B4J Tutorial MacSigner - Building notarized Mac packages

Screen Shot 2021-05-19 at 11.55.28.png


It is mostly impossible to run non-notarized and unsigned apps on new versions of Mac.
MacSigner tool will help you with the various steps required to convert the app jar to a notarized and signed app package.

Requirements
  1. Mac computer.
  2. Apple developer account ($99 per year).
Java

The java SDK is made of three components: Java JDK, JavaFX libs and JavaFX jmods.
Java JDK 14.0.2: https://download.java.net/java/GA/j...c647/12/GPL/openjdk-14.0.2_osx-x64_bin.tar.gz
JavaFX libs: https://gluonhq.com/download/javafx-16-sdk-mac/
JavaFX jmods: https://gluonhq.com/download/javafx-16-jmods-mac/

You need to download the three components to a folder:

1621493668902.png

And unpack the files:

1621493855652.png

Don't rename the folders.


Mac signer

Download and unzip MacSigner to your Mac: www.b4x.com/b4j/MacSigner.zip

Signing key

In most cases you should use a single signing key for all your app. Steps to create the signing key:
  1. Run MacSigner. Set the path to Java 14 bin folder: jdk-14.02.jdk/Contents/Home/bin
  2. Set the path to the keys folder.
  3. Click on Create Key. You can leave the default values.
  4. It will create various files in the keys folder, including a file named certSigningRequest.csr.
  5. It is a good time to save the MacSigner settings (File - Save).
  6. Go to: https://developer.apple.com/account/resources/certificates/list
    Create a new certificate. Set its type to Developer ID Application. Don't confuse it with other similar types.
    Upload certSigningRequest.csr when requested to upload a certificate signing request file.
  7. Download developerID_application.cer and put it in the keys folder:

    1621419523878.png

    All these files go together. A certificate created with a different csr file will not work.
Steps from a jar to an app package

Link
- the good old B4JPackager11 which is embedded inside MacSigner. Links the app jar with a Java runtime. Creates a standalone package.
Package - Uses Java jPackage tool to convert the standalone package to a Mac app package with a native launcher. The files in the package are signed during this step. It also creates a zip file of the package.
Notarize - Uploads the zip file to Apple server for automatic tests. This step can take several minutes to complete. This step ends when the file was uploaded to Apple. It can take another several minutes for Apple to process the file. An email will be sent after the file was processed.
Request Info (optional) - Checks the status of a submitted app.
Staple - After the app was notarized successfully, the staple step marks the app package as notarized.

More details

Link


Copy the compiled jar to the Mac. If you have used #PackagerProperty (or it was added by a b4xlib) then you should also copy packager.json, which is generated when you choose Project - Build standalone package:

1621429436536.png


No need to copy the json file if not using #PackagerProperty.
If completed successfully, you will see a line similar to:
You can check the linked package: /Users/ereluziel/Downloads/tempjars/temp/build/run.command
Worth running run.command to see that the package works as expected.

Package

Set the app name. You can also put an icon file at the same folder as the jar file. The icon extension should be icns. You can use this tool to create the icon: https://cloudconvert.com/png-to-icns
As before, the output path will be logged. Worth double clicking on the app file. It should work.

Notarize

Set your Apple's username and password and provider id (click on List Providers to find it). The password must be an app specific password: https://appleid.apple.com/account/manage - Security - App Specific Passwords
After the zip file is uploaded, you will see something like:
No errors uploading '/Users/ereluziel/Downloads/tempjars/package/MacSigner.zip'.
RequestUUID = 5d17a894-0389-4737-a898-cec4a90f0d50

You can check the request status using the request uuid. You will also receive an email when the check completes.

Staple

If the app was notarized properly then you should click on Staple to mark the app package. It will also delete the previous zip file and create a new one.

You can now distribute it ?

Tips

Updates

  • 1.02 - Switched from altool to notarytool as required by Apple. Note that you must fill the provider field.
  • 1.01 - Adds an option to set the provider. It is relevant when there are several teams related to the Apple account.
    There is a new List Providers button. Click on it. Find the provider short name and put it in the field. If there is a single provider then you can leave it empty.
  • 0.95 - fixes issue with Java.
 
Last edited:

madru

Active Member
Licensed User
Longtime User
that makes life easier now :)

but......

1621433235359.png


launching of items (java) from the BIN folder does not work, xattr does also not help

'create key' returns
Create key completed unsuccessfully.
Error - 137:
 

madru

Active Member
Licensed User
Longtime User
works really well

THX a lot :)

one comment: Staple does only work after you have received the email from Apple 'Your Mac software was successfully notarized' and not directly after receiving this in the log:

Uploading package to Apple server. This step can take several minutes...
No errors uploading '/Users/dev2/Desktop/package/TestSinusWave.zip'.
RequestUUID = xxxx3e22-0ab9-4171-b81e-xxxx9ebdf1a3
Notarize completed successfully.

if you directly Staple after the message you will get:
Error - 65: Processing: /Users/dev2/Desktop/package/TestSinusWave.app
CloudKit query for TestSinusWave.app (1/xxxxfbe361b7acf54728255c5cb24a4f3a41xxxx) failed due to "Record not found".
Could not find base64 encoded ticket in response for 1/xxxxfbe361b7acf54728255c5cb24a4f3a41xxxx
The staple and validate action failed! Error 65.
 
Last edited:

Erel

B4X founder
Staff member
Licensed User
Longtime User
one comment: Staple does only work after you have received the email from Apple 'Your Mac software was successfully notarized' and not directly after receiving this in the log:
True. You can take the request UUID and use the Request Info button to get the notarization status.

No errors getting notarization info.

Date: 2021-05-20 09:00:57 +0000
Hash: d92f65b53172cc5f36238be13ea2649f20b9f03ba236620e1a99fc87b1098ad4
RequestUUID: 38fba1c7-5731-4818-8f4b-c98e8c03512d
Status: in progress
Status Code: 0
Status Message: Package Approved
Once it is approved you can click on the Staple button.
 

Erel

B4X founder
Staff member
Licensed User
Longtime User
Tip: currently File.DirData (= XUI.DirDefault) is the same as File.DirApp on Mac. This is a restricted path once you build an app bundle / package.

In the next version of B4J it will instead return: ~/Library/Application Support/[AppName]
This is similar to the way it works in Windows.

For now, you can get this folder with:
B4X:
Dim ApplicationSupportFolder As String = File.Combine(GetSystemProperty("user.home", ""), "Library/Application Support/" & AppName)
 

ThRuST

Well-Known Member
Licensed User
Longtime User
Does this mean that Java 8 install packages (made with B4Jpackager) won't run on newer Macs unless being signed with this tool?
 

gregchao

Active Member
Licensed User
Longtime User
When I try to notarize, I get the following error:

"Your Apple ID account is attached to other providers. You will need to specify which provider to submit content to."

Any ideas?
 

madru

Active Member
Licensed User
Longtime User
ideas - Yes :)

your Apple developer account is not active
you have not agreed to the lately updated terms
check and change the team name to a non friendly one

and properly many more :(
 

gregchao

Active Member
Licensed User
Longtime User
I tried the new "List Provider" feature and I do not see the providers. Instead I get an explanation of the altool command. See below: What am I doing wrong?
screenshot.png
 

madru

Active Member
Licensed User
Longtime User
can you execute the command from the shell?

B4X:
xcrun altool --list-providers -u [email protected] -p yourPassword

you should get something like this:

ProviderName ProviderShortname PublicID WWDRTeamID
------------ ------------------- ------------------------------------ ----------
my Name myName59763821 abe56828-a1b2-4fef-4055-4b6c7d11e4ff GHR56Y4D
 
Top