You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@netbeans.apache.org by Emilian Bold <em...@gmail.com> on 2020/02/28 08:34:01 UTC
Digitally signing the NetBeans binaries for macOS notarization
Hello,
For OpenBeans.org I have to notarize the macOS app, which means among
other things digitally signing everything that looks executable to
Apple: standalone binaries and dynamic libraries. See
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
We have both of these in a NetBeans release and I have been wondering
if it's not more practical to just digitally sign these binaries with
the Apache key instead?
OR, I could just sign these with my key and update the binaries /
external files used by NetBeans so that the resulting binary
distribution has less things to worry about.
I'm happy with either solution. Using my key would be fastest as I can
just use my key and create a PR. I don't know how signing with the
Apache key is done but I assume somebody that worked on the NetBeans
macOS installer knows.
I see the following files:
* native execution with the most:
ide/bin/nativeexecution/MacOSX-x86/killall
ide/bin/nativeexecution/MacOSX-x86/process_start
ide/bin/nativeexecution/MacOSX-x86/pty
ide/bin/nativeexecution/MacOSX-x86/pty_open
ide/bin/nativeexecution/MacOSX-x86/stat
ide/bin/nativeexecution/MacOSX-x86/unbuffer.dylib
ide/bin/nativeexecution/MacOSX-x86_64/killall
ide/bin/nativeexecution/MacOSX-x86_64/process_start
ide/bin/nativeexecution/MacOSX-x86_64/pty
ide/bin/nativeexecution/MacOSX-x86_64/pty_open
ide/bin/nativeexecution/MacOSX-x86_64/stat
ide/bin/nativeexecution/MacOSX-x86_64/unbuffer.dylib
* profiler:
profiler/lib/deployed/jdk15/mac/libprofilerinterface.jnilib
profiler/lib/deployed/jdk16/mac/libprofilerinterface.jnilib
* C/C++:
cnd/bin/MacOSX-x86/libBuildTrace.dylib
cnd/bin/MacOSX-x86_64/libBuildTrace.dylib
dlight/bin/MacOSX-x86/fs_server
* JavaFX has some dylibs inside the JAR:
platform/modules/ext/javafx-graphics-13-mac.jar
platform/modules/ext/javafx-media-13-mac.jar
platform/modules/ext/javafx-web-13-mac.jar
* and this one:
platform/modules/lib/libjnidispatch-nb.jnilib
--emi
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
For additional commands, e-mail: dev-help@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
Re: Digitally signing the NetBeans binaries for macOS notarization
Posted by Geertjan Wielenga <ge...@apache.org>.
Great work, thanks Arunava.
Gj
On Sun, Mar 1, 2020 at 11:26 AM Arunava Sinha <ar...@oracle.com>
wrote:
> Hi,
>
> Apple notarization happened through below ticket
>
> https://issues.apache.org/jira/browse/INFRA-19884
>
> During build of macOS installer "Apple Developer ID Installer
> Certificate" was used which I got from ASF.
>
> https://issues.apache.org/jira/browse/INFRA-19653
>
> Regards,
>
> Arunava Sinha
>
>
> On 3/1/2020 12:54 PM, Geertjan Wielenga wrote:
> > Excellent.
> >
> > Gj
> >
> > On Sun, 1 Mar 2020 at 07:53, Emilian Bold <em...@gmail.com>
> wrote:
> >
> >> Nevermind, I realise this was a silly question. Apple has apparently
> >> whitelisted these binaries for NetBeans so there's no need to sign
> >> them at all.
> >>
> >> --emi
> >>
> >> On Fri, Feb 28, 2020 at 10:34 AM Emilian Bold <em...@gmail.com>
> >> wrote:
> >>> Hello,
> >>>
> >>> For OpenBeans.org I have to notarize the macOS app, which means among
> >>> other things digitally signing everything that looks executable to
> >>> Apple: standalone binaries and dynamic libraries. See
> >>>
> >>
> https://urldefense.com/v3/__https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution__;!!GqivPVa7Brio!MlsYTSbmlZhbH1vUd_CIwCyWT2k3v3d6JAvJhwYP2BfoF0kQF6KWqyVONE20BR8k4w$
> >>> We have both of these in a NetBeans release and I have been wondering
> >>> if it's not more practical to just digitally sign these binaries with
> >>> the Apache key instead?
> >>>
> >>> OR, I could just sign these with my key and update the binaries /
> >>> external files used by NetBeans so that the resulting binary
> >>> distribution has less things to worry about.
> >>>
> >>> I'm happy with either solution. Using my key would be fastest as I can
> >>> just use my key and create a PR. I don't know how signing with the
> >>> Apache key is done but I assume somebody that worked on the NetBeans
> >>> macOS installer knows.
> >>>
> >>> I see the following files:
> >>>
> >>> * native execution with the most:
> >>>
> >>> ide/bin/nativeexecution/MacOSX-x86/killall
> >>> ide/bin/nativeexecution/MacOSX-x86/process_start
> >>> ide/bin/nativeexecution/MacOSX-x86/pty
> >>> ide/bin/nativeexecution/MacOSX-x86/pty_open
> >>> ide/bin/nativeexecution/MacOSX-x86/stat
> >>> ide/bin/nativeexecution/MacOSX-x86/unbuffer.dylib
> >>> ide/bin/nativeexecution/MacOSX-x86_64/killall
> >>> ide/bin/nativeexecution/MacOSX-x86_64/process_start
> >>> ide/bin/nativeexecution/MacOSX-x86_64/pty
> >>> ide/bin/nativeexecution/MacOSX-x86_64/pty_open
> >>> ide/bin/nativeexecution/MacOSX-x86_64/stat
> >>> ide/bin/nativeexecution/MacOSX-x86_64/unbuffer.dylib
> >>>
> >>> * profiler:
> >>> profiler/lib/deployed/jdk15/mac/libprofilerinterface.jnilib
> >>> profiler/lib/deployed/jdk16/mac/libprofilerinterface.jnilib
> >>>
> >>> * C/C++:
> >>> cnd/bin/MacOSX-x86/libBuildTrace.dylib
> >>> cnd/bin/MacOSX-x86_64/libBuildTrace.dylib
> >>> dlight/bin/MacOSX-x86/fs_server
> >>>
> >>> * JavaFX has some dylibs inside the JAR:
> >>>
> >>> platform/modules/ext/javafx-graphics-13-mac.jar
> >>> platform/modules/ext/javafx-media-13-mac.jar
> >>> platform/modules/ext/javafx-web-13-mac.jar
> >>>
> >>> * and this one:
> >>>
> >>> platform/modules/lib/libjnidispatch-nb.jnilib
> >>>
> >>> --emi
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
> >> For additional commands, e-mail: dev-help@netbeans.apache.org
> >>
> >> For further information about the NetBeans mailing lists, visit:
> >>
> https://urldefense.com/v3/__https://cwiki.apache.org/confluence/display/NETBEANS/Mailing*lists__;Kw!!GqivPVa7Brio!MlsYTSbmlZhbH1vUd_CIwCyWT2k3v3d6JAvJhwYP2BfoF0kQF6KWqyVONE3Y0P1V3g$
> >>
> >>
> >>
> >>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
> For additional commands, e-mail: dev-help@netbeans.apache.org
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
>
>
>
>
Re: Digitally signing the NetBeans binaries for macOS notarization
Posted by Arunava Sinha <ar...@oracle.com>.
Hi,
Apple notarization happened through below ticket
https://issues.apache.org/jira/browse/INFRA-19884
During build of macOS installer "Apple Developer ID Installer
Certificate" was used which I got from ASF.
https://issues.apache.org/jira/browse/INFRA-19653
Regards,
Arunava Sinha
On 3/1/2020 12:54 PM, Geertjan Wielenga wrote:
> Excellent.
>
> Gj
>
> On Sun, 1 Mar 2020 at 07:53, Emilian Bold <em...@gmail.com> wrote:
>
>> Nevermind, I realise this was a silly question. Apple has apparently
>> whitelisted these binaries for NetBeans so there's no need to sign
>> them at all.
>>
>> --emi
>>
>> On Fri, Feb 28, 2020 at 10:34 AM Emilian Bold <em...@gmail.com>
>> wrote:
>>> Hello,
>>>
>>> For OpenBeans.org I have to notarize the macOS app, which means among
>>> other things digitally signing everything that looks executable to
>>> Apple: standalone binaries and dynamic libraries. See
>>>
>> https://urldefense.com/v3/__https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution__;!!GqivPVa7Brio!MlsYTSbmlZhbH1vUd_CIwCyWT2k3v3d6JAvJhwYP2BfoF0kQF6KWqyVONE20BR8k4w$
>>> We have both of these in a NetBeans release and I have been wondering
>>> if it's not more practical to just digitally sign these binaries with
>>> the Apache key instead?
>>>
>>> OR, I could just sign these with my key and update the binaries /
>>> external files used by NetBeans so that the resulting binary
>>> distribution has less things to worry about.
>>>
>>> I'm happy with either solution. Using my key would be fastest as I can
>>> just use my key and create a PR. I don't know how signing with the
>>> Apache key is done but I assume somebody that worked on the NetBeans
>>> macOS installer knows.
>>>
>>> I see the following files:
>>>
>>> * native execution with the most:
>>>
>>> ide/bin/nativeexecution/MacOSX-x86/killall
>>> ide/bin/nativeexecution/MacOSX-x86/process_start
>>> ide/bin/nativeexecution/MacOSX-x86/pty
>>> ide/bin/nativeexecution/MacOSX-x86/pty_open
>>> ide/bin/nativeexecution/MacOSX-x86/stat
>>> ide/bin/nativeexecution/MacOSX-x86/unbuffer.dylib
>>> ide/bin/nativeexecution/MacOSX-x86_64/killall
>>> ide/bin/nativeexecution/MacOSX-x86_64/process_start
>>> ide/bin/nativeexecution/MacOSX-x86_64/pty
>>> ide/bin/nativeexecution/MacOSX-x86_64/pty_open
>>> ide/bin/nativeexecution/MacOSX-x86_64/stat
>>> ide/bin/nativeexecution/MacOSX-x86_64/unbuffer.dylib
>>>
>>> * profiler:
>>> profiler/lib/deployed/jdk15/mac/libprofilerinterface.jnilib
>>> profiler/lib/deployed/jdk16/mac/libprofilerinterface.jnilib
>>>
>>> * C/C++:
>>> cnd/bin/MacOSX-x86/libBuildTrace.dylib
>>> cnd/bin/MacOSX-x86_64/libBuildTrace.dylib
>>> dlight/bin/MacOSX-x86/fs_server
>>>
>>> * JavaFX has some dylibs inside the JAR:
>>>
>>> platform/modules/ext/javafx-graphics-13-mac.jar
>>> platform/modules/ext/javafx-media-13-mac.jar
>>> platform/modules/ext/javafx-web-13-mac.jar
>>>
>>> * and this one:
>>>
>>> platform/modules/lib/libjnidispatch-nb.jnilib
>>>
>>> --emi
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
>> For additional commands, e-mail: dev-help@netbeans.apache.org
>>
>> For further information about the NetBeans mailing lists, visit:
>> https://urldefense.com/v3/__https://cwiki.apache.org/confluence/display/NETBEANS/Mailing*lists__;Kw!!GqivPVa7Brio!MlsYTSbmlZhbH1vUd_CIwCyWT2k3v3d6JAvJhwYP2BfoF0kQF6KWqyVONE3Y0P1V3g$
>>
>>
>>
>>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
For additional commands, e-mail: dev-help@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
Re: Digitally signing the NetBeans binaries for macOS notarization
Posted by Geertjan Wielenga <ge...@apache.org>.
Excellent.
Gj
On Sun, 1 Mar 2020 at 07:53, Emilian Bold <em...@gmail.com> wrote:
> Nevermind, I realise this was a silly question. Apple has apparently
> whitelisted these binaries for NetBeans so there's no need to sign
> them at all.
>
> --emi
>
> On Fri, Feb 28, 2020 at 10:34 AM Emilian Bold <em...@gmail.com>
> wrote:
> >
> > Hello,
> >
> > For OpenBeans.org I have to notarize the macOS app, which means among
> > other things digitally signing everything that looks executable to
> > Apple: standalone binaries and dynamic libraries. See
> >
> https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
> >
> > We have both of these in a NetBeans release and I have been wondering
> > if it's not more practical to just digitally sign these binaries with
> > the Apache key instead?
> >
> > OR, I could just sign these with my key and update the binaries /
> > external files used by NetBeans so that the resulting binary
> > distribution has less things to worry about.
> >
> > I'm happy with either solution. Using my key would be fastest as I can
> > just use my key and create a PR. I don't know how signing with the
> > Apache key is done but I assume somebody that worked on the NetBeans
> > macOS installer knows.
> >
> > I see the following files:
> >
> > * native execution with the most:
> >
> > ide/bin/nativeexecution/MacOSX-x86/killall
> > ide/bin/nativeexecution/MacOSX-x86/process_start
> > ide/bin/nativeexecution/MacOSX-x86/pty
> > ide/bin/nativeexecution/MacOSX-x86/pty_open
> > ide/bin/nativeexecution/MacOSX-x86/stat
> > ide/bin/nativeexecution/MacOSX-x86/unbuffer.dylib
> > ide/bin/nativeexecution/MacOSX-x86_64/killall
> > ide/bin/nativeexecution/MacOSX-x86_64/process_start
> > ide/bin/nativeexecution/MacOSX-x86_64/pty
> > ide/bin/nativeexecution/MacOSX-x86_64/pty_open
> > ide/bin/nativeexecution/MacOSX-x86_64/stat
> > ide/bin/nativeexecution/MacOSX-x86_64/unbuffer.dylib
> >
> > * profiler:
> > profiler/lib/deployed/jdk15/mac/libprofilerinterface.jnilib
> > profiler/lib/deployed/jdk16/mac/libprofilerinterface.jnilib
> >
> > * C/C++:
> > cnd/bin/MacOSX-x86/libBuildTrace.dylib
> > cnd/bin/MacOSX-x86_64/libBuildTrace.dylib
> > dlight/bin/MacOSX-x86/fs_server
> >
> > * JavaFX has some dylibs inside the JAR:
> >
> > platform/modules/ext/javafx-graphics-13-mac.jar
> > platform/modules/ext/javafx-media-13-mac.jar
> > platform/modules/ext/javafx-web-13-mac.jar
> >
> > * and this one:
> >
> > platform/modules/lib/libjnidispatch-nb.jnilib
> >
> > --emi
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
> For additional commands, e-mail: dev-help@netbeans.apache.org
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
>
>
>
>
Re: Digitally signing the NetBeans binaries for macOS notarization
Posted by Emilian Bold <em...@gmail.com>.
Nevermind, I realise this was a silly question. Apple has apparently
whitelisted these binaries for NetBeans so there's no need to sign
them at all.
--emi
On Fri, Feb 28, 2020 at 10:34 AM Emilian Bold <em...@gmail.com> wrote:
>
> Hello,
>
> For OpenBeans.org I have to notarize the macOS app, which means among
> other things digitally signing everything that looks executable to
> Apple: standalone binaries and dynamic libraries. See
> https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution
>
> We have both of these in a NetBeans release and I have been wondering
> if it's not more practical to just digitally sign these binaries with
> the Apache key instead?
>
> OR, I could just sign these with my key and update the binaries /
> external files used by NetBeans so that the resulting binary
> distribution has less things to worry about.
>
> I'm happy with either solution. Using my key would be fastest as I can
> just use my key and create a PR. I don't know how signing with the
> Apache key is done but I assume somebody that worked on the NetBeans
> macOS installer knows.
>
> I see the following files:
>
> * native execution with the most:
>
> ide/bin/nativeexecution/MacOSX-x86/killall
> ide/bin/nativeexecution/MacOSX-x86/process_start
> ide/bin/nativeexecution/MacOSX-x86/pty
> ide/bin/nativeexecution/MacOSX-x86/pty_open
> ide/bin/nativeexecution/MacOSX-x86/stat
> ide/bin/nativeexecution/MacOSX-x86/unbuffer.dylib
> ide/bin/nativeexecution/MacOSX-x86_64/killall
> ide/bin/nativeexecution/MacOSX-x86_64/process_start
> ide/bin/nativeexecution/MacOSX-x86_64/pty
> ide/bin/nativeexecution/MacOSX-x86_64/pty_open
> ide/bin/nativeexecution/MacOSX-x86_64/stat
> ide/bin/nativeexecution/MacOSX-x86_64/unbuffer.dylib
>
> * profiler:
> profiler/lib/deployed/jdk15/mac/libprofilerinterface.jnilib
> profiler/lib/deployed/jdk16/mac/libprofilerinterface.jnilib
>
> * C/C++:
> cnd/bin/MacOSX-x86/libBuildTrace.dylib
> cnd/bin/MacOSX-x86_64/libBuildTrace.dylib
> dlight/bin/MacOSX-x86/fs_server
>
> * JavaFX has some dylibs inside the JAR:
>
> platform/modules/ext/javafx-graphics-13-mac.jar
> platform/modules/ext/javafx-media-13-mac.jar
> platform/modules/ext/javafx-web-13-mac.jar
>
> * and this one:
>
> platform/modules/lib/libjnidispatch-nb.jnilib
>
> --emi
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
For additional commands, e-mail: dev-help@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists