Class CodesignPkgMojo

java.lang.Object
network.ike.plugin.CodesignPkgMojo
All Implemented Interfaces:
org.apache.maven.api.plugin.Mojo

@Mojo(name="codesign-pkg", defaultPhase="verify", projectRequired=true)
public class CodesignPkgMojo extends Object implements org.apache.maven.api.plugin.Mojo
Re-sign the .app bundle inside a jpackage-produced .pkg installer to add macOS entitlements required by the JVM.

This workaround exists because of JDK-8358723: jpackage --mac-sign in older JDKs signs the main launcher and nested runtime binaries without entitlements, so the JVM's JIT entitlements (com.apple.security.cs.allow-jit, etc.) are missing. Without them the JVM crashes immediately on Apple Silicon with EXC_BREAKPOINT in pthread_jit_write_protect_np.

The fix for JDK-8358723 is backported to JDK 25.0.2+ via JDK-8369477 (OpenJDK 25.0.2 Jan 2026 CPU; Oracle JDK 25.0.3 Apr 2026 CPU) and is present in JDK 26 mainline. On those JDKs jpackage signs correctly, and re-signing on top produces a signature variant that macOS 26.4's notary rejects. This goal therefore auto-skips on JDK 25.0.2 or newer.

This goal post-processes the .pkg (only on JDK < 25.0.2):

  1. Expands the .pkg with pkgutil --expand
  2. Extracts the Payload (gzip + cpio archive)
  3. Re-signs the main executable and .app bundle with entitlements
  4. Repacks the Payload and regenerates the BOM
  5. Flattens the .pkg with pkgutil --flatten
  6. Signs the .pkg with productsign

Bind this goal after jpackage but before notarization:

<execution>
    <id>codesign-pkg</id>
    <phase>verify[0.5]</phase>
    <goals><goal>codesign-pkg</goal></goals>
    <configuration>
        <entitlementsFile>${project.basedir}/src/main/resources/installer/resourceDir_unix/default.plist</entitlementsFile>
    </configuration>
</execution>

On non-macOS platforms the goal skips silently. Set -Dcodesign.pkg.forceWorkaround=true to run the re-sign on JDK 25.0.2+ (debugging only).
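
The skip rules above as a shell check a build script can run before notarization, together with a test that a signed binary's entitlements include com.apple.security.cs.allow-jit. This is an added example, not the plugin's code; the function names, the constructed sample plist and the reading that forceWorkaround does not override the non-macOS skip are assumptions of this example.

```shell
#!/bin/sh
# jdk_has_fix VERSION: exit 0 when VERSION is 25.0.2 or newer.
# Accepts "21.0.5", "25", "25.0.2+10", "26-ea". The ( ) body is a subshell,
# so the IFS change does not leak to the caller.
jdk_has_fix() (
    v=${1%%[+-]*}                 # drop build or pre-release suffix
    IFS=.
    set -- $v                     # split on dots into $1 $2 $3
    major=${1:-0} minor=${2:-0} patch=${3:-0}
    [ "$major" -gt 25 ] && return 0
    [ "$major" -lt 25 ] && return 1
    [ "$minor" -gt 0 ] && return 0
    [ "$patch" -ge 2 ]
)

# workaround_applies OS VERSION [FORCE]: exit 0 when the re-sign would run.
# OS is the output of `uname -s`; FORCE mirrors -Dcodesign.pkg.forceWorkaround.
workaround_applies() {
    [ "$1" = "Darwin" ] || return 1         # non-macOS: goal skips
    [ "${3:-false}" = "true" ] && return 0  # forced re-sign (debugging only)
    ! jdk_has_fix "$2"                      # JDK 25.0.2+ already signs correctly
}

# has_jit_entitlement: read an entitlements plist (XML) on stdin and exit 0
# when the allow-jit key is present and set to <true/>.
# On macOS, feed it with (path is a placeholder):
#   codesign -d --entitlements - --xml "<launcher inside the .app>"
has_jit_entitlement() {
    tr -d ' \t\n' |
        grep -qF '<key>com.apple.security.cs.allow-jit</key><true/>'
}

# Constructed sample plist, not taken from a real bundle.
sample_entitlements() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
</dict>
</plist>
EOF
}

for v in 21.0.5 25.0.1 25.0.2+10 26-ea; do   # constructed version strings
    if workaround_applies Darwin "$v"; then r="re-sign"; else r="skip"; fi
    echo "JDK $v: $r"
done
```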

  • Constructor Details

    • CodesignPkgMojo

      public CodesignPkgMojo()
      Creates this goal instance.
  • Method Details

    • getLog

      protected org.apache.maven.api.plugin.Log getLog()
      Access the Maven logger.
      Returns:
      the logger
    • execute

      public void execute() throws org.apache.maven.api.plugin.MojoException
      Specified by:
      execute in interface org.apache.maven.api.plugin.Mojo
      Throws:
      org.apache.maven.api.plugin.MojoException