[bugfix] Improve macOS notarization process

adamretter · adamretter · commit 7894495be270 · 2025-06-04T16:33:56.000+01:00
Closes #2
diff --git a/exist-core/pom.xml b/exist-core/pom.xml
@@ -199,7 +199,7 @@
         <dependency>
             <groupId>org.lz4</groupId>
             <artifactId>lz4-java</artifactId>
-            <version>1.8.0</version>
+            <version>${lz4-java.version}</version>
         </dependency>
 
         <dependency>
@@ -245,18 +245,7 @@
         <dependency>
             <groupId>org.jline</groupId>
             <artifactId>jline</artifactId>
-            <version>3.29.0</version>
-        </dependency>
-
-        <dependency>
-            <groupId>org.fusesource.jansi</groupId>
-            <artifactId>jansi</artifactId>
-            <version>${jansi.version}</version>
-            <!--
-                Optionally used by jline at runtime on Linux and macOS,
-                and required by jline at runtime on Windows.
-            -->
-            <scope>runtime</scope>
+            <version>${jline.version}</version>
         </dependency>
 
         <dependency>
diff --git a/exist-distribution/pom.xml b/exist-distribution/pom.xml
@@ -377,7 +377,8 @@
                             <includes>
                                 <include>src/app/entitlements.plist</include>
                                 <include>src/dmgbuild/settings.py</include>
-                                <include>src/main/scripts/codesign-jansi-mac.sh</include>
+                                <include>src/main/scripts/codesign-jline-mac.sh</include>
+                                <include>src/main/scripts/codesign-lz4-java-mac.sh</include>
                                 <include>src/main/scripts/create-dmg-mac.sh</include>
                             </includes>
                             <excludes>
@@ -1241,20 +1242,40 @@
                         <executions>
                             <execution>
                                 <!--
-                                    Signs the jansi native binaries
+                                    Signs the JLine native binaries
                                 -->
-                                <id>mac-codesign-jansi-native</id>
+                                <id>mac-codesign-jline-native</id>
                                 <phase>package</phase>
                                 <goals>
                                     <goal>exec</goal>
                                 </goals>
                                 <configuration>
                                     <useMavenLogger>true</useMavenLogger>
-                                    <executable>${project.basedir}/src/main/scripts/codesign-jansi-mac.sh</executable>
+                                    <executable>${project.basedir}/src/main/scripts/codesign-jline-mac.sh</executable>
                                     <arguments>
                                         <argument>${mac.bundle.java.dir}</argument>
-                                        <argument>${jansi.version}</argument>
-                                        <argument>${project.build.directory}/jansi-native</argument>
+                                        <argument>${jline.version}</argument>
+                                        <argument>${project.build.directory}/jline-native</argument>
+                                        <argument>${mac.codesign.identity}</argument>
+                                    </arguments>
+                                </configuration>
+                            </execution>
+                            <execution>
+                                <!--
+                                    Signs the LZ4 Java native binaries
+                                -->
+                                <id>mac-codesign-lz4-java-native</id>
+                                <phase>package</phase>
+                                <goals>
+                                    <goal>exec</goal>
+                                </goals>
+                                <configuration>
+                                    <useMavenLogger>true</useMavenLogger>
+                                    <executable>${project.basedir}/src/main/scripts/codesign-lz4-java-mac.sh</executable>
+                                    <arguments>
+                                        <argument>${mac.bundle.java.dir}</argument>
+                                        <argument>${lz4-java.version}</argument>
+                                        <argument>${project.build.directory}/lz4-java-native</argument>
                                         <argument>${mac.codesign.identity}</argument>
                                     </arguments>
                                 </configuration>
@@ -1416,6 +1437,7 @@
                                         <argument>notarytool</argument>
                                         <argument>submit</argument>
                                         <argument>--verbose</argument>
+                                        <argument>--wait</argument>
                                         <argument>--apple-id</argument>
                                         <argument>${elemental.release.notarize.apple-id}</argument>
                                         <argument>--team-id</argument>
@@ -1426,6 +1448,23 @@
                                     </arguments>
                                 </configuration>
                             </execution>
+                            <execution>
+                                <id>mac-stapler-staple-dmg</id>
+                                <phase>package</phase>
+                                <goals>
+                                    <goal>exec</goal>
+                                </goals>
+                                <configuration>
+                                    <useMavenLogger>true</useMavenLogger>
+                                    <executable>/usr/bin/xcrun</executable>
+                                    <arguments>
+                                        <argument>stapler</argument>
+                                        <argument>staple</argument>
+                                        <argument>--verbose</argument>
+                                        <argument>${mac.dmg}</argument>
+                                    </arguments>
+                                </configuration>
+                            </execution>
 
                         </executions>
                     </plugin>
diff --git a/exist-distribution/src/main/scripts/codesign-jline-mac.sh b/exist-distribution/src/main/scripts/codesign-jline-mac.sh
@@ -22,7 +22,7 @@
 
 
 # $1 is .app/Contents/Java dir
-# $2 is the jansi version
+# $2 is the jline version
 # $3 is temp work directory
 # $4 the mac codesign identity
 
@@ -41,21 +41,22 @@ archs=('arm64' 'x86' 'x86_64')
 for arch in ${archs[@]}
 do
   # create the temp output dirs
-  mkdir -p "${3}/org/fusesource/jansi/internal/native/Mac/${arch}"
+  mkdir -p "${3}/org/jline/nativ/Mac/${arch}"
 
   # switch to temp output dir
   pushd "${3}"
 
   # extract the native files
-  jar -xf "${1}/jansi-${2}.jar" "org/fusesource/jansi/internal/native/Mac/${arch}/libjansi.jnilib"
+  jar -xf "${1}/jline-${2}.jar" "org/jline/nativ/Mac/${arch}/libjlinenative.jnilib"
 
   # test if the file is unsigned, and sign if needed
-  /usr/bin/codesign --verbose --test-requirement="=anchor trusted" --verify "org/fusesource/jansi/internal/native/Mac/${arch}/libjansi.jnilib" || /usr/bin/codesign --verbose --force --timestamp --sign "${4}" "org/fusesource/jansi/internal/native/Mac/${arch}/libjansi.jnilib"
+  /usr/bin/codesign --verbose --test-requirement="=anchor trusted" --verify "org/jline/nativ/Mac/${arch}/libjlinenative.jnilib" || /usr/bin/codesign --verbose --force --timestamp --sign "${4}" "org/jline/nativ/Mac/${arch}/libjlinenative.jnilib"
 
   # overwrite the file in the jar
-  jar -uf "${1}/jansi-${2}.jar" "org/fusesource/jansi/internal/native/Mac/${arch}/libjansi.jnilib"
+  jar -uf "${1}/jline-${2}.jar" "org/jline/nativ/Mac/${arch}/libjlinenative.jnilib"
 
   # switch back from temp output dir
   popd
 
 done
+
diff --git a/exist-distribution/src/main/scripts/codesign-lz4-java-mac.sh b/exist-distribution/src/main/scripts/codesign-lz4-java-mac.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+#
+# Elemental
+# Copyright (C) 2024, Evolved Binary Ltd
+#
+# admin@evolvedbinary.com
+# https://www.evolvedbinary.com | https://www.elemental.xyz
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; version 2.1.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+#
+
+
+# $1 is .app/Contents/Java dir
+# $2 is the lz4-java version
+# $3 is temp work directory
+# $4 the mac codesign identity
+
+
+set -e
+#set -x  ## enable to help debug
+
+# ensure a clean temp work directory
+if [ -d "${3}/net" ]
+then
+  rm -rf "${3}/net"
+fi
+
+# for each native arch
+archs=('aarch64' 'x86_64')
+for arch in ${archs[@]}
+do
+  # create the temp output dirs
+  mkdir -p "${3}/net/jpountz/util/darwin/${arch}"
+
+  # switch to temp output dir
+  pushd "${3}"
+
+  # extract the native files
+  jar -xf "${1}/lz4-java-${2}.jar" "net/jpountz/util/darwin/${arch}/liblz4-java.dylib"
+
+  # test if the file is unsigned, and sign if needed
+  /usr/bin/codesign --verbose --test-requirement="=anchor trusted" --verify "net/jpountz/util/darwin/${arch}/liblz4-java.dylib" || /usr/bin/codesign --verbose --force --timestamp --sign "${4}" "net/jpountz/util/darwin/${arch}/liblz4-java.dylib"
+
+  # overwrite the file in the jar
+  jar -uf "${1}/lz4-java-${2}.jar" "net/jpountz/util/darwin/${arch}/liblz4-java.dylib"
+
+  # switch back from temp output dir
+  popd
+
+done
+
diff --git a/exist-parent/pom.xml b/exist-parent/pom.xml
@@ -98,7 +98,8 @@
         <exquery.distribution.version>0.2.1</exquery.distribution.version>
         <icu.version>59.1</icu.version>
         <izpack.version>5.2.4</izpack.version>
-        <jansi.version>2.4.1</jansi.version>
+        <jline.version>3.29.0</jline.version>
+        <lz4-java.version>1.8.0</lz4-java.version>
         <jdom1.version>1.1.3</jdom1.version>
         <jetty.version>11.0.25</jetty.version>
         <log4j.version>2.24.3</log4j.version>
