Signing jlink code for macOS on other platforms

Signing jlink code for macOS on other platforms

Mark Raynsford
Hello!

As a long time Java developer, I've only ever had to deal with signing
jar files. I can obviously sign jar files once on whatever platform I
choose to use to build the code, and then distribute the jars to all
platforms. Build once, run everywhere, etc.

However, now that jlink exists, as a developer I have to deal with
signing platform-specific executables. For example, if I distribute a
macOS application produced with jlink, that executable will produce a
large warning message:

http://ataxia.io7m.com/2018/02/12/warning.png

Now obviously in the past, the system JRE was signed and so I'd give my
users a jar file, they'd run the jar file using the signed JRE, and
everything would work. With jlink, it's now my responsibility to sign
the executables I produce.

The code signing tools for macOS are evidently not available for any
platform other than macOS, meaning that I now can't just build the code
for all platforms on Linux if I want to use jlink (even though jlink
is capable of producing embedded JREs for all of the platforms I want
to support); at least part of the build would have to take place on
macOS to sign the final result. This is pretty awful!

Are there any plans to implement anything that's capable of signing
macOS binaries and resources in a platform-independent way so that
jlink-produced distributions can work without warnings? Is that even a
reasonable thing to request? I've no idea how "private" Apple keep
their signing implementation.

--
Mark Raynsford | http://www.io7m.com

Re: Signing jlink code for macOS on other platforms

mark.reinhold
2018/2/12 3:44:07 -0800, Mark Raynsford <[hidden email]>:
> ...
>
> Are there any plans to implement anything that's capable of signing
> macOS binaries and resources in a platform-independent way so that
> jlink-produced distributions can work without warnings?

No.

>                                                         Is that even a
> reasonable thing to request? I've no idea how "private" Apple keep
> their signing implementation.

It's certainly reasonable, but as you suggest it would require an
implementation of Apple's signing algorithm that runs on non-macOS
systems.  I have no idea if such a thing exists or is even possible.

- Mark

Re: Signing jlink code for macOS on other platforms

Mark Raynsford
In reply to this post by Mark Raynsford
On 2018-02-12T11:44:07 +0000
Mark Raynsford <[hidden email]> wrote:

> Hello!
>
> As a long time Java developer, I've only ever had to deal with signing
> jar files. I can obviously sign jar files once on whatever platform I
> choose to use to build the code, and then distribute the jars to all
> platforms. Build once, run everywhere, etc.
>
> However, now that jlink exists, as a developer I have to deal with
> signing platform-specific executables. For example, if I distribute a
> macOS application produced with jlink, that executable will produce a
> large warning message:

Seeing as I've had no response, is it safe to assume that this subject
isn't permitted here?

I was hoping there'd be some discussion of platform-independent ways to
produce correctly-signed jlink distributions... Right now, just using
jlink at all means you (probably) have to go back to building code on
each individual platform in order to get access to proprietary
platform-specific signing tools. This kind of reduces the utility of
being able to specify another platform's JVM with --module-path,
because the resulting distribution won't really be usable thanks to the
erosion of the ability to run unsigned binaries on some platforms.

--
Mark Raynsford | http://www.io7m.com