Signing a Java app with jpackage

I have been having problems signing an app with jpackage. I am confused and I'm not sure if it's because I don't have the correct certificate from Apple, or I am doing something wrong when I pass the signature to Apple. I find Apple certificates very confusing. And I think I have made several unnecessary certificates while trying to figure this out.

What I think is the problem is Jpackager seems to want the certificate to be of type: "Developer ID Application" and I seem to be only able to create "Apple Development" or "Mac Development" signatures. My role on my team is a "developer" and I am wondering if I need my boss to create the correct certificate?

I have been googling like crazy and am not even sure if I understand what values are needed for "signing-prefix" or "key-user-name":

```
--mac-bundle-signing-prefix
--mac-sign
--mac-signing-keychain
--mac-signing-key-user-name
```

I have used the following and Keychain Access to view my codesign values:

```
security find-identity -v -p codesigning
```

P.S. My program uses Swing and needs to run on macOS, Windows 10 and Linux, which is why I use Java in the first place.

I find Apple certificates very confusing.

You’re not the only one. Let’s start with some basics: What’s your deployment vehicle here? Do you plan to ship your app via the Mac App Store? Or independently, using Developer ID signing?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

To ship outside of the Mac App Store you will need a Developer ID Application signing identity [1]. If you go to Certificates, Identifiers and Profiles and look at the certificate list, do you see a Developer ID Application entry?

IMPORTANT If you’re a member of multiple teams, make sure you select the right team from the menu in the top right.

Developer ID signing identities are precious, as discussed in this post, so it’s important that you understand this problem before taking any action to try to resolve it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] You only need a Developer ID Installer signing identity if you package your product in a Mac installer package (.pkg).

You don’t need any special privileges to see a Developer ID certificate on the developer web site; any team member can do that.

You do need special privileges to create one. See Apple Developer Program Roles for a summary of what each role can do.

This ties in to the fact that Developer ID signing identities are precious; you don’t want team members creating them willy-nilly. Indeed, in a large organisation it’s usually best to restrict access to these signing identities to the folks who prepare a product for final distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

But it doesn't show up when I look for it in security into the terminal.

I don’t know what the above means. Please elaborate.

Note If you’re running a command in Terminal, it’d help if you showed the actual command and its output. Use a code block (triple backticks) to make it easier to read.

jpackager is still asking for a Developer ID Application certificate.

OK, to be clear:

  • All your code (and any disk images) must be signed with a Developer ID Application signing identity.

  • If you ship an Apple installer package (.pkg) you must sign that with a Developer ID Installer identity.

So, if you ship code within an installer package you need both.

And I'm not sure what the keychain ID?

I don’t understand this question. The term keychain ID isn’t something we use in the Apple ecosystem.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I finally got it to work. I got pulled off this project for a bit.

I'm not sure what I finally did yesterday. But I was finally able to create the Developer ID Application certificate through my company's developer login. I'm not even sure what I did. Creating it was not obvious.

The problem I was having was I was calling "security find-identity -p codesigning" and not seeing either Developer licenses.

I have a Developer ID Installer certificate, but have lost the private key and the password to save the private key. This private key was created on an old dead computer. That certificate is on another application that is already out in the world, so I can't delete it.

Still had to guess at a few things. And took me a bit to figure out notarization. But I now have an application I can distribute on Big Sur.
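The keychain check that tripped up this thread, as an added example that is not part of the original posts: it parses the output of `security find-identity -v -p codesigning` and reports whether the Developer ID Application and Developer ID Installer identities are present, and extracts the team or user name portion that the jpackage help describes for `--mac-signing-key-user-name`. The function names are hypothetical, and the sample output (hashes, names, team IDs) is constructed.

```shell
#!/bin/sh
# Constructed sample of `security find-identity -v -p codesigning` output.
# Hashes, names and team IDs are placeholders, not real identities.
SAMPLE_OUTPUT='  1) 1111111111111111111111111111111111111111 "Apple Development: Jane Doe (AAAAAAAAAA)"
  2) 2222222222222222222222222222222222222222 "Developer ID Installer: Example Corp (BBBBBBBBBB)"
     2 valid identities found'

# Print the quoted identity names, one per line, from find-identity output on stdin.
# The trailing "N valid identities found" line does not match and is dropped.
list_identities() {
    sed -n 's/^ *[0-9][0-9]*) [0-9A-Fa-f]\{40\} "\(.*\)"$/\1/p'
}

# Succeed if an identity of the given type (the text before the colon) is listed.
has_identity_type() {
    list_identities | grep -q "^$1: "
}

# Print the part after "<type>: " for the first matching identity,
# i.e. the team or user name portion of the signing identity.
identity_user_name() {
    list_identities | sed -n "s/^$1: //p" | head -n 1
}

# Summarise what this keychain can sign, given find-identity output on stdin:
#   app = Developer ID Application (code and disk images)
#   pkg = Developer ID Installer   (only needed for .pkg installers)
signing_readiness() {
    out=$(cat)
    app=no
    pkg=no
    if printf '%s\n' "$out" | has_identity_type "Developer ID Application"; then
        app=yes
    fi
    if printf '%s\n' "$out" | has_identity_type "Developer ID Installer"; then
        pkg=yes
    fi
    echo "app=$app pkg=$pkg"
}

# On a Mac: security find-identity -v -p codesigning | signing_readiness
```

An identity appears in this list only when both the certificate and its private key are in the keychain, so `app=no` on a machine where the certificate is visible on the developer web site usually means the private key lives elsewhere.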
