JAL-3796 minimal steps for notarization and the entitlements.txt file needed for...
authorJalview Development Admin <jalview-dev-owner@jalview.org>
Fri, 5 Mar 2021 17:07:59 +0000 (17:07 +0000)
committerJalview Development Admin <jalview-dev-owner@jalview.org>
Fri, 5 Mar 2021 17:07:59 +0000 (17:07 +0000)
utils/install4j/install4j8_template.install4j
utils/osx_signing/README [new file with mode: 0644]
utils/osx_signing/entitlements.txt [new file with mode: 0644]

index a0f3dc8..610dd3b 100644 (file)
         <entry>jspawnhelper</entry>
         <entry>libfreetype.dylib.6</entry>
         <entry>applet</entry>
+        <entry>jaotc</entry>
+        <entry>jfr</entry>
+        <entry>jrunscript</entry>
+        <entry>libjli.dylib</entry>
       </macAdditionalBinaries>
     </codeSigning>
   </application>
diff --git a/utils/osx_signing/README b/utils/osx_signing/README
new file mode 100644 (file)
index 0000000..057b5b8
--- /dev/null
@@ -0,0 +1,32 @@
+Signing and Notarizing install4j DMGs for OSX
+
+0. You will need an up to date Apple Developer ID subscription and have a valid developer key for signing/notarizing apps, installers and DMGs available on your system.
+
+1. Build the install4j installers - signing these for windows requires a Certum cryptokey or other suitable java codesigning cert. Details to be provided.
+
+2. Unpack the OSX installer to a local directory
+hdiutil attach build/install4j/11/Jalview_Develop-2_11_2_0dev-d20210128-macos-java_11.dmg 
+mkdir newdmg; ditto /Volumes/Jalview\ Develop\ Installer newdmg/
+
+3. Remove the uninstaller if necessary/and/or others, and then deep sign the dmg
+
+xattr -cr ./newdmg/Jalview\ Develop.app/Contents/Resources/app/jre/Contents/MacOS/libjli.dylib 
+codesign --verify --deep -v ./newdmg/Jalview\ Develop.app/Contents/Resources/app/jre/Contents/MacOS/libjli.dylib 
+
+codesign --force --deep -vvvv -s "Developer ID" --options runtime --entitlements ./utils/osx_signing/entitlements.txt ./newdmg/Jalview\ Develop.app/Contents/Resources/app/jre/Contents/MacOS/libjli.dylib 
+
+codesign --verify --deep -v ./newdmg/Jalview\ Develop.app/Contents/Resources/app/jre/Contents/MacOS/libjli.dylib 
+
+codesign --force --deep -vvvv -s "Developer ID" --options runtime --entitlements ./utils/osx_signing/entitlements.txt ./newdmg/Jalview\ Develop.app/Contents/MacOS/JavaApplicationStub 
+
+hdiutil create -megabytes 240 -srcfolder ./newdmg -volname 'Jalview Develop Installer (2.11.2)' Jalview_Develop-2_11_2-macos-java_11.dmg
+
+codesign --force --deep -vvvv -s "Developer ID" --options runtime --entitlements ./utils/osx_signing/entitlements.txt Jalview_Develop-2_11_2-macos-java_11.dmg
+
+codesign --deep -vvvv Jalview_Develop-2_11_2-macos-java_11.dmg
+
+4. Notarize
+xcrun altool --notarize-app --primary-bundle-id "org.jalview.jalview-desktop" -u jalview-dev-owner@jalview.org -p $ALTOOL_PASSWORD --file Jalview_Develop-2_11_2-macos-java_11.dmg 
+.. run with --notarization-info $notarization-session-id until complete
+
+5. Staple to dmg so it can be verified without a net connection.
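Review bot: The notarization step in this hunk passes the app-specific password on the command line (`-p $ALTOOL_PASSWORD`), which exposes it to `ps` on a shared build host and to the shell history of whoever follows the runbook; altool accepts the `@env:` and `@keychain:` forms, so `-p "@env:ALTOOL_PASSWORD"` (or `-p "@keychain:AC_PASSWORD"`) keeps the same workflow without the leak. Step 5 names the goal but not the command; the README would be complete with `xcrun stapler staple Jalview_Develop-2_11_2-macos-java_11.dmg` followed by a Gatekeeper check such as `spctl -a -t open --context context:primary-signature -v Jalview_Develop-2_11_2-macos-java_11.dmg`, so the result is verified rather than assumed. Signing with `--deep` is, as far as I recall, discouraged by Apple for anything but verification because it signs nested code with the outer entitlements rather than its own; worth a caveat in step 3 if the team keeps it.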
diff --git a/utils/osx_signing/entitlements.txt b/utils/osx_signing/entitlements.txt
new file mode 100644 (file)
index 0000000..1446982
--- /dev/null
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>com.apple.security.app-sandbox</key>
+        <false/>
+        <key>com.apple.security.network.server</key>
+        <true/>
+        <key>com.apple.security.network.client</key>
+        <true/>
+        <key>com.apple.security.files.user-selected.read-write</key>
+        <true/>
+        <key>com.apple.security.cs.allow-jit</key>
+        <true/>
+        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+        <true/>
+        <key>com.apple.security.cs.disable-executable-page-protection</key>
+        <true/>
+        <key>com.apple.security.cs.disable-library-validation</key>
+        <true/>
+        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+        <true/>
+    </dict>
+</plist>
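Review bot: The four `com.apple.security.cs.*` keys in this hunk each switch off a hardened-runtime protection, and the combination of `disable-library-validation` with `allow-dyld-environment-variables` restores `DYLD_INSERT_LIBRARIES`-style injection into a notarized binary, so the file should state why each is needed rather than leave the next maintainer to assume all are required. `allow-jit` and `allow-unsigned-executable-memory` are the ones a JVM usually needs; `disable-executable-page-protection` and `allow-dyld-environment-variables` are worth confirming by signing and running without them before they are kept, since notarization will accept the weaker set without complaint. The `app-sandbox` key is set to `false` here, which means the `network.*` and `files.user-selected.read-write` keys below it are no-ops (they only constrain a sandboxed app); a comment above the dict such as `<!-- Hardened-runtime exceptions for the bundled JRE: each cs.* key below disables a protection, keep only those verified as required; the sandbox keys are inert while app-sandbox is false -->` would make the intent explicit.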