temurin-build: Mac builds failing due to sign_installer Notarization "Not signed" errors
https://ci.adoptium.net/job/build-scripts/job/release/job/sign_installer/9894/console
Notarization failed: {"uuid":"b9809b86-4789-4655-937c-d3895b9bbafe","notarizationStatus":{"status":"ERROR","message":"Notarization has failed on Apple notarization service","moreInfo":"Failed to notarize the requested file (status=Invalid). Error code=OptionalInt.empty. Reason: Optional.empty","log":
{
  "logFormatVersion": 1,
  "jobId": "b868a917-04c1-4e28-b5dd-5fb0d6bb37a5",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg",
  "uploadDate": "2023-10-10T08:57:27.708Z",
  "sha256": "c6c5eef2408ff9160a140a2d59b90fdffcec3d44d783a5e824932b8b42d538b8",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libdt_socket.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
      "architecture": "arm64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "OpenJDK17U-jdk_aarch64_mac_hotspot_17.0.8.1_1-5618895206704016833.pkg/net.temurin.17.jdk.pkg Contents/Payload/Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home/jmods/jdk.jdwp.agent.jmod/lib/libdt_socket.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087733",
Examining the .dylibs shows they look as though they are signed, but the Notarization service seems not to think so…
About this issue
- State: open
- Created 9 months ago
- Comments: 69 (69 by maintainers)
The root cause seems to be that the JMOD .dylibs were getting re-built in the 2nd make phase after the Eclipse signing. The reason for this is a different version of gmake being picked up on the aarch64 Mac nodes, due to a change last week to add /opt/homebrew/bin to the PATH. It seems it now uses gmake 4.4.1 from /opt/homebrew/bin as opposed to previously gmake 3.8.1 from /usr/bin, and with this new version for some reason the 2nd make phase causes a rebuild of the .dylibs, which then causes an "adhoc" signing by the openjdk make files, resulting in the Notary failure in the sign_installer job.
For the moment the solution is to revert to now using the /opt/homebrew/bin PATH on the build nodes.
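As an added example (not part of this comment, and not temurin-build's own sign.sh or sign_build job), the check below reproduces what the notary applied to libdt_socket.dylib: it classifies `codesign -dvv` output as unsigned, ad-hoc, Developer ID without a secure timestamp, or Developer ID with a timestamp, and walks both Contents/Home/lib and the lib/ directory inside every jmod, since the notary looks inside the jmods. The image layout (Contents/Home/{lib,jmods,bin/jmod}), the sample codesign output and the team name in it are assumptions; the filesystem audit needs macOS codesign and the image's own jmod tool, while the classifier runs anywhere.

```shell
#!/bin/sh
# Added example, not temurin-build's sign.sh: audit the signatures the notary
# will check on a macOS JDK image, including the dylibs packed inside jmods.
# Assumed layout: <JDK>/Contents/Home/{lib,jmods,bin/jmod}; the filesystem
# audit requires macOS codesign and the image's own jmod tool.

# Classify one binary's signature from `codesign -dvv <file>` output on stdin.
# Prints one of: unsigned | adhoc | not-developer-id | no-timestamp | developer-id
classify_codesign_output() {
    out=$(cat)
    case "$out" in
        *"not signed at all"*)            echo unsigned; return 0 ;;
        *"Signature=adhoc"*|*"(adhoc)"*)  echo adhoc;    return 0 ;;
    esac
    # A Developer ID signature carries an Authority chain; an ad-hoc one has none.
    if ! printf '%s\n' "$out" | grep -q '^Authority=Developer ID Application:'; then
        echo not-developer-id; return 0
    fi
    # codesign only prints a Timestamp= line when a secure timestamp is embedded.
    if ! printf '%s\n' "$out" | grep -q '^Timestamp='; then
        echo no-timestamp; return 0
    fi
    echo developer-id
}

# Check one Mach-O file on disk; prints "<status> <path>", succeeds only for developer-id.
# codesign -d writes its report to stderr, hence 2>&1.
check_dylib() {
    status=$(codesign -dvv "$1" 2>&1 | classify_codesign_output)
    printf '%s\t%s\n' "$status" "$1"
    [ "$status" = developer-id ]
}

# Audit <JDK>/Contents/Home: lib/*.dylib plus lib/*.dylib inside every jmod.
# A .jmod is not a plain zip (it has a "JM" header), so use the jmod tool to extract.
audit_jdk_home() {
    home=$1; rc=0
    tmp=$(mktemp -d)
    find "$home/lib" \( -name '*.dylib' -o -name '*.jnilib' \) > "$tmp/list"
    for jm in "$home"/jmods/*.jmod; do
        [ -f "$jm" ] || continue
        dir="$tmp/$(basename "$jm")"
        "$home/bin/jmod" extract --dir "$dir" "$jm"
        [ -d "$dir/lib" ] && find "$dir/lib" -name '*.dylib' >> "$tmp/list"
    done
    while IFS= read -r f; do
        check_dylib "$f" || rc=1
    done < "$tmp/list"
    rm -rf "$tmp"
    return $rc
}

# Constructed codesign output (not captured from a real build) for an ad-hoc
# signed libdt_socket.dylib, the case from the notary log, and for a good one.
SAMPLE_ADHOC='Executable=/tmp/lib/libdt_socket.dylib
Identifier=libdt_socket
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12'

SAMPLE_DEVID='Executable=/tmp/lib/libdt_socket.dylib
Identifier=libdt_socket
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x10000(runtime) hashes=30+2 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Org (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=10 Oct 2023 at 08:57:27
Info.plist=not bound
TeamIdentifier=ABCDE12345
Runtime Version=11.0.0
Sealed Resources=none
Internal requirements count=1 size=172'

classify_sample() { printf '%s\n' "$1" | classify_codesign_output; }

# Stand-alone: audit a JDK home if one is given, otherwise classify the samples.
if [ "$#" -gt 0 ]; then
    audit_jdk_home "$1"
else
    printf 'sample ad-hoc:       %s\n' "$(classify_sample "$SAMPLE_ADHOC")"
    printf 'sample developer-id: %s\n' "$(classify_sample "$SAMPLE_DEVID")"
fi
```

Run as `sh audit.sh /path/to/temurin-17.jdk/Contents/Home` before the .pkg is handed to sign_installer; a non-zero exit means at least one dylib would fail the notary for exactly the reasons in the log above. Re-signing a dylib that lives inside a jmod only helps if the jmod is rebuilt afterwards, because the notary inspects the copy inside the archive, not a loose file.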
We do however need to have a better look at the JMOD signing process, which currently relies on the 2nd make phase just packaging up the .dylibs into the image without rebuilding anything, which can't be guaranteed. A better solution would be to add the JMOD dylib signing to the sign_build job, which currently just signs the jdk image /Contents/Home/lib dylibs.
My thoughts on a better solution are to change Mac (& Windows) back to a single make process like all the other platforms, and move the JMOD signing to the sign_build job post build.
i.e. into here: https://github.com/adoptium/temurin-build/blob/master/sign.sh And instead do:
looks consistent with the aarch64 errors, but other dylibs are involved.