How to Sign a library inside core.jar, without Breaking the App?

I exported a Processing sketch to Apple Silicon. It works fine, but when I try to sign and notarize it to send to Apple, it fails, saying there’s an unsigned binary in core.jar.

I can unzip core.jar and sign the offending binary, but when I rezip it up and rename it back to core.jar, the app doesn’t work anymore.

Is there any way to get some help to sign this file?

Here’s one of the errors I get from the notarization process (there’s 4 errors, but they are all about the same file)

      "severity": "error",
      "code": null,
      "path": "SceneEditorV1_1_03.zip/SceneEditorV1_1_03.app/Contents/Java/core.jar/processing/core/libDifferent.jnilib",
      "message": "The binary is not signed.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "x86_64"

The file is “libDifferent.jnilib”

I can sign it no problem, but as I said, when I rezip the whole folder back and rename it to core.jar, the app no longer launches. Literally nothing happens when you double click it, and if I try to launch it from Terminal, I get this error:

Error: Could not find or load main class SceneEditorV1_1_03
Caused by: java.lang.NoClassDefFoundError: processing/core/PApplet

Saving session...
...copying shared history...
...saving history...truncating history files...
...completed.

[Process completed]

I just updated to macOS Sequoia, and I didn’t get this problem before, so I’m sure it’s related (I’ve already signed/notarized this app many times successfully without issue).

Thanks for any insights. The app is stuck in signing/notarization hell until I figure this out…

Mike

1 Like

Source of file in question originates here:
https://github.com/benfry/processing4/blob/main/core/src/processing/core/ThinkDifferent.java

This file mentions libDifferent.jnilib but the code does not seem to be shown. You can get a file called ‘True’ when you try to download it, but it’s not human readable. You may have to ask the author about certifying the file. Github has a mechanism for raising ‘issues’ if you can figure out how to do it. Good luck; I know you’ve spent a ton of time working on this project.

Addendum:
I assume that you have seen this:
https://github.com/benfry/processing4/wiki/Exporting-Applications#macos

1 Like

Thank you so much, as usual Svan. You are always so brilliant!

The funny thing is, I didn’t get this error prior to upgrading the MacOS to Sequoia - there was a different file that needed code signing, but it wasn’t inside a .jar file.

I can unzip the jar, sign it, and rezip it, but then it’s broken and the app won’t launch.

I’m not sure where to go for help at this point - usually at GitHub it’s difficult getting any responses, and especially the Processing team seems reluctant to field questions/issues. But I’ll try to get their help if I can - it seems like this is the correct place to get help for Processing issues though, isn’t it? Do the devs monitor this forum?

You are right, I have seen that addendum, and I did become a full blown “Apple Developer” (which means I paid them $99), and I did get all the tools to sign the app and make it “legit” and open correctly without having to do those Xattr tricks! Using the command line tools to get around the safety issues isn’t great for an app for other people to use, although I will always appreciate all the time you spent sharing with me and helping me to get the app working with those tools!

The signing/notarizing worked just fine, until I fixed a bug in the app and tried to resign/re-notarize it all. Then this new issue came up. This, after I had just updated to Sequoia OS on Mac.

I think Apple changed the Xcode command line tools somehow, and now this binary is not included in the signing process. I could be wrong, but I didn’t update processing. It should have worked the same.

In any case, thank you kindly for your time and suggestions. I will keep pounding away at this until I get an answer, and I didn’t think to ask the creator of the file for help, so thanks for that suggestion.

Oh, if I could just unzip/rezip a jar file and have it work, then I’d be home free. Somehow unzipping the jar file, and then rezipping it, breaks it. :frowning:

This is where the process breaks down, because the export function of Processing is a closed system; I have no control over what it’s doing, and I can’t seem to sign the binary inside the jar file when I export it directly from Processing.

Thanks again, and WHEN I find an answer, I’ll post back here.

If anyone else has a solution, I’m all ears, as I’m just spending hours googling this now over something so stupid.

Thanks,

Mike

That’s likely what the gatekeeper intended. Once an app is finished they don’t want anybody messing with it, including the programmer who wrote it. We would like to think that’s intended to make it difficult for a hacker who might have something nefarious in mind for our app. Unfortunately, it can also make it difficult for the good guys who just want to share their work.

I did become a full blown “Apple Developer” (which means I paid them $99)

It looks like you would have some reward for doing that, like free technical support. Check and see if you aren’t entitled to a free call to Apple for assistance.

2 Likes

Excellent suggestion, as usual, thank you Svan.

I think where I’m lacking here is the fact I’m not using Xcode to build the app - Xcode would take care of all this stuff from the get-go.

This is because I’m using Processing, and Processing doesn’t sign the binary correctly, and neither apparently does the official Apple Xcode code signing terminal command.

I’ll keep working on it. You’ve been an amazing support, so thank you again!

Mike

PS, what I really wish was that there was a way to have some control over the process of creating the executable files. Since the code signing is so important, it seems like maybe this process of exporting the application could be made more transparent.

Having a finished binary core.jar file that I can’t open to sign, basically means I can’t use Processing to make a viable Mac app.

Hopefully the creators of Processing reconsider this aspect of the program and allow for more control over what’s happening, including the ability to add developer code signing and notarizing right into Processing.

It’s not something that can be fixed other than finding some way of breaking open the core.jar file and signing the binary and then zipping it back up without breaking it - which seems like it’s not possible to do.

Translation: you cannot make a Mac app with Processing that can pass Gatekeeper.

Please someone prove me wrong…

Thank you

1 Like

You are trying to export an app with someone else’s code inside of it. You can sign your own code, but I don’t think you can sign their code. Everyone has to sign their own code as far as I know. If their code is not signed correctly then I would simply make them aware of that and get it corrected. I doubt that it would be a problem if you just wanted to share your code with a few friends. Apparently you are trying to put your app in the AppStore and the bar is higher. You should be able to get help either from Apple or the author of Processing. Personally, I don’t have a clue how you would code sign a java .jar file. Do we know if that is even possible? Have you checked out the ‘docUrl’ contained in the error message? The architecture is listed as x86_64 (old Intel chip system) and I thought you said you were working with a newer Apple Silicon chip system.

Just curious how you do that.

2 Likes

Hi Svan, thank you so much!

Actually - it was ALL working - ALL the java files were signed with the Apple signing tool - all of them! It doesn’t matter if someone else made them.

And now, I have cracked the issue!

The problem was, after I unzipped the jar file, then rezipped it and renamed the extension to .jar, the file size was different. Even without me signing it! Literally, just unzipping/rezipping, it broke.

That told me the issue here is the unzipping/rezipping I was doing. I had just been right-clicking and compressing the jar folder on the Mac, and then renaming the extension to .jar, which wasn’t working. The reconstituted file was smaller and wasn’t working right.

So I looked a lot more into how to unzip the jar file and rezip it, and found I could use an official java command line tool.

Here’s how I solved this…

The zip/unzip commands are this, with the Apple signing in between:

unzip core.jar -d core

Copy the entitlements file into the unzipped folder inside the unzipped core.jar folder. (Important!)

codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "SceneEditor.entitlements" --sign "Developer ID Application: Michael Phillips (XXXXXX (my Dev code))" "libDifferent.jnilib"

Delete the entitlements file from the core.jar folder.

Rezip the core folder into a jar again:

jar cvf core.jar -C core/ .

Note - the period above is part of the command! I had missed this the first time around!

Now, I already have been successful signing and notarizing the app! Except I forgot to delete the entitlements file, so I’m doing it all again.

I’m 99.9% sure this will work (already worked once!).

I will post back with 100% success or not in a few minutes.

Your suggestions have helped me a lot to think differently; I so appreciate you Svan.

Also, to spread the love, I want to share that I am using a program called DMGCanvas to make the dmg file to share with other users. It’s the best program I found to automate a lot of all this, and even lets you sign and notarize the dmg file!

Note - once you are an “official Apple developer” and pay them the money, you CAN make apps for anyone! Through the App Store, or just to download off the internet - and it works for anyone!

Svan, or anyone, if you want to see the finished result of all this work, you can go to my website and download the previous Mac version of the app, to see how easy it is:

Then just download either the Apple Silicon, or the Apple Intel version, and see how the whole thing works. Mainly, I’m talking about how the dmg file opens, and you can just drag the folder onto your Mac to install the app, and it opens! You might be prompted that “the file is downloaded off the Internet - are you sure you want to open it?” But that is the only hassle, and only happens the first time you run it.

So again thank you - you’ve been wonderful, and the ONLY person on the whole internet to even respond! You’ve helped me so much! Thank you !

1 Like
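A layout check for the rebuilt core.jar, as an added example that is not part of the original posts. Compressing a folder in Finder stores the folder itself as the top-level entry, so classes land at core/processing/... instead of processing/..., which matches the NoClassDefFoundError for processing/core/PApplet quoted earlier; the function names and the in-memory archives are constructed for illustration.

```python
import io
import zipfile

MAC_DEBRIS = ("__MACOSX/", ".DS_Store")


def file_entries(jar_bytes):
    """Names of all file entries (directory entries skipped) in a jar/zip."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename for i in zf.infolist() if not i.is_dir()}


def compare_jars(original, rebuilt):
    """Describe how a rebuilt jar's entry layout differs from the original's."""
    before, after = file_entries(original), file_entries(rebuilt)
    debris = {n for n in after
              if n.startswith(MAC_DEBRIS[0]) or n.endswith(MAC_DEBRIS[1])}
    after -= debris
    missing = before - after
    wrapper = None
    # If stripping one top-level folder from the rebuilt names recovers every
    # missing entry, the archive was built around the folder, not its contents.
    for top in {n.split("/", 1)[0] for n in after if "/" in n}:
        stripped = {n[len(top) + 1:] for n in after if n.startswith(top + "/")}
        if missing and missing <= stripped:
            wrapper = top
    return {"missing": sorted(missing), "extra": sorted(after - before),
            "wrapper": wrapper, "mac_debris": sorted(debris)}


def make_jar(names):
    """Build a small in-memory archive (constructed test data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed")
    return buf.getvalue()


NAMES = ["META-INF/MANIFEST.MF", "processing/core/PApplet.class",
         "processing/core/libDifferent.jnilib"]
ORIGINAL = make_jar(NAMES)
# Folder-wrapped layout with a Finder metadata entry (constructed).
WRAPPED = make_jar(["core/" + n for n in NAMES] + ["__MACOSX/core/._processing"])
# Layout produced by `jar cvf core.jar -C core/ .`: contents at the archive root.
REJARRED = make_jar(NAMES)

if __name__ == "__main__":
    print(compare_jars(ORIGINAL, WRAPPED))
    print(compare_jars(ORIGINAL, REJARRED))
```

For real files, pass the bytes of a backup copy of the exported core.jar and of the rebuilt one; a non-empty "missing" list or a non-null "wrapper" means the app will not find its classes.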

You use the Apple code signing command line tool:

codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "SceneEditor.entitlements" --sign "Developer ID Application: Michael Phillips (XXXXX)" "libDifferent.jnilib"

It’s that easy!

But you do have to copy an entitlements file into the folder first, and then after signing, delete the entitlements folder.

I’m not gonna lie, it’s a hellish amount of work to figure this all out with command line tools! I’d much rather have just built the app in Xcode to begin with, but then I’d have had to build it also for Windows and also Linux - I didn’t want three code bases!!!

But as great as Processing is - and it IS! - it just doesn’t let you build native looking apps. But I suppose that’s not what it was designed for…

Thanks!

Mike

1 Like

I’m aware of the command line ‘codesign’ command but have never had the need to use it since I mainly write apps for my own use. You have become a code signing expert and I hope that you are recording all of these steps somewhere for future reference.

it just doesn’t let you build native looking apps

The look and feel of an app has a lot to do with the controls, aka ‘widgets’.

2 Likes

In the interest of giving back to everyone who has helped me, below is how I take the app out of Processing and then turn it into a signed, notarized, official Apple app that’s “legal” and “legit” as far as Apple is concerned, and can be shared over the internet with anyone. NO HORRIBLE ERROR MESSAGES!

Note - prior to these steps you will need to become an official Apple developer - pay them the $99 and get certificates for yourself. This small guide does not cover this part, and it is a little involved getting the certificates setup and installed correctly on your system. But they give you links how to do this when you become an Apple Developer.

You will need a Developer and Application certificate, by the way.

OK, onto the steps.

Initial Steps:

  • Update info.plist.tmpl to have updated version, data info for app - this is a little file you can include in the Processing folder for your app that will make the app show the right version. I’m not sure how to share it here, but you can probably google it. It’s not required, but makes your finished app a bit more professional.

  • Export the app from Processing to Apple Silicon or Intel

  • Replace the application.icns file in package Resources. You can make a file called application.icns which includes various sizes of your app logo. Again, this is a little involved, but you can google this part if you want a custom app icon (highly recommended!).

  • Put an “entitlements” file into the same folder as the .app file. An entitlements file lets the app know what it’s allowed to do or not do. You can google for a sample entitlements file. But here’s the one I used:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
	<true/>
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
	<true/>
	<key>com.apple.security.cs.disable-executable-page-protection</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
</dict>
</plist>

Note: I highly suggest you make this in Xcode so it works right. I know, “HOW?” - google, my friend, google.

Do all this in a terminal window in the same window as the app:

Code Sign:
codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "App.entitlements" --sign "Developer ID Application: Your Name (XXXXX - Developer ID)" "AppName.app"

Check code sign:
codesign -vvv --deep --strict AppName.app

Make zip file:
ditto -c -k --sequesterRsrc --keepParent "AppName.app" "AppName.zip"

Submit to Apple for Notarization:
xcrun notarytool submit --apple-id "yourappleid" --password "your app specific password which you get from Apple" --team-id YOURTEAMID --wait "AppName.zip"

  • If it fails, get the json log and see what was not signed.

To get json log, run this command after app notarization failure:

xcrun notarytool log --apple-id "yourappleid" --password "your app specific password" --team-id YOURTEAMID [copy/paste code from submission failure] notary-log.json

  • Look through the json file and see what file failed. Probably a binary wasn’t signed, even though it was supposed to be signed.

  • If the unsigned file is not a .jar file, you can just run the notarization on the file inside the .app package.

  • If the unsigned file is a .jar file, you’ll need to unzip the jar file into a folder, copy/paste entitlements into it, sign the unsigned file, delete the entitlements file, delete the original jar file, then rezip the folder back into a .jar file.

Here’s those steps:

unzip jarfilename.jar -d jarfolder

Copy Entitlements into the folder and recode sign:
codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "App.entitlements" --sign "Developer ID Application: Michael Phillips (XXXXXX)" "filename to sign"

  • Delete SceneEditor.entitlements!!!

  • Delete original .jar file

jar cvf jarfilename.jar -C jarfolder/ .

  • Need to sign the whole app again after this!! Also need to re-notarize the whole thing again, but it should pass notarization at that point.

To check if App is Correctly Notarized:
spctl -a -t exec -vvv AppName.app

Staple Notarization:
xcrun stapler staple "AppName.app"

Check Staple:
spctl --assess --verbose AppName.app

At this point, your app file will be “official” and “legal” and “Legit” and will pass Apple Gatekeeper. You can upload it to the internet and people can download it, and use it. They will get an error “This file has been downloaded from the Internet. Are you sure you want to open it?” - this only happens the first time, and is totally NORMAL and not an indication you screwed up. Even Apple apps from mega corporations will show this, unless the app is hosted in the App Store.

You could also make your app available to the App Store, but I have not done this, so I will not comment on it except to say it’s going to be a fairly similar process.

Make a DMG file
After you get your app file all legal and legit, you might want to package it up into a DMG file for other folks to download easily. You can include things like a EULA, instructions, readme, etc, with the dmg file.

For me, the program DMG Canvas was a godsend. You gotta pay for it, but it’s cheap, and it also will automatically sign and notarize your DMG file once you made it. Also you can make a fancy background and get it looking just amazing too. Note - I’m NOT getting an affiliate commission to share this with you!!!


Now, I totally understand that this is still probably VERY CONFUSING if you’ve never done any of this, and it’s waaaay beyond the scope of what I can offer right here right now to absolutely and clearly explain every step (this deserves a huge blog post, which might take a few hours to do right). I am a teacher after all, so I realize this is FAR from complete!

But I spent dozens of hours figuring this out, with Svan’s help, and tons of hours googling and trying things. Weeks.

I hope if any of you have been struggling with some of this, that this guide will give you the broad strokes outlines of how to proceed.

Thank you,

Mike

4 Likes
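The "look through the json file" step from the guide above, as an added example that is not part of the original post: it groups the error entries of a notarization log per file and separates binaries that sit inside a .jar (extract, sign, re-jar) from those that can be signed in place. The sample log is constructed around the one entry quoted at the top of the thread, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the log entry quoted in the thread; the
# arm64 entry, the .dylib path and the other messages are made up.
JAR = "App.zip/App.app/Contents/Java/core.jar/processing/core/libDifferent.jnilib"
SAMPLE_LOG = json.dumps({"status": "Invalid", "issues": [
    {"severity": "error", "path": JAR, "architecture": "x86_64",
     "message": "The binary is not signed."},
    {"severity": "error", "path": JAR, "architecture": "arm64",
     "message": "The binary is not signed."},
    {"severity": "error", "architecture": "arm64",
     "path": "App.zip/App.app/Contents/PlugIns/libexample.dylib",
     "message": "The signature does not include a secure timestamp."},
    {"severity": "warning", "path": "App.zip/App.app/Contents/MacOS/App",
     "message": "constructed warning", "architecture": "arm64"},
]})


def split_nested(path):
    """Split a log path into (file on disk, path inside it or None).

    The first component is the uploaded zip and is dropped. If a later
    component is a .jar, the rest lives inside that archive, so it has to be
    extracted, signed and re-jarred rather than signed in place.
    """
    parts = path.split("/")[1:]
    for i, part in enumerate(parts[:-1]):
        if part.lower().endswith(".jar"):
            return "/".join(parts[:i + 1]), "/".join(parts[i + 1:])
    return "/".join(parts), None


def triage(log_text):
    """Group error-severity issues per file: {(on_disk, inner): details}."""
    grouped = defaultdict(lambda: {"messages": set(), "archs": set()})
    for issue in json.loads(log_text).get("issues") or []:
        if issue.get("severity") != "error":
            continue
        entry = grouped[split_nested(issue["path"])]
        entry["messages"].add(issue["message"])
        entry["archs"].add(issue.get("architecture", "?"))
    return dict(grouped)


if __name__ == "__main__":
    for (on_disk, inner), info in sorted(triage(SAMPLE_LOG).items(), key=str):
        action = f"re-jar after signing {inner}" if inner else "sign in place"
        print(f"{on_disk}: {action} {sorted(info['archs'])} {sorted(info['messages'])}")
```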

@svan See previous post! Your wish is my command!

It’s as detailed a guide as I can give without spending many hours writing it all down with screenshots etc, which it’s worthy of, but I just don’t have it in me to do.

Agreed about the “look/feel” comment - however Processing does not provide file windows and other native dialog boxes for things. So maybe you could do this with Swing? Not sure…but for sure if you did it with Xcode on Mac and Visual Studio on PC you could get there.

But then that’s another whole ball of wax!

Thanks again Svan - you’re the best!!