MacOS – Signing an App that includes Java fails

applicationscode-signingjavamacos

I try to sign an app-bundle that includes the Java Runtime Environment 8 (JRE).

From command line I run this command:

codesign -s "Developer ID Application: My Company" /Development/MyApp.app

I get this output:

MyApp.app: code object is not signed at all
In subcomponent: /Development/MyApp.app/Contents/PlugIns/jre8/Contents/Home/jre/COPYRIGHT

The result is that the App-bundle doesn't get signed as expected.

How do I fix this?

Best Answer

code signing

The friendly manual on code signing says to sign the sub-component first, then try again with your app itself:

codesign says my code is unsigned when I try to sign it.

Make sure all nested code is already signed and its signature is valid. Xcode will take care of this for you if you let it handle your code signing tasks.

It goes on to say let Xcode handle all the signing, which may or may not be helpful since you are already choosing to sign things from the command line.

--deep

To sign all nested code in one go, add the --deep argument to codesign:

codesign --deep -s "Developer ID Application: My Company" /Development/MyApp.app

shell script

Another way of doing the same is to create a shell script that checks the signature state of the nested code, and signs if it is missing. This way you may get more control on what you are signing within the bundle.

Example:

A bash-script called sign-unsigned.sh that checks one entry in the bundle and signs it if it is not already signed could be done like this:

#!/bin/bash
if codesign --verify $1 ; then 
   exit; 
else
   codesign --sign "$2" $1;
fi

Put the sign-unsigned.sh in /Development and do this on the command line:

cd /Development/MyApp.app/
find . -exec ../sign-unsigned.sh {} "Developer ID Application: My Company" \;
codesign --sign "Developer ID Application: My Company" ../MyApp.app
Related Question