Okay, here is what I did to successfully sign a bundled .jar. You need to
- change the linked SDK of JavaAppLauncher, since this is too old (macOS 10.7, but we need 10.9)
- use entitlements so that a bundled JRE can be started
First we need to change the provided binary of JavaAppLauncher:
```sh
xcrun vtool -set-version-min macos 10.9 10.9 -replace -output JavaAppLauncher.new path/to/original/JavaAppLauncher
```
This vtool command is provided with Xcode and sets the linked SDK version to 10.9, which is needed for code signing.
Don't forget to exchange the JavaAppLauncher binaries, so that the modified one is used when bundling your .jar.
Now sign the app with
```sh
codesign --options runtime --entitlements entilement.plist --force --sign "Developer ID Application: Your_Name" path/to/your/bundle.app
```
For the entitlements you should use (save that to entilement.plist):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key><true/>
</dict>
</plist>
```
With this, I managed to get an app signed and notarized (as part of a DMG), which is able to run on Intel and Apple Silicon Macs with macOS 10.9 or higher.
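Added example, not part of the original post or the project's code: a small audit that parses an entitlements plist and reports which hardened-runtime exceptions it switches on, run here against the two keys from the post. The function name `audit_entitlements` and the `NARROWER` mapping are assumptions made for illustration; whether a narrower key is enough for a particular bundled JRE is not something the post establishes.

```python
import plistlib

# Hardened-runtime exception keys and what each one relaxes (Apple's documented keys).
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit":
        "writable and executable memory, MAP_JIT mappings only",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "writable and executable memory without the MAP_JIT restriction",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables affect the process",
    "com.apple.security.cs.disable-library-validation":
        "libraries not signed by the app's own team can be loaded",
    "com.apple.security.cs.disable-executable-page-protection":
        "code-signing protection of executable pages is switched off",
}

# Assumption for this example: narrower keys worth testing before the broad one.
NARROWER = {
    "com.apple.security.cs.disable-executable-page-protection": [
        "com.apple.security.cs.allow-jit",
        "com.apple.security.cs.allow-unsigned-executable-memory",
    ],
}

def audit_entitlements(plist_bytes):
    """Return (key, effect, narrower_keys) for every exception set to true."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must have a <dict> root")
    return [
        (key, RUNTIME_EXCEPTIONS[key], NARROWER.get(key, []))
        for key, value in data.items()
        if value is True and key in RUNTIME_EXCEPTIONS
    ]

# The entitlements file from the post, embedded so the example runs offline.
POSTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.cs.disable-executable-page-protection</key><true/>
</dict>
</plist>"""

if __name__ == "__main__":
    for key, effect, narrower in audit_entitlements(POSTED):
        print(f"{key}: {effect}")
        for alt in narrower:
            print(f"  narrower key to test first: {alt}")
```

The same function can be pointed at the entitlements actually embedded in a signed bundle by feeding it the XML that `codesign -d --entitlements` prints for that bundle.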