Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Two counterpoints:

* AdoptOpenJDK releases that were notarized some months ago are no longer accepted by Apple since they made the rules even more stringent. I had releases accepted by Apple that are not accepted today using the same AdoptOpenJDK binaries.

* Apple's notarization rules are not global. There's whitelists for given companies/institutions/apps/files which means the same dylib might not have to be notarized by a bigger player but will have to be codesigned by you.

The above happened to me in the span of less than 3 months I think?

Indeed, the scripts I use per se to do the notarization are about the same as originally.



Do you have more details about this?


I think I gave quite some details. Do you need the exact AdoptOpenJDK version (11.0.5+10 for macOS)?

And I made a test about the non-global rules too (by trying to submit the same binary and getting rejected).


Apple may have stepped up notarization requirements, but I never heard them be inconsistent across developers. Are you sure you submitted the same binary? Nothing different about the signing or bundle layout?


Well, I would love to know how to change the bundle layout to have to sign less.

My notes are here: https://www.patreon.com/posts/34472331

You can take the same Apache-NetBeans-11.3-bin-macosx.dmg and see how you could submit it with your own key.

I guess there may be different rules on a .pkg vs .app in a DMG but it seems silly since the user gets the same bits on disk.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: