Cannot sign jar with .jnilib file inside it

Every time I run electron-osx-sign (through electron-forge) and then the notarization process I get the following errors:

{
  "logFormatVersion": 1,
  "jobId": "****",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "myapp.zip",
  "uploadDate": "****",
  "sha256": "****",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "myapp.zip/myapp.app/Contents/Resources/app.asar.unpacked/node_modules/elasticsearch/lib/jna-4.5.1.jar/com/sun/jna/darwin/libjnidispatch.jnilib",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "i386"
    },
    {
      "severity": "error",
      "code": null,
      "path": "myapp.zip/myapp.app/Contents/Resources/app.asar.unpacked/node_modules/elasticsearch/lib/jna-4.5.1.jar/com/sun/jna/darwin/libjnidispatch.jnilib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "i386"
    },
    {
      "severity": "error",
      "code": null,
      "path": "myapp.zip/myapp.app/Contents/Resources/app.asar.unpacked/node_modules/elasticsearch/lib/jna-4.5.1.jar/com/sun/jna/darwin/libjnidispatch.jnilib",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "myapp.zip/myapp.app/Contents/Resources/app.asar.unpacked/node_modules/elasticsearch/lib/jna-4.5.1.jar/com/sun/jna/darwin/libjnidispatch.jnilib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "myapp.zip/myapp.app/Contents/Resources/app.asar.unpacked/node_modules/elasticsearch/lib/jna-4.5.1.jar/com/sun/jna/darwin/libjnidispatch.jnilib",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64h"
    },
    {
      "severity": "error",
      "code": null,
      "path": "myapp.zip/myapp.app/Contents/Resources/app.asar.unpacked/node_modules/elasticsearch/lib/jna-4.5.1.jar/com/sun/jna/darwin/libjnidispatch.jnilib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64h"
    }
  ]
}

What’s basically happening is that the .jar has this .jnilib file that’s not being signed for some reason, but everything else is.

I would really appreciate some help with this issue.

The .jar can be found here (I had to zip it to upload it to GitHub): jna-4.5.1.zip

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 1
  • Comments: 10 (5 by maintainers)

Top GitHub Comments

3 reactions
sethlu commented, Jul 16, 2020

@b-zurg Thanks for coming up with the automated script! ❤️ This is great! I played around with the code today and integrated your procedure with the existing signing workflow.

The latest changes are available here: https://github.com/electron/electron-osx-sign/tree/traverse-archives

This should handle almost all zip-like archives (including jar files) and nested archives. All files in archives are treated mostly the same way as if they are not inside of an archive by electron-osx-sign, so the binary-like files should be picked up automatically (including dynamic libraries and shared objects). We can get nice logs with file paths like my.app/Contents/Resources/app.asar.unpacked/node_modules/elasticsearch/lib/jna-4.5.1.jar/com/sun/jna/darwin/libjnidispatch.jnilib (even though here libjnidispatch.jnilib doesn’t technically exist this way).


Currently it’s disabled by default, but one can opt in to the automation with the added flag --traverse-archives. I haven’t tested it by uploading any app to the notarization service. It will be great if you can help test it out 🙌

1 reaction
b-zurg commented, Jul 17, 2020

Ok I came across something very interesting:

WARNING: Code sign failed; please retry manually. Error: Command failed: unzip -d /var/folders/yx/vzstvm8j40q6ddn2d0_0hwy40000gn/T/tmp-785-0-uncompressed /var/folders/yx/vzstvm8j40q6ddn2d0_0hwy40000gn/T/electron-packager/darwin-x64/myApp-darwin-x64/myApp.app/Contents/Resources/elastic/jdk/Contents/Home/lib/security/public_suffix_list.dat
error:  cannot create /var/folders/yx/vzstvm8j40q6ddn2d0_0hwy40000gn/T/tmp-785-0-uncompressed/verm+�gensberater
        Illegal byte sequence
error:  cannot create /var/folders/yx/vzstvm8j40q6ddn2d0_0hwy40000gn/T/tmp-785-0-uncompressed/verm+�gensberatung
        Illegal byte sequence
error:  cannot create /var/folders/yx/vzstvm8j40q6ddn2d0_0hwy40000gn/T/tmp-785-0-uncompressed/+�++
        Illegal byte sequence
error:  cannot create /var/folders/yx/vzstvm8j40q6ddn2d0_0hwy40000gn/T/tmp-785-0-uncompressed/��
        Illegal byte sequence

I tried out this file public_suffix_list.dat just running unzip on it and it’s not a zip file. I think this procedure should only try out zip files that the unzip utility can verify as being valid zip files.

The best way to do this seems to be to run unzip -t FILE where FILE is the path to the file to test.

An example run:

zurg@zurgs-Mac .temp % unzip -t public_suffix_list.dat 
Archive:  public_suffix_list.dat
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of public_suffix_list.dat or
        public_suffix_list.dat.zip, and cannot find public_suffix_list.dat.ZIP, period.
zurg@zurgs-Mac .temp % echo $?
9
zurg@zurgs-Mac .temp % unzip -t HdrHistogram-2.1.9.jar 
Archive:  HdrHistogram-2.1.9.jar
    testing: META-INF/MANIFEST.MF     OK
    testing: META-INF/                OK
    testing: META-INF/maven/          OK
...
No errors detected in compressed data of HdrHistogram-2.1.9.jar.
zurg@zurgs-Mac .temp % echo $?                        
0

In this we can see that the first file exits with code 9 and the valid zip-like .jar file validates with exit code 0.

What do you think?
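
The validation proposed in the comment above can also be done in-process instead of spawning unzip. The following is an added example, not code from electron-osx-sign or from either commenter: it looks for the end-of-central-directory record whose absence unzip reports in the run above. The function names and the sample buffers are constructed for illustration.

```javascript
// Added example: accept a file for archive traversal only if it ends in a
// well-formed ZIP end-of-central-directory (EOCD) record.
const EOCD_SIGNATURE = 0x06054b50; // bytes "PK\x05\x06", little-endian
const EOCD_MIN_SIZE = 22;          // fixed part of the record
const MAX_COMMENT = 0xffff;        // optional trailing comment, max 65535 bytes
const ZIP64_MARKER = 0xffffffff;   // real value lives in the ZIP64 record

// Returns the offset of the EOCD record, or -1 when the buffer is not a ZIP.
function findEocd(buf) {
  if (buf.length < EOCD_MIN_SIZE) return -1;
  const lowest = Math.max(0, buf.length - EOCD_MIN_SIZE - MAX_COMMENT);
  for (let pos = buf.length - EOCD_MIN_SIZE; pos >= lowest; pos--) {
    if (buf.readUInt32LE(pos) !== EOCD_SIGNATURE) continue;
    const cdSize = buf.readUInt32LE(pos + 12);
    const cdOffset = buf.readUInt32LE(pos + 16);
    const commentLen = buf.readUInt16LE(pos + 20);
    // Strict: the comment must end exactly at end of file, which rejects a
    // stray "PK\x05\x06" sequence inside ordinary data.
    if (pos + EOCD_MIN_SIZE + commentLen !== buf.length) continue;
    // The central directory must sit entirely before the EOCD record.
    const zip64 = cdSize === ZIP64_MARKER || cdOffset === ZIP64_MARKER;
    if (!zip64 && cdOffset + cdSize > pos) continue;
    return pos;
  }
  return -1;
}

// files: [{ path, data: Buffer }]; returns the paths that look like ZIP archives.
function selectArchives(files) {
  return files.filter((f) => findEocd(f.data) !== -1).map((f) => f.path);
}

// Constructed sample inputs (not the real files named on the page).
const EMPTY_ZIP = Buffer.from([0x50, 0x4b, 0x05, 0x06, ...new Array(18).fill(0)]);
const PLAIN_TEXT = Buffer.from("// constructed suffix list\ncom\norg\nnet\n", "utf8");
const STRAY_SIGNATURE = Buffer.concat([Buffer.from("PK\x05\x06", "latin1"), Buffer.alloc(30, 0x78)]);

const SAMPLES = [
  { path: "lib/example.jar", data: EMPTY_ZIP },
  { path: "lib/security/public_suffix_list.dat", data: PLAIN_TEXT },
  { path: "lib/stray-signature.bin", data: STRAY_SIGNATURE },
];

console.log(selectArchives(SAMPLES)); // [ 'lib/example.jar' ]
```

This is a structural check only; unzip -t additionally decompresses each member and verifies its CRC, so the two are complementary rather than equivalent.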
