Add signing for mac osx.

[Siedlerchr]

First part of fixing #6154

• Sign and notarize dmg
• Sign and notarize pkg

Edit: We maybe should run the signing only on master?

• Change in CHANGELOG.md described (if applicable)
• Tests created for changes (if applicable)
• Manually tested changed features in running JabRef (always required)
• Screenshots added in PR description (for UI changes)
• Checked documentation: Is the information available and up to date? If not created an issue at https://github.com/JabRef/user-documentation/issues or, even better, submitted a pull request to the documentation repository.

[Siedlerchr]

windows seems to fail:

Running [C:\Program Files (x86)\WiX Toolset v3.11\bin\light.exe, -nologo, -spdb, -ext, WixUtilExtension, -out, D:\a\jabref\jabref\build\distribution\JabRef-5.1.30845.msi, -sice:ICE27, -ext, WixUIExtension, -loc, D:\a\jabref\jabref\build\installer\config\MsiInstallerStrings_en.wxl, -b, D:\a\jabref\jabref\build\installer\config, D:\a\jabref\jabref\build\installer\wixobj\main.wixobj, D:\a\jabref\jabref\build\installer\wixobj\bundle.wixobj]in D:\a\jabref\jabref\build\installer\images\win-msi.image\JabRef
D:\a\jabref\jabref\build\installer\config\main.wxs(85) : error LGHT0091 : Duplicate symbol 'Property:ARPPRODUCTICON' found. This typically means that an Id is duplicated. Check to make sure all your identifiers of a given type (File, Component, Feature) are unique.
D:\a\jabref\jabref\build\installer\config\main.wxs(147) : error LGHT0092 : Location of symbol related to previous error.
java.io.IOException: Command [C:\Program Files (x86)\WiX Toolset v3.11\bin\light.exe, -nologo, -spdb, -ext, WixUtilExtension, -out, D:\a\jabref\jabref\build\distribution\JabRef-5.1.30845.msi, -sice:ICE27, -ext, WixUIExtension, -loc, D:\a\jabref\jabref\build\installer\config\MsiInstallerStrings_en.wxl, -b, D:\a\jabref\jabref\build\installer\config, D:\a\jabref\jabref\build\installer\wixobj\main.wixobj, D:\a\jabref\jabref\build\installer\wixobj\bundle.wixobj]in D:\a\jabref\jabref\build\installer\images\win-msi.image\JabRef exited with 92 

[Siedlerchr]

@Gena928 @k3KAW8Pnf7mkmdSMPHz27
Can you please test this version here on mac?
The pgk and the dmg should now be signed correctly:
https://builds.jabref.org/pull/6748/merge/

(Just want to make sure that it works on your machines as well, because I have the certs already imported)

[Gena928]

Good day,
I was able to install JabRef using DMG & PKG files.
Unfortunately icons in dmg file are not in the center in the install frame.

But this looks much better now.

[Siedlerchr]

@Gena928 Yeah! glad to hear that it works now fine.
Regarding the icons, I think we need to copy over that script and adapt the sizes:

  if theFilePath is "DEPLOY_INSTALL_LOCATION" then
      -- Position install location
      set position of item theFile of theWindow to {390, 130}
    else
      -- Position application or runtime
      set position of item theFile of theWindow to {120, 130}
    end if

https://github.com/openjdk/jdk/blob/master/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/DMGsetup.scpt

[Gena928]

OK, let me know if you need my testing.
But I think the result is very good now. Nice work!

[k3KAW8Pnf7mkmdSMPHz27]

Awesome that you are working on this!

.pkg works as it should (signed and not notarized), but I don't know how to verify the signature of the .dmg.

spctl -t open --assess --verbose JabRef-5.1.dmg and spctl -a -t open --context context:primary-signature -v JabRef-5.1.dmg gives me

JabRef-5.1.dmg: rejected
source=Insufficient Context

and

JabRef-5.1.dmg: rejected
source=no usable signature

but I am guessing this is as it should be?

[Siedlerchr]

Thanks for the feedback, glad that the signing at least works so that no warning is displayed.
Notarization seems to be the next step after the build.
Requires additional handling, will look into it.
It's really confusing figuring out the certificate stuff

[k3KAW8Pnf7mkmdSMPHz27]

I get no error message related to signing from either the dmg or pkg.

A minor "nitpick" is that the pkg displays a warning for it not being notarized ("... can't be opened because Apple cannot check it for malicious software.")

[Siedlerchr]

Yeah, I noticed that too. I will try to setup the notarization workflow next. Then aftewards ist should be also possible to add it to the app store. Probably reqires another different certificate signing stuff

[tobiasdiez]

Why do we need to upgrade to 15?

[Siedlerchr]

Because of this bug https://bugs.openjdk.java.net/browse/JDK-8238184

[tobiasdiez]

Concerning the installation screen, the easiest option is probably to change the image.

[koppor]

Please fix #6748 (comment).

[Siedlerchr]

I think @Gena928 did the initial design of the install dialog. Need to find the original PR.
Personally, I don't see a big problem with using our modified version.

[Siedlerchr]

@k3KAW8Pnf7mkmdSMPHz27 Both the installer and the dmg should now be signed and notarized. Can you confirm that?
You can try the latest master when it's ready

[tobiasdiez]

@Siedlerchr please also add this PR in #5226 as I guess most of these changes can be reverted as soon as the corresponding upstream java bugs are fixed.