From 02e5c6fb4edb3ae638e45cff1aad056682083c36 Mon Sep 17 00:00:00 2001
From: Jalview Development Admin
Date: Fri, 5 Mar 2021 17:07:59 +0000
Subject: [PATCH] JAL-3796 minimal steps for notarization and the entitlements.txt file needed for the codesign tool

---
 utils/install4j/install4j8_template.install4j | 4 ++++
 utils/osx_signing/README | 32 +++++++++++++++++++++++++
 utils/osx_signing/entitlements.txt | 24 +++++++++++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 utils/osx_signing/README
 create mode 100644 utils/osx_signing/entitlements.txt

diff --git a/utils/install4j/install4j8_template.install4j b/utils/install4j/install4j8_template.install4j
index a0f3dc8..610dd3b 100644
--- a/utils/install4j/install4j8_template.install4j
+++ b/utils/install4j/install4j8_template.install4j
@@ -73,6 +73,10 @@
 jspawnhelper
 libfreetype.dylib.6
 applet
+ jaotc
+ jfr
+ jrunscript
+ libjli.dylib
diff --git a/utils/osx_signing/README b/utils/osx_signing/README
new file mode 100644
index 0000000..057b5b8
--- /dev/null
+++ b/utils/osx_signing/README
@@ -0,0 +1,32 @@
+Signing and Notarizing install4j DMGs for OSX
+
+0. You will need an up to date Apple Developer ID subscription and have a valid developer key for signing/notarizing apps, installers and DMGs available on your system.
+
+1. Build the install4j installers - signing these for windows requires a Certum cryptokey or other suitable java codesigning cert. Details to be provided.
+
+2. Unpack the OSX installer to a local directory
+hdiutil attach build/install4j/11/Jalview_Develop-2_11_2_0dev-d20210128-macos-java_11.dmg
+mkdir newdmg; ditto /Volumes/Jalview\ Develop\ Installer newdmg/
+
+3. Remove the uninstaller if necessary/and/or others, and then deep sign the dmg
+
+xattr -cr ./newdmg/Jalview\ Develop.app/Contents/Resources/app/jre/Contents/MacOS/libjli.dylib
+codesign --verify --deep -v ./newdmg/Jalview\ Develop.app/Contents/Resources/app/jre/Contents/MacOS/libjli.dylib
+
+codesign --force --deep -vvvv -s "Developer ID" --options runtime --entitlements ./utils/osx_signing/entitlements.txt ./newdmg/Jalview\ Develop.app/Contents/Resources/app/jre/Contents/MacOS/libjli.dylib
+
+codesign --verify --deep -v ./newdmg/Jalview\ Develop.app/Contents/Resources/app/jre/Contents/MacOS/libjli.dylib
+
+codesign --force --deep -vvvv -s "Developer ID" --options runtime --entitlements ./utils/osx_signing/entitlements.txt ./newdmg/Jalview\ Develop.app/Contents/MacOS/JavaApplicationStub
+
+hdiutil create -megabytes 240 -srcfolder ./newdmg -volname 'Jalview Develop Installer (2.11.2)' Jalview_Develop-2_11_2-macos-java_11.dmg
+
+codesign --force --deep -vvvv -s "Developer ID" --options runtime --entitlements ./utils/osx_signing/entitlements.txt Jalview_Develop-2_11_2-macos-java_11.dmg
+
+codesign --deep -vvvv Jalview_Develop-2_11_2-macos-java_11.dmg
+
+4. Notarize
+xcrun altool --notarize-app --primary-bundle-id "org.jalview.jalview-desktop" -u jalview-dev-owner@jalview.org -p $ALTOOL_PASSWORD --file Jalview_Develop-2_11_2-macos-java_11.dmg
+.. run with --notarization-info $notarization-session-id until complete
+
+5. Staple to dmg so it can be verified without a net connection.
diff --git a/utils/osx_signing/entitlements.txt b/utils/osx_signing/entitlements.txt
new file mode 100644
index 0000000..1446982
--- /dev/null
+++ b/utils/osx_signing/entitlements.txt
@@ -0,0 +1,24 @@
+
+
+
+
+ com.apple.security.app-sandbox
+
+ com.apple.security.network.server
+
+ com.apple.security.network.client
+
+ com.apple.security.files.user-selected.read-write
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.disable-executable-page-protection
+
+ com.apple.security.cs.disable-library-validation
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+
+
-- 
1.7.10.2
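Review bot: Step 4 of the README passes the notarization credential on the command line as `-p $ALTOOL_PASSWORD`, which makes it readable to any user who can list processes on the build host while altool runs and records it in shell history when the variable is expanded interactively; altool accepts `-p @env:ALTOOL_PASSWORD` (or `-p @keychain:<item-name>`) so the value never appears in argv. The Apple ID `jalview-dev-owner@jalview.org` is also hard-coded into a committed file, and `-u $ALTOOL_USER` would keep the procedure usable for other release engineers without editing the README. Step 5 names stapling but gives no command; `xcrun stapler staple Jalview_Develop-2_11_2-macos-java_11.dmg` followed by `xcrun stapler validate Jalview_Develop-2_11_2-macos-java_11.dmg` would complete the written procedure.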
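Review bot: The entitlements file disables most hardened-runtime protections at once: `com.apple.security.cs.disable-executable-page-protection` and `com.apple.security.cs.allow-dyld-environment-variables` go beyond what a bundled JVM normally needs (`allow-jit`, `allow-unsigned-executable-memory` and, where non-Apple-signed native libraries are loaded, `disable-library-validation`), and the second re-enables DYLD_* environment injection into the signed process, so each of those keys should be tied to a recorded JVM failure on the hardened runtime or dropped. The README added in the same commit applies this file to libjli.dylib and to the finished DMG as well as to JavaApplicationStub; as far as I know entitlements are only honoured on the main executable, so the dylib and DMG applications are presumably inert and the main-executable one is the only place this list takes effect. The plist markup is stripped in this rendering, so I cannot see whether the keys are already commented; if not, a one-line comment above each retained key, e.g. `<!-- needed by the HotSpot JIT; re-check when the bundled JRE is updated -->`, would record why each exception exists. Combining `com.apple.security.app-sandbox` with the network and user-selected-file entitlements is presumably deliberate, but it is worth confirming that sandboxing is actually intended for a non-App-Store Developer ID build that opens arbitrary alignment files.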