JPackage signing leaves app unusable since updating to Ventura

Question

Created Apr ’23

Replies 3

Boosts 0

Views 1.5k

Participants 3

I had a process for generating an app using JPackage that was working well in Catalina. The signing process worked and generated apps that could be downloaded from my website and run without problems.

When my users had Ventura they could install from the dmg, but running the app gave "can't be opened because Apple cannot check it for malicious software". This is the error I used to get on Catalina before signing.

I updated my development computer to Ventura in the hopes that building using that OS version would clean up the problem, but no such luck.

The app runs without problems when I run it from the build location. I just get the above error when the dmg is downloaded from the internet.

The setting to allow applications from trusted developers is correct on my system.

I'm using:

Java 17 (though Java 20 does behaves the same)
Xcode 14.3 is installed (jpackage uses it under the hood)
My signing certificate shows as "this certificate is valid" in the system keychain
using "codesign -vvv --deep --strict" on the dmg and app claims "satisfies its Designated Requirement" (though I don't know what that means and there's no other information given)
Attempting to run codesign to sign the app tells me "already signed"
The code I have is pure Java, but does use JavaFX
There are no warnings or errors from jpackage when building

I would really appreciate suggestions on why the signing doesn't appear to be working any longer.

Thank you!

Boost

Answer 1

DTS Engineer OP

Apple

Apr ’23

There are limits to how much I can help you with third-party tools like this. My advice is that you seek help via the vendor’s support channel.

Having said that, I do have general advice on how to resolve problems like this, namely a hierarchy of posts rooted at Resolving Trusted Execution Problems. The error you’re seeing is a Gatekeeper issue, so you want to follow that path.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

jaikiran OP

Apr ’23

@javadev12345, since you note that this happens with jpackage and is even reproducible with the recent released Java 20, I would recommend that you open an issue here https://bugreport.java.com/bugreport/start_form with all relevant details, including the commands that you use and whether this is a macos x64 or M1, so that someone from the jpackage team can take a look.

I remember that in the past there was at least one similar issue which I think was addressed in https://bugs.openjdk.org/browse/JDK-8276150 and https://bugs.openjdk.org/browse/JDK-8277493. This could be a different variant of the issue though.

1

Answer 3

javadev12345 OP

Apr ’23

Accepted Answer

Thank you for the pointers. I've submitted a bug to oracle here: http://bugs.java.com/bugdatabase/view_bug?bug_id=JDK-8306977

I was able to get past this problem though. First, I had to remove a jar from my distribution that contained an unsigned native library (sqlite was the offending jar specifically).

I then notarized my app based on the instruction here:

https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087734

Once notarized I was able to download the dmg from a web site and access the application. The gatekeeper is still invoked, but opening the application is an option that the gatekeeper gives you.

1