I currently distribute a Java application, packaged and signed using pkgbuild
on macOS.
Recently, Apple warns developers:
"In an upcoming release of macOS, Gatekeeper will require Developer ID–signed software to be notarized by Apple."
Upon reading the notarizing docs, apple warns developers:
"You must enable hardened runtime for your app to be notarized by Apple."
Which goes into some details about how to toggle these settings on within Xcode. But what about apps not developed with Xcode? Xamarin/Mono have some back and forth about how they're tackling this but the commits so far seem to focus on Mojave detection and C/C++. What about Java apps or apps that don't distribute any C/C++/Objective-C compiled code? How does a project get "notarized" so that it doesn't get blocked by a future macOS update?
Possibly related: How to codesign and enable the hardened runtime for a 3rd-party CLI on Xcode?
I'm answering this question in regards to a Java project that requires notarization. With slight modifications, the answer should work for other types of projects (python, powershell, node) as well.
Note: At the time of posting this, Apple's notarization command allowed the below procedure to work however as notarization and security becomes more common and more strictly enforced it is inevitable that Apple will change and improve hardening requirements and procedures. Please edit, comment or re-answer as needed.
Code Signing
.pkg
or.app
containing scripts, jars), the notarization should pass. During notarization, Apple will extract the.jar
and look for native libraries. If it finds any that aren't signed, it'll be rejected. If it doesn't, you're OK. Instructions for notarization usingxcrun
are further below.For a Java app which contains native calls (e.g. JNI) to bundled libraries (
.dylib
,.jnilib
) each bundled library must be signed using an "Application" (e.g.developerID_application.cer
) certificate.openssl
via command line (instead of theKeychain Access
) if you get stuck.Once you obtain the certificate, signing each native library
.dylib|.jnilib|.so|bin
gets tricky. The general idea is to usecodesign
command against the native library so that it is signed as you, the developer. The syntax is:... where
P6DMU6694X
is either the unique developer ID or the exact certificate Common Name (either will work).For a
.jar
file, this can be particularly cumbersome as each package needs to be extracted, signed and then zipped back up.Notarization
Once the native libraries are signed the package must be sent for notarization using
xcrun
.Which may look something like this:
You will be prompted for your Apple Developer password (NOT the password you use to login to your Mac). Edit: Since dual-factor has been mandated, you'll need to create an app-specific password for this step!
After a few minutes, the
xcrun
command will return a unique ID that can be used to determine if the notarization was approved.If denied, they won't directly tell you why, you have to parse the JSON response.
Read the JSON and correct the problems identified. The JSON is minified, you may want to run it through a pretty-formatter. If there are no problems, your app has been notarized and is
Ready for distribution
.Stapling
Finally, stapling the build will ensure the package is trusted even when a network connection is not available.
In addition to tresf's answer above, if your app is sandboxed (and possibly even if not) then the hardened runtime will fail when the JVM is loaded. To work around that you'll need to add some keys to your entitlements when signing. The necessary entitlement entries are below, copied from TAO ZHOU's solution here: https://bitbucket.org/infinitekind/appbundler/issues/39/build-with-hardened-runtime