Packaging a Java Application ITMS-90238: Invalid Signature Error

Hi,

When packaging an application using JDK 17 and the latest version of jpackage I get the below error when uploading to the App Store. All tests prior to uploading complete just fine.

I think it might be related to the structure of the .app folder but I'm not sure; any ideas would be helpful.

ITMS-90238: Invalid Signature - The main app bundle Test at path Test.app has following signing error(s): a sealed resource is missing or invalid. Refer to the Code Signing ...

and

ITMS-90296: App sandbox not enabled - The following executables must include the 'com.apple.security.app-sandbox' entitlement with a Boolean value of true in the entitlements property list: [[Test.app/Contents/MacOS/Test]]

The app verifies in Transporter just fine and codesign as well.

codesign --verify --verbose=4 'Test.app' 

Test.app: valid on disk
Test.app: satisfies its Designated Requirement

Also, the entitlements seem to be fine.

codesign -d --entitlements :- ./Test.app/Contents/MacOS/Test 
Executable=/Users/ryan/flat/Test.app/Contents/MacOS/Test
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>

The app structure looks like the below, noting runtime contains the java runtime and app contains the application jar file.

ls -al ./Test.app/Contents 
total 16
drwxr-xr-x  9 ryan  staff   288 27 Sep 08:36 .
drwxr-xr-x  3 ryan  staff    96 27 Sep 08:35 ..
-rw-r--r--  1 ryan  staff  1229 27 Sep 08:36 Info.plist
drwxr-xr-x  3 ryan  staff    96 27 Sep 08:36 MacOS
-rw-r--r--  1 ryan  staff     8 27 Sep 08:36 PkgInfo
drwxr-xr-x  3 ryan  staff    96 27 Sep 08:36 Resources
drwxr-xr-x  3 ryan  staff    96 27 Sep 08:36 _CodeSignature
drwxr-xr-x  6 ryan  staff   192 27 Sep 08:36 app
drwxr-xr-x  3 ryan  staff    96 27 Sep 08:35 runtime

The jpackage commands look like the below:

Noting that in the first, jpackage finds the correct certificate and entitlements because of the option --mac-app-store. Further details can be found here:

https://docs.oracle.com/en/java/javase/17/jpackage/support-application-features.html#GUID-8D9F0607-91F4-4070-8823-02FCAB12238D

rm -rf Test.app

iconutil --convert icns flat.iconset

/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home/bin/jpackage \
 -i input \
 -n Test \
 --app-version 1.0.9 \
 --main-class com.formdev.flatlaf.demo.FlatLafDemo \
 --main-jar flatlaf-demo-1.6.jar \
 --icon flat.icns \
 --mac-package-name Test \
 --mac-package-identifier "com.formdev.flatlaf.demo.FlatLafDemo" \
 --java-options -Xmx2048m \
 --mac-sign \
 --mac-app-store \
 --mac-signing-key-user-name "Ryan Henderson (A8KKM73GSU)" \
 --type app-image --verbose

codesign --verify --verbose=4 'Test.app' 

rm -rf *.pkg
/Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home/bin/jpackage \
 -n Test \
 --app-version "1.0.9" \
 --description "Test Pkg" \
 --vendor "Ryan" \
 --copyright "Ryan" \
 --app-image Test.app \
 --mac-app-store \
 --mac-sign \
 --mac-signing-key-user-name "3rd Party Mac Developer Installer: Ryan Henderson (A8KKM73GSU)" \
 --type pkg

If you want I can also supply the verbose output from the .app generation and the .pkg generation using jpackage. From what I can see it's doing all the right things when signing etc.

Thanks Ryan

Do this:

  1. Unpack the app from your installer. I used the Pacifist app for this but you can also do it by hand.

  2. Run codesign --verify --verbose=4 --deep against that copy of the app.

What does it report?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,

Looks like the runtime legal text files are invalid.

codesign --verify --verbose=4 'Test.app' 
Test.app: a sealed resource is missing or invalid
file modified: /Users/ryan/flat/tmp/Test.app/Contents/runtime/Contents/Home/legal/java.management.rmi/LICENSE
file modified: /Users/ryan/flat/tmp/Test.app/Contents/runtime/Contents/Home/legal/java.management.rmi/COPYRIGHT
...

I am now removing the legal folder after the .app packaging and signing just using codesign. That seems to work now.

I will submit a bug to Oracle for review, any ideas on what exactly might be the cause?

Thanks Ryan

any ideas on what exactly might be the cause?

This error means that the specified file has been modified since it was sealed by the code signature. For example:

% codesign -v -vvv QProcessDock.app 
QProcessDock.app: valid on disk
QProcessDock.app: satisfies its Designated Requirement
% echo 'Hello Cruel World!' > QProcessDock.app/Contents/Resources/AppIcon.icns 
% codesign -v -vvv QProcessDock.app                                           
QProcessDock.app: a sealed resource is missing or invalid
file modified: /Users/quinn/Test/QProcessDock.app/Contents/Resources/AppIcon.icns

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
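
Added example, not part of the thread and not Apple's or Oracle's code: a Python check that mirrors the "file modified" report above by comparing the files of an unpacked app against the SHA-256 digests sealed in Contents/_CodeSignature/CodeResources. It assumes the version 2 layout (a `files2` dictionary keyed by path relative to Contents, with a `hash2` data value per plain file); the function names and the sample bundle are constructed for illustration.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def check_sealed_resources(app: Path) -> list[str]:
    """Compare files under <app>/Contents with the digests sealed in CodeResources."""
    contents = app / "Contents"
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as fh:
        sealed = plistlib.load(fh).get("files2", {})  # assumed v2 layout
    findings = []
    for rel, entry in sorted(sealed.items()):
        # Only plain files carry hash2; symlink and nested-code entries are skipped.
        if not isinstance(entry, dict) or "hash2" not in entry:
            continue
        path = contents / rel
        if not path.is_file():
            if not entry.get("optional", False):
                findings.append(f"file missing: {rel}")
        elif hashlib.sha256(path.read_bytes()).digest() != entry["hash2"]:
            findings.append(f"file modified: {rel}")
    return findings


def build_constructed_bundle(root: Path) -> Path:
    """Constructed sample: a minimal bundle whose seal covers two legal files."""
    app = root / "Test.app"
    legal = app / "Contents/runtime/Contents/Home/legal/java.management.rmi"
    legal.mkdir(parents=True)
    files2 = {}
    for name in ("LICENSE", "COPYRIGHT"):
        data = f"constructed {name} text\n".encode()
        (legal / name).write_bytes(data)
        rel = (legal / name).relative_to(app / "Contents").as_posix()
        files2[rel] = {"hash2": hashlib.sha256(data).digest()}
    sig = app / "Contents/_CodeSignature"
    sig.mkdir()
    with open(sig / "CodeResources", "wb") as fh:
        plistlib.dump({"files2": files2}, fh)
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app = build_constructed_bundle(Path(tmp))
        print(check_sealed_resources(app))  # freshly sealed copy
        legal = app / "Contents/runtime/Contents/Home/legal/java.management.rmi"
        (legal / "LICENSE").write_text("changed after sealing\n")
        print(check_sealed_resources(app))  # after the post-seal edit
```

This only compares resource digests; it does not validate the signature over CodeResources itself, so it complements `codesign --verify` on the unpacked copy rather than replacing it.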
