Apple Notary Service requires code-signed jnilib files
Apple's notary service was changed in late 2024 to require that jnilibs in a DMG must be code-signed.
When using the notary service, you may see an error:
"The binary is not signed."
The Protection PLUS 5 SDK Java jnilib must be code-signed with an Apple Developer certificate.
Based on their information:
If the *.jnilib file is signed with a different certificate than the one used for the DMG container, it might cause issues during the notarization process. To avoid this, ensure that all components are signed with the same Developer ID certificate before submitting for notarization.
It will need to be signed by your certificate. If we sign it, it will likely still fail the notary process.
More information can be found in this support forum post:
https://developer.apple.com/forums/thread/764017?form=MG0AV3&form=MG0AV3
You must unpack the jar file, sign the jnilib, and then repack it.
Code-signing the JAR file
When a *.jnilib file is inside a JAR file, you can't directly code-sign the native library. Instead, you need to code-sign the entire JAR file. Here are the steps to do it:
- Extract the JAR Contents:
  - Extract the contents of the JAR file to access the *.jnilib file.
  - Example command:

    ```bash
    jar xf yourfile.jar
    ```

- Code-Sign the *.jnilib File:
  - Follow the steps mentioned earlier to code-sign the *.jnilib file using your Apple Developer certificate.
  - After signing the *.jnilib file, repackage the JAR file with the signed library.
  - Example command:

    ```bash
    jar cf newfile.jar -C extracted_folder .
    ```

- Code-Sign the JAR File:
  - Use the jarsigner tool to sign the entire JAR file. Here’s an example command:

    ```bash
    jarsigner -keystore /path/to/keystore newfile.jar alias_name
    ```

  - -keystore: Specifies the keystore containing your signing key.
  - newfile.jar: The JAR file you want to sign.
  - alias_name: The alias for your signing key in the keystore.
- Verify the Signed JAR File:
  - Verify the signature with:

    ```bash
    jarsigner -verify newfile.jar
    ```
By following these steps, you can ensure that both the *.jnilib file and the entire JAR file are correctly signed and ready for distribution.