Now that the jar files in the p2 repo are signed, we also want to sign the Mac App that is available for download.

Triquetrum RC1 Mac Installer is from an unknown developer
eclipse-macsigner-plugin docs
Re: [cbi-dev] OS X application signing
- "You need to change your pom to be sure the CBI signer plugins are executed *before* the "archive-products" step."

From Triquetrum RC1 Mac Installer is from an unknown developer by Erwin:

"There is some info and examples on signing applications during the build being discussed on cbi-dev : http://dev.eclipse.org/mhonarc/lists/cbi-dev/msg01776.html"

"There are win and mac signer plugins that can be configured in the pom."

"It would seem this is something different from signing individual jars."

"Info on those executables signing plugins :"

"https://www.eclipse.org/cbi/sitedocs/eclipse-winsigner-plugin/plugin-info.html"

"https://www.eclipse.org/cbi/sitedocs/eclipse-macsigner-plugin/plugin-info.html"

"And on CBI in general :"

"http://www.eclipse.org/community/eclipse_newsletter/2013/august/article3.php"

JNI_CreateJavaVM

macOS: The JVM shared library ... does not contain the JNI_CreateJavaVM symbol:

When I download the 0.4.0M1 macOS zip file, unzip and run

   open triquetrum-0.4.0M1.app

a dialog pops up that states:

"The JVM shared library "/Library/Java/JavaVirtualMachines/jdk-14.0.2.jdk/Contents/Home/bin/..lib/server/libjvm.dylib" does not contain the JNI_CreateJavaVM symbol."

This seems to be a signing problem. I saw a similar issue earlier with the 0.3.1 installer.

Searching results in these hits:

Bug 558570 - Native launcher doesn't launch on MacOSX with Java 13
Bug 481059 - Cannot install Eclipse on Mac
- Suggests Mac OS, JDK1.7 (and 1.8) does not contain the JNI_CreateJavaVM symbol
  - Adding
    - <key>JVMCapabilities</key>
    - <string>JNI</string>
    - did not work, but it could be because edits to Info.plist are ignored.
      - Bug 481059 - Cannot install Eclipse on Mac (edit)
        "As the installer from 2019-09 onwards is notarized, modifying plist will corrupt eclipse installation prompting Mac's gatekeeper security software to block eclipse."
  - OS X JDK 1.7 failing to load #90
    - "add JNI as an option in JVMCapabilities"
    - Bug 411361 - [Mac] Kepler doesn't launch without JRE 6, even if JDK 7 is installed

Entitlements

IT Infrastructure Doc -> macOS signing:
- "macOS signing"
- "To sign the macOS executables use the eclipse-macsigner-plugin"
  <plugin>

     <groupId>org.eclipse.cbi.maven.plugins</groupId>
     <artifactId>eclipse-macsigner-plugin</artifactId>
     <version>${cbi-version}</version>
     <executions>
       <execution>
         <id>sign</id>
         <goals>
           <goal>sign</goal>
         </goals>
         <phase>package</phase>
         <configuration>
           <signFiles>
             <signFile>${project.build.directory}/products/${product-folder}/macosx/cocoa/x86_64/Eclipse.app</signFile>
           </signFiles>
           <timeoutMillis>300000</timeoutMillis> 
           <continueOnFail>${macSigner.forceContinue}</continueOnFail>
           <entitlements>${project.basedir}/application.entitlement</entitlements>
         </configuration>
       </execution>
     </executions>
   </plugin>

"Entitlements"
"The security guidelines for macOS application development requires the definition of Entitlements to grant an executable permission to use a service or technology. The entitlements used by the Eclipse Platform are defined here"

eclipse.platform.releng.tychoeclipsebuilder/sdk/pom.xml has

         <plugin>
            <groupId>org.eclipse.cbi.maven.plugins</groupId>
            <artifactId>eclipse-macsigner-plugin</artifactId>
            <version>${cbi-plugins.version}</version>
            <executions>
              <execution>
                <goals>
                  <goal>sign</goal>
                </goals>
                <phase>package</phase>
                <configuration>
                  <timeoutMillis>300000</timeoutMillis> <!-- 5 min -->
                  <continueOnFail>${macSigner.forceContinue}</continueOnFail>
                  <entitlements>${project.basedir}/../entitlement/sdk.entitlement</entitlements>
                  <signerUrl>http://172.30.206.146:8282/macosx-signing-service/1.0.1-SNAPSHOT</signerUrl>
                </configuration>
              </execution>
            </executions>
          </plugin>

eclipse-platform-parent/pom.xml sets

   <cbi-plugins.version>1.1.8-SNAPSHOT</cbi-plugins.version>

eclipse.platform.releng.tychoeclipsebuilder/entitlement has three entitlement files that are all the same:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict>

      <key>com.apple.security.cs.allow-jit</key>
      <true/>
      <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
      <true/>
      <key>com.apple.security.cs.disable-executable-page-protection</key>
      <true/>
      <key>com.apple.security.cs.allow-dyld-environment-variables</key>
      <true/>
      <key>com.apple.security.cs.disable-library-validation</key>
      <true/>
      <key>com.apple.security.cs.debugger</key>
      <true/>

</dict>

  </plist>

So, it would seem that the solution is to update the cbi version number and to add an entitlement file.

EclipseAndSigningMacApps

JNI_CreateJavaVM

Entitlements