B4J Tutorial MacSigner - Building notarized Mac packages



It is mostly impossible to run non-notarized and unsigned apps on new versions of Mac.
MacSigner tool will help you with the various steps required to convert the app jar to a notarized and signed app package.

Requirements
  1. Mac computer.
  2. Apple developer account ($99 per year).

Java

The Java SDK is made of three components: Java JDK, JavaFX libs and JavaFX jmods.
Java JDK 14.0.2: https://download.java.net/java/GA/j...c647/12/GPL/openjdk-14.0.2_osx-x64_bin.tar.gz
JavaFX libs: https://gluonhq.com/download/javafx-16-sdk-mac/
JavaFX jmods: https://gluonhq.com/download/javafx-16-jmods-mac/

You need to download the three components to a folder:

1621493668902.png

And unpack the files:

1621493855652.png

Don't rename the folders.


Mac signer

Download and unzip MacSigner to your Mac: www.b4x.com/b4j/MacSigner.zip

Signing key

In most cases you should use a single signing key for all your apps. Steps to create the signing key:
  1. Run MacSigner. Set the path to Java 14 bin folder: jdk-14.02.jdk/Contents/Home/bin
  2. Set the path to the keys folder.
  3. Click on Create Key. You can leave the default values.
  4. It will create various files in the keys folder, including a file named certSigningRequest.csr.
  5. It is a good time to save the MacSigner settings (File - Save).
  6. Go to: https://developer.apple.com/account/resources/certificates/list
    Create a new certificate. Set its type to Developer ID Application. Don't confuse it with other similar types.
    Upload certSigningRequest.csr when requested to upload a certificate signing request file.
  7. Download developerID_application.cer and put it in the keys folder:

    1621419523878.png

    All these files go together. A certificate created with a different csr file will not work.

Steps from a jar to an app package

Link - The good old B4JPackager11, which is embedded inside MacSigner. Links the app jar with a Java runtime. Creates a standalone package.
Package - Uses Java jPackage tool to convert the standalone package to a Mac app package with a native launcher. The files in the package are signed during this step. It also creates a zip file of the package.
Notarize - Uploads the zip file to Apple server for automatic tests. This step can take several minutes to complete. This step ends when the file was uploaded to Apple. It can take another several minutes for Apple to process the file. An email will be sent after the file was processed.
Request Info (optional) - Checks the status of a submitted app.
Staple - After the app was notarized successfully, the staple step marks the app package as notarized.

More details

Link


Copy the compiled jar to the Mac. If you have used #PackagerProperty (or it was added by a b4xlib) then you should also copy packager.json, which is generated when you choose Project - Build standalone package:

1621429436536.png


No need to copy the json file if not using #PackagerProperty.
If completed successfully, you will see a line similar to:
You can check the linked package: /Users/ereluziel/Downloads/tempjars/temp/build/run.command
Worth running run.command to see that the package works as expected.

Package

Set the app name. You can also put an icon file in the same folder as the jar file. The icon extension should be icns. You can use this tool to create the icon: https://cloudconvert.com/png-to-icns
As before, the output path will be logged. Worth double clicking on the app file. It should work.

Notarize

Set your Apple username, password and provider id (click on List Providers to find it). The password must be an app specific password: https://appleid.apple.com/account/manage - Security - App Specific Passwords
After the zip file is uploaded, you will see something like:
No errors uploading '/Users/ereluziel/Downloads/tempjars/package/MacSigner.zip'.
RequestUUID = 5d17a894-0389-4737-a898-cec4a90f0d50

You can check the request status using the request uuid. You will also receive an email when the check completes.

Staple

If the app was notarized properly then you should click on Staple to mark the app package. It will also delete the previous zip file and create a new one.

You can now distribute it.

Tips

Updates

  • 1.02 - Switched from altool to notarytool as required by Apple. Note that you must fill the provider field.
  • 1.01 - Adds an option to set the provider. It is relevant when there are several teams related to the Apple account.
    There is a new List Providers button. Click on it. Find the provider short name and put it in the field. If there is a single provider then you can leave it empty.
  • 0.95 - fixes issue with Java.
 

madru

that makes life easier now :)

but......

1621433235359.png


launching of items (java) from the BIN folder does not work, xattr does also not help

'create key' returns
Create key completed unsuccessfully.
Error - 137:
 

madru

works really well

THX a lot :)

one comment: Staple does only work after you have received the email from Apple 'Your Mac software was successfully notarized' and not directly after receiving this in the log:

Uploading package to Apple server. This step can take several minutes...
No errors uploading '/Users/dev2/Desktop/package/TestSinusWave.zip'.
RequestUUID = xxxx3e22-0ab9-4171-b81e-xxxx9ebdf1a3
Notarize completed successfully.

if you directly Staple after the message you will get:
Error - 65: Processing: /Users/dev2/Desktop/package/TestSinusWave.app
CloudKit query for TestSinusWave.app (1/xxxxfbe361b7acf54728255c5cb24a4f3a41xxxx) failed due to "Record not found".
Could not find base64 encoded ticket in response for 1/xxxxfbe361b7acf54728255c5cb24a4f3a41xxxx
The staple and validate action failed! Error 65.
 

Erel

B4X founder
Staff member
one comment: Staple does only work after you have received the email from Apple 'Your Mac software was successfully notarized' and not directly after receiving this in the log:
True. You can take the request UUID and use the Request Info button to get the notarization status.

No errors getting notarization info.

Date: 2021-05-20 09:00:57 +0000
Hash: d92f65b53172cc5f36238be13ea2649f20b9f03ba236620e1a99fc87b1098ad4
RequestUUID: 38fba1c7-5731-4818-8f4b-c98e8c03512d
Status: in progress
Status Code: 0
Status Message: Package Approved
Once it is approved you can click on the Staple button.
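
The status check discussed in the two posts above, as an added example that is not part of the thread or of MacSigner: a shell gate that staples only when the Status field of the Request Info output reads success. The status values success and invalid, the function names and the sample texts are assumptions constructed for illustration; the field layout follows the output quoted above.

```shell
#!/bin/sh
# Added example: gate the Staple step on the notarization status.
# Assumption: besides "in progress", the Status field can read
# "success" or "invalid" (altool-style Request Info output).

# Print the value of the "Status:" field, lowercased, from text on stdin.
# "Status Code:" and "Status Message:" lines are deliberately not matched.
notarization_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1 |
        tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//'
}

# $1 = Request Info text.
# Returns 0 = ready to staple, 1 = still processing, 2 = rejected or unknown.
staple_gate() {
    status=$(printf '%s\n' "$1" | notarization_status)
    case "$status" in
        success)       return 0 ;;
        "in progress") return 1 ;;
        *)             return 2 ;;
    esac
}

# $1 = Request Info text, $2 = path to the .app bundle.
# Staples and validates only when the gate passes.
staple_if_ready() {
    rc=0
    staple_gate "$1" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "not stapling: status is not 'success' (gate=$rc)" >&2
        return "$rc"
    fi
    xcrun stapler staple "$2" && xcrun stapler validate "$2"
}

# Constructed sample inputs (placeholder UUID, not real submissions).
SAMPLE_PENDING='No errors getting notarization info.

RequestUUID: 00000000-0000-0000-0000-000000000000
Status: in progress'
SAMPLE_DONE='RequestUUID: 00000000-0000-0000-0000-000000000000
Status: success
Status Code: 0
Status Message: Package Approved'
SAMPLE_BAD='Status: invalid'

staple_gate "$SAMPLE_PENDING" || echo "pending sample: gate=$?"
```

Keying on the Status line alone avoids stapling early, which is the Error 65 case reported earlier in the thread.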
 

Erel

Tip: currently File.DirData (= XUI.DirDefault) is the same as File.DirApp on Mac. This is a restricted path once you build an app bundle / package.

In the next version of B4J it will instead return: ~/Library/Application Support/[AppName]
This is similar to the way it works in Windows.

For now, you can get this folder with:
B4X:
Dim ApplicationSupportFolder As String = File.Combine(GetSystemProperty("user.home", ""), "Library/Application Support/" & AppName)
 

ThRuST

Does this mean that Java 8 install packages (made with B4Jpackager) won't run on newer Macs unless being signed with this tool?
 

gregchao

When I try to notarize, I get the following error:

"Your Apple ID account is attached to other providers. You will need to specify which provider to submit content to."

Any ideas?
 

madru

ideas - Yes :)

your Apple developer account is not active
you have not agreed to the lately updated terms
check and change the team name to a non friendly one

and probably many more :(
 

gregchao

I tried the new "List Provider" feature and I do not see the providers. Instead I get an explanation of the altool command. See below: What am I doing wrong?
screenshot.png
 

madru

can you execute the command from the shell?

B4X:
xcrun altool --list-providers -u user@domain.com -p yourPassword

you should get something like this:

ProviderName ProviderShortname   PublicID                             WWDRTeamID
------------ ------------------- ------------------------------------ ----------
my Name      myName59763821      abe56828-a1b2-4fef-4055-4b6c7d11e4ff GHR56Y4D
 