How to Embed JavaAppLauncher to sandbox for App Store

Question

I'm trying to send a Java application to the MacOS X App Store. All my code is correctly signed (jars, dylib, etc). Unfortunately, when sending the binary, I always get an "Invalid Binary" error with the following message:

Dear developer, We have discovered one or more issues with your recent delivery for "tamaggo ibi desktop". To process your delivery, the following issues must be corrected: App sandbox not enabled - The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list. Refer to the App Sandbox page for more information on sandboxing your app. • tamaggo ibi.app/Contents/MacOS/JavaAppLauncher Once these issues have been corrected, go to the Version Details page and click "Ready to Upload Binary." Continue through the submission process until the app status is "Waiting for Upload." You can then deliver the corrected binary. Regards, The App Store team

I Googled this for an entire day but didn't find anything. Does anybody have a clue how to sandbox the JavaAppLauncher in the .entitlements file ?

In order to give more informations, here is how I'm signing the code: /usr/bin/codesign --resource-rules desktop-app/target/dist/myApp/Contents/ResourceRules.plist --verbose --force --sign "3rd Party Mac Developer Application: XXX" desktop-app/target/dist/myApp

find desktop-app/target/dist/myApp.app/Contents/ -type f \( -name "*.jnilib" -or -name "*.jar" -or -name "*.dylib" \) -exec codesign --resource-rules desktop-app/target/dist/myApp.app/Contents/ResourceRules.plist --verbose -f -s "3rd Party Mac Developer Application: XXX" --entitlements desktop-app/target/dist/myApp.app/Contents/myApp.entitlements {} \;

codesign --resource-rules desktop-app/target/dist/myApp.app/Contents/ResourceRules.plist --verbose --force --sign "3rd Party Mac Developer Application: XXX" desktop-app/target/dist/myApp.app/Contents/Resources/binaries/ffmpeg

codesign --resource-rules desktop-app/target/dist/myApp.app/Contents/ResourceRules.plist --verbose --force --sign "3rd Party Mac Developer Application: XXX" desktop-app/target/dist/myApp.app/Contents/MacOS/JavaAppLauncher

Answer 1

We've had a java app on the MAS since late summer 2012. I think we were the first java app on the store (more info at infinitekind.com).

I think one issue is how you are signing. To be accepted on the app store you'll need to bundle a JDK. This can be done using the appbundler ant task. We've created a fork of this with a few improvements since the official one seems to be stagnant and not accepting updates:

https://bitbucket.org/infinitekind/appbundler

We've also created a fork of the OpenJDK with a couple of minor fixes that were dealbreakers (menu item keyboard shortcut issues) for us. These may now have been incorporated into the mainline OpenJDK, but I don't think so.

https://bitbucket.org/infinitekind/openjdk7u-jdk

Anyway, the above two items may not be necessary in your case, but that's how we did it and it worked. I think the real problem is what you are signing and in which order. Here's what we do and it's been accepted for five update submissions now:

  # sign all the jar and dylib files (signing jars is apparently not required by apple, but should be!)
  find "Path/To/App/AppName.app/Contents" -type f \( -name "*.jar" -or -name "*.dylib" \) -exec codesign -f -s '3rd Party Mac Developer Application: YourCompanyName' --entitlements 'path/to/AppName.entitlements' {} \;

  # Sign the JDK plugin
  codesign --verbose -f -s '3rd Party Mac Developer Application: YourCompanyName' --entitlements 'path/to/AppName.entitlements' "Path/To/App/AppName.app/Contents/Plugins/jdk"

  # sign the whole bundle
  codesign --verbose -f -s '3rd Party Mac Developer Application: YourCompanyName' --entitlements 'path/to/AppName.entitlements' "Path/To/App/AppName.app"

Hope this isn't too late to be helpful!