jpackage java.io.IOException libnet.dylib

Hi, I'm struggling to sign a .pkg using jpackage on Monterey 12.2. Details below.

Thanks, DC

uname -a
Darwin daniels-mbp.lan 21.3.0 Darwin Kernel Version 21.3.0: Wed Jan 5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_ARM64_T6000 arm64

ant -buildfile buildWithJpackage.xml deploymacosx2022

[echo] using jpackage at /Library/Java/JavaVirtualMachines/jdk-17.0.1.jdk/Contents/Home/bin/jpackage
[exec] java.io.IOException: Command [/usr/bin/codesign, --timestamp, --options, runtime, -s, Developer ID Application: Daniel Caffrey (**********), --prefix, com.neogenesis.pfaat., -vvvv, --keychain, /Library/Keychains/System.keychain, /var/folders/rh/2slcpd4s0qn46fgfz32680_80000gn/T/jdk.jpackage10951450334007527618/images/image-16240817520976842168/Pfaat.app/Contents/runtime/Contents/Home/lib/libnet.dylib] exited with 1 code

exited with 1 code

When codesign fails in this way it invariably prints an error message. To make progress on this, you’ll need to find that error.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, Thanks for your help! It looks like it cannot find the keychain but it is also possible that my codesign command is not the same as the one reported above by jpackage (I removed the commas and put the -s option in single quotes (pasted below in bold)).

The security find-certificate command attached below suggests that the certificate is there but maybe I'm missing something (I'm not confident that the certificate is installed correctly and don't really know what to look for). I've starred-out and deleted most of the info as the web interface is complaining when I include certain info and I'm guessing it is not wise to share this info online but I'm new to this and desperate to find a solution.

Thanks! DC

It certainly looks like you have problems with your signing identity. Please run this command and post the results:

% security find-identity

Policy: X.509 Basic
  Matching identities
…
 27) C32E0E68CE92936D5532E21BAAD8CFF4A6D9BAA1 "Developer ID Installer: Quinn Quinn (SKMME9E2Y8)"
 28) ADC03B244F4C1018384DCAFFC920F26136F6B59B "Developer ID Application: Quinn Quinn (SKMME9E2Y8)"
 29) ADC03B244F4C1018384DCAFFC920F26136F6B59B "Developer ID Application: Quinn Quinn (SKMME9E2Y8)"
…
     30 identities found

  Valid identities only
…
  9) C32E0E68CE92936D5532E21BAAD8CFF4A6D9BAA1 "Developer ID Installer: Quinn Quinn (SKMME9E2Y8)"
 10) ADC03B244F4C1018384DCAFFC920F26136F6B59B "Developer ID Application: Quinn Quinn (SKMME9E2Y8)"
 11) ADC03B244F4C1018384DCAFFC920F26136F6B59B "Developer ID Application: Quinn Quinn (SKMME9E2Y8)"
…
     12 valid identities found

Feel free to redact:

  • Any identities that don’t include Developer ID.

  • The stuff after the colon (:) in each identity name.

  • The hashes.

ps When you post a log message, please post it in a code block rather than a screen shot. It’s hard to copy’n’paste from a screen shot.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, See below. Also from the keychain access app, I can see the certificate when I select login (left panel, default keychains) and there is a green check mark in the main panel (right side under certificates tab) and it says: This certificate is valid. Similarly, if I select System (left panel under System keychains), it also says that the certificate is valid. Based on the jpackage error, I believe that jpackage is specifying /Library/Keychains/System.keychain and not ~/Library/Keychains/whateverTheFileisCalled

Thanks, DC


bash-3.2$ security find-identity

Policy: X.509 Basic
  Matching identities
     0 identities found

  Valid identities only
     0 valid identities found

bash-3.2$ security find-identity /Library/Keychains/System.keychain

Policy: X.509 Basic
  Matching identities
     0 identities found

  Valid identities only
     0 valid identities found


bash-3.2$
bash-3.2$ codesign --timestamp --options runtime -s Developer ID Application: 'Daniel Caffrey (D37TH85SCQ)' --prefix some.domain.pfaat. -vvvv --keychain /Library/Keychains/System.keychain  /var/folders/rh/2slcpd4s0qn46fgfz32680_80000gn/T/jdk.jpackage9595025139862794341/images/image-3946415554238003562/Pfaat.app/Contents/runtime/Contents/Home/lib/libnet.dylib
error: The specified item could not be found in the keychain.

# NOT SURE IF login.keychain-db  IS THE CORRECT FILE NAME BUT TRYING ANYWAY
bash-3.2$ codesign --timestamp --options runtime -s Developer ID Application: 'Daniel Caffrey (D37TH85SCQ)' --prefix some.domain.pfaat. -vvvv --keychain ~/Library/Keychains/login.keychain-db  /var/folders/rh/2slcpd4s0qn46fgfz32680_80000gn/T/jdk.jpackage9595025139862794341/images/image-3946415554238003562/Pfaat.app/Contents/runtime/Contents/Home/lib/libnet.dylib
error: The specified item could not be found in the keychain.



bash-3.2$ du -a ~/Library/Keychains
64	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/keychain-2.db-shm
6192	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/keychain-2.db-wal
8	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/user.kb
8	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/SOSAccountSettings.pb
280	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/com.apple.security.keychain-defaultContext.TrustedPeersHelper.db
64	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/com.apple.security.keychain-defaultContext.TrustedPeersHelper.db-shm
16104	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/keychain-2.db
4176	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/com.apple.security.keychain-defaultContext.TrustedPeersHelper.db-wal
8	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/sos_analytics.db
8	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/CloudServicesAnalytics.db
6152	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/CloudServicesAnalytics.db-wal
64	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/TransparencyAnalytics.db-shm
8	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/localkeychain.db
1160	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/TransparencyAnalytics.db-wal
64	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/CloudServicesAnalytics.db-shm
8200	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/sos_analytics.db-wal
8200	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/ckks_analytics.db-wal
528	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/ckks_analytics.db
64	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/sos_analytics.db-shm
64	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/ckks_analytics.db-shm
264	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/localkeychain.db-wal
384	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/TransparencyAnalytics.db
64	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics/localkeychain.db-shm
25232	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87/Analytics
52128	/Users/dcaffrey/Library/Keychains/C39A2E82-D204-53BF-8637-77C6C4DDAB87
480	/Users/dcaffrey/Library/Keychains/login.keychain-db
0	/Users/dcaffrey/Library/Keychains/.fl34AC2A0A
0	/Users/dcaffrey/Library/Keychains/.flC23220F1
48	/Users/dcaffrey/Library/Keychains/metadata.keychain-db
52656	/Users/dcaffrey/Library/Keychains


You are confusing certificate and signing identity. Before going further, read my Certificate Signing Requests Explained post for an explanation of the difference.

it also says that the certificate is valid

The fact that the certificate is valid does not mean that you can sign with it. To sign you need a digital identity, and that means you must have the private key associated with that certificate. The results of find-identity confirm that you have no digital identities. You need to find the private key associated with that certificate.

IMPORTANT For development signing identities you can just regenerate everything from scratch. However, you’re trying to use a Developer ID signing identity, and those are precious. See the posts on this thread for more on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks, I read your post and hopefully understood most of it. As you imply, the use of similar terminology to describe different things makes it a challenge to wrap your head around all of this. There is also a lot of information on forums that appears to be disputed or out of date, so I've tried to provide a detailed description of what I did next. I think I'm almost there but need a little more help getting over the line...

Thanks, DC

If there are multiple posts in a row, the interface is rejecting my content and it is not clear which parts will submit

For "Developer ID Application", I found a private key on an older mac (under the keys tab of the keychain access app). I right-clicked on the private keychain and exported it as a .p12 file (it asked me to create a password). I copied the private key to a safe location and also downloaded it to my new machine (macbook 2021, Monterey). I double clicked the .p12 file and it appears to have installed.

To create a "Developer ID Installer" (I believe this is my 1st time doing this and ultimately what I need), I logged onto developer.apple.com, clicked on account tab, clicked on certificates, identifiers & profiles, clicked on 'certificates' in the left panel, clicked on the '+' icon and performed the various steps to create an installer identity. Here is the latest status from security find-identity.

bash-3.2$ security find-identity ~/Library/Keychains/login.keychain-db

Policy: X.509 Basic
  Matching identities
  1) redacted-40-digit-code  "Developer ID Application: Firstname Lastname (redacted)"
  2) redacted-40-digit-code  "Developer ID Installer: Firstname Lastname  (redacted)"
     2 identities found

  Valid identities only
  1) redacted-40-digit-code "Developer ID Application: Firstname Lastname  (redacted)"
  2) redacted-40-digit-code "Developer ID Installer: Firstname Lastname  (redacted)"
     2 valid identities found

Note, I see the private keys in the keychain access app under the certificates and keys tab. I do not see any public keys in the same location but I read somewhere that the public keys are embedded in the certificates.

It is my understanding that I need to specify Developer ID Installer as I want to distribute a pkg outside of the app store. However, I show some of the command for Developer ID Application also:

Developer ID Installer:

% ant -buildfile buildWithJpackageAndSignInstaller.xml deploymacosx2022
Buildfile: /Users/dcaffrey/work/workspace/pfaat/trunk/pfaat/buildWithJpackageAndSignInstaller.xml

deploymacosx2022:
     [echo] using jpackage at /Library/Java/JavaVirtualMachines/jdk-17.0.1.jdk/Contents/Home/bin/jpackage
     [exec] java.io.IOException: Command [/usr/bin/codesign, --timestamp, --options, runtime, -s, Developer ID Installer: firstName lastName (redactedCode), --prefix, com.neogenesis.pfaat., -vvvv, --keychain, /Users/dcaffrey/Library/Keychains/login.keychain-db, /var/folders/rh/2slcpd4s0qn46fgfz32680_80000gn/T/jdk.jpackage4

continued...

I attempted to rerun codesign to get more info:

% codesign --timestamp --options runtime -s 'Developer ID Installer: firstName lastName (redactedCode)' --prefix com.neogenesis.pfaat. -vvvv --keychain /Users/dcaffrey/Library/Keychains/login.keychain-db /var/folders/rh/2slcpd4s0qn46fgfz32680_80000gn/T/jdk.jpackage17110438044419986386/images/image-8953270622600972312/Pfaat.app/Contents/runtime/Contents/Home/lib/libnet.dylib
Developer ID Installer: firstName lastName (redactedCode): **this identity cannot be used for signing code**

Developer ID Application: The xml file is almost identical to the one above, except I replace Developer ID Installer with Developer ID Application

% ant -buildfile buildWithJpackageAndSignApplication.xml deploymacosx2022
Buildfile: /Users/dcaffrey/work/workspace/pfaat/trunk/pfaat/buildWithJpackageAndSignApplication.xml

deploymacosx2022:
     [echo] using jpackage at /Library/Java/JavaVirtualMachines/jdk-17.0.1.jdk/Contents/Home/bin/jpackage
     [exec] Error: Bundler "Mac PKG Package" (pkg) failed to produce a package
     [exec] Result: 1

The two ant files are almost identical. I replace Developer ID Installer with Developer ID Application

relevant info in the ant files:

<target name="deploymacosx2022" if="isMac">
    <property name="jdkPath" value="${JDKMacOSX}" />
    <echo message="using jpackage at ${jdkPath}/bin/jpackage" />

    <exec executable="${jdkPath}/bin/jpackage" os="Mac OS X">
        <arg line="--input ${lib.unsigned.dir}"/>
        <arg line="-d ${releaseFolder}"/>
        <arg line="-n Pfaat"/>
        <arg line="--app-version ${version}"/>
        <arg line="--main-class com.neogenesis.pfaat.AlignmentFrame"/>
        <arg line="--main-jar pfaatUnsigned.jar"/>
        <arg line="--type pkg"/>
        <arg line="--mac-package-identifier Pfaat"/>
        <arg line="--mac-sign"/>
        <arg line="--mac-signing-keychain /Users/dcaffrey/Library/Keychains/login.keychain-db"/>
        <arg line="--mac-signing-key-user-name 'Developer ID Installer: firstName LastName (redactedCode)'"/>
    </exec>
</target>

As you imply, the use of similar terminology to describe different things makes it a challenge to wrap your head around all of this.

Indeed.

In our defence, this terminological confusion is an industry-wide issue )-: For example, it’s one of the main reasons why people have so much trouble with TLS (aka SSL).

I believe this is my 1st time doing this and ultimately what I need

If you want to distribute code inside an installer package, you’ll need both Developer ID Application, for the code, and Developer ID Installer, for the installer. Signing a Mac Product For Distribution has the details here.

I read somewhere that the public keys are embedded in the certificates.

Correct. You do not need a separate public key to form a digital identity because the public key is embedded in the certificate.

this identity cannot be used for signing code

Indeed. To sign code you need your Developer ID Application signing identity. Use Developer ID Installer to sign your installer package.

IMPORTANT Don’t forget to backup your Developer ID signing identities as standalone .p12 files. That gives you a recovery path if something goes wrong with the keychain.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
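
Added example, not written by either poster in this thread: a POSIX shell check that reads `security find-identity` output and reports whether a valid Developer ID Application identity (for codesign) and a valid Developer ID Installer identity (for the package) are both present. The two sample outputs are constructed in the thread's format, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed samples in the thread's output format (values are placeholders).
NO_IDENTITY='Policy: X.509 Basic
  Matching identities
     0 identities found
  Valid identities only
     0 valid identities found'
BOTH='Policy: X.509 Basic
  Matching identities
  1) redacted-40-digit-code "Developer ID Application: Firstname Lastname (redacted)"
  2) redacted-40-digit-code "Developer ID Installer: Firstname Lastname (redacted)"
     2 identities found
  Valid identities only
  1) redacted-40-digit-code "Developer ID Application: Firstname Lastname (redacted)"
  2) redacted-40-digit-code "Developer ID Installer: Firstname Lastname (redacted)"
     2 valid identities found'

# Print the quoted names listed under "Valid identities only".
valid_identities() {
    printf '%s\n' "$1" | awk '
        /Valid identities only/ { in_valid = 1; next }
        in_valid && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2) }'
}

# code -> Developer ID Application (codesign); pkg -> Developer ID Installer.
identity_for() {   # $1 = find-identity output, $2 = code|pkg
    case "$2" in
        code) prefix='Developer ID Application: ' ;;
        pkg)  prefix='Developer ID Installer: ' ;;
        *)    return 2 ;;
    esac
    valid_identities "$1" |
        awk -v p="$prefix" 'index($0, p) == 1 { print; found = 1; exit } END { exit !found }'
}

# Report both identities; returns non-zero if either is missing.
signing_ready() {
    rc=0
    for kind in code pkg; do
        name=$(identity_for "$1" "$kind") || { name='no valid identity'; rc=1; }
        echo "$kind: $name"
    done
    return $rc
}

signing_ready "$NO_IDENTITY" || echo "not ready to sign"
signing_ready "$BOTH"
```

On a Mac, pass `"$(security find-identity)"` in place of the samples. A certificate that Keychain Access shows as valid but that has no private key never appears in this output, which is the first case above.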
