Code Signing/Notarisation for .app that runs Java, no Xcode

Hi there-

Like the title says, I'm trying to get an .app bundle code-signed and notarised that runs Java internally, without using Xcode. I've mostly based my workflow off the advice and notes given here and here, but I'm running into problems with using notarytool at the final step, rather than altool.

My basic workflow from the same directory with the .app is as follows...

codesign --deep --force --options=runtime --entitlements ../resources/entitlements.plist --sign "DEVELOPER_ID_ETC" --timestamp MyApp.app/Contents/MacOS/launcher.command

codesign --deep --force --options=runtime --entitlements ../resources/entitlements.plist --sign "DEVELOPER_ID_ETC" --timestamp MyApp.app/Contents/Java/code_jar.jar

codesign --deep --force --options=runtime --entitlements ../resources/entitlements.plist --sign "DEVELOPER_ID_ETC" --timestamp MyApp.app/Contents/PlugIns/OSX_JRE

codesign --deep --force --options=runtime --sign "DEVELOPER_ID_ETC" --timestamp MyApp.app/Contents/Resources/app_icon.icns

codesign --deep --force --options=runtime --entitlements ../resources/entitlements.plist --sign "DEVELOPER_ID_ETC" --timestamp MyApp.app

codesign -vv MyApp.app

zip -r MyApp_APP.zip MyApp.app

../notarytool submit MyApp_APP.zip --keychain-profile "Developer-notarytool" --wait

...at which point I receive an 'invalid' response from the server that notarytool uploads to. The "codesign -vv" step passes without complaint, so is there any way to get more information about what's causing the notarisation failure?

Answered by DTS Engineer in 801668022

You are currently signing your code using --deep, which is something I specifically recommend against. See --deep Considered Harmful.

Apple has general advice on how to sign a Mac app correctly:

In this case, however, I recommend that you consult the support resources for your third-party tools, because this is a path that many other folks have walked down previously.

is there any way to get more information about what's causing the notarisation failure?

See Fetching the Notary Log.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
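
Editor's added example, not part of the thread and not Apple's or the poster's script: one way to follow the two pointers in the answer above, signing nested code inside-out with one codesign call per item instead of --deep, then saving the notary log for a rejected submission. The function names, the DRY_RUN switch, the suffix/exec-bit matching and the reuse of one entitlements file for executables are assumptions; the question invokes ../notarytool directly, whereas this uses xcrun notarytool.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and DRY_RUN are hypothetical;
# the identity, profile name and bundle layout mirror the question.

# Print nested code candidates, deepest path first, so inner items are signed
# before the bundle that contains them. Matching on suffix or exec bit is an
# assumption; on macOS, `file` can confirm which hits are really Mach-O.
nested_code() {
    find "$1/Contents" -type f \( -name '*.dylib' -o -name '*.jnilib' -o -perm -u+x \) |
        awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@" </dev/null; fi
}

# One codesign call per item, no --deep. Library code gets no entitlements;
# executables and the outer bundle do (assumes one entitlements file fits both).
# Non-code files such as the .jar and .icns are not signed individually here.
sign_inside_out() {
    app=$1; entitlements=$3
    set -- codesign --force --options=runtime --timestamp --sign "$2"
    nested_code "$app" | while IFS= read -r item; do
        case $item in
            *.dylib|*.jnilib) run "$@" "$item" ;;
            *) run "$@" --entitlements "$entitlements" "$item" ;;
        esac || exit 1
    done || return 1
    run "$@" --entitlements "$entitlements" "$app"
}

# Save the notary log for a submission id printed by `notarytool submit`.
fetch_notary_log() {
    run xcrun notarytool log "$1" --keychain-profile "$2" notary-log.json
}
```

Running sign_inside_out with DRY_RUN=1 first prints the codesign calls in order without touching the bundle. The saved notary-log.json is where the service reports why a submission came back invalid.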

If there's no obvious solution or way to diagnose the problem here, could I please get a recommendation for code-level support?
