Add macOS arm64 DMG installer build script#392
Open
Altair-Bueno wants to merge 1 commit into
Open
Conversation
Mirrors distribution/windows/build-windows-installers.ps1 to produce JSignPdf-<version>-mac-aarch64.dmg via jpackage. Avoids the cross-platform fat-jar JavaFX classifier collision (intoolswetrust#391) by staging the thin app jar plus jsignpdf/target/dependency/ and filtering out wrong-platform classifier jars (-win.jar, -linux.jar, -mac.jar) at build time, keeping only -mac-aarch64.jar. Reuses the shared distribution/jpackage/common-jvm-options.txt for PKCS#11 access flags and explicitly enumerates the runtime modules so jdk.crypto.cryptoki and the standard java.se aggregator are included. Refs intoolswetrust#391 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds an initial macOS Apple Silicon (arm64) distribution path by introducing a jpackage-based DMG build script that packages JSignPdf from the thin jar plus dependency jars (avoiding the OpenJFX classifier collision that breaks the shaded fat jar on Apple Silicon).
Changes:
- Add
distribution/macos/build-macos-installers.shto build an arm64.appand.dmgviajpackage. - Stage app payload from the thin jar +
jsignpdf/target/dependency/, filtering out non-macOS classifier jars. - Generate a macOS
.icnsicon at build time and reuse shared JVM options fromdistribution/jpackage/common-jvm-options.txt.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| VERSION="" | ||
| while [[ $# -gt 0 ]]; do | ||
| case "$1" in | ||
| --version) VERSION="${2:-}"; shift 2 ;; |
Comment on lines
+8
to
+12
| # Prerequisites on the build machine: | ||
| # * macOS on Apple Silicon (arm64) | ||
| # * JDK 17+ on PATH (provides jpackage) | ||
| # * jsignpdf and installcert modules already built: | ||
| # mvn -B -DskipTests -pl jsignpdf,installcert -am package |
Comment on lines
+56
to
+63
| # non-numeric suffix (e.g. "-RC1", "-SNAPSHOT") and keep up to three numeric | ||
| # components. $VERSION itself is preserved for release-tag-aligned filenames. | ||
| APP_VERSION=$(echo "$VERSION" \ | ||
| | sed -E 's/[^0-9.].*$//' \ | ||
| | awk -F. '{ | ||
| n = (NF > 3 ? 3 : NF); | ||
| for (i = 1; i <= n; i++) printf("%s%s", (i>1?".":""), $i); | ||
| printf("\n"); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
distribution/macos/build-macos-installers.sh, ajpackage-based build script that produces a macOS Apple Silicon DMG installer for JSignPdf. Mirrors the existingdistribution/windows/build-windows-installers.ps1pattern and reuses the shareddistribution/jpackage/common-jvm-options.txt.This is the first packaged macOS distribution for JSignPdf — until now Mac users had to run the shaded fat jar manually, which is broken on Apple Silicon (see #391).
Closes #391.
Motivation
The published
jsignpdf-<version>-jar-with-dependencies.jarcannot launch JavaFX on Apple Silicon Macs because themaven-shade-pluginflattens the OpenJFXmac(x86_64) andmac-aarch64classifier jars together — they share internal paths (e.g.libprism_es2.dylib), so one overwrites the other and only x86_64 dylibs survive in the fat jar. At runtimedlopen()rejects the wrong-arch dylib and JavaFX dies withNo toolkit found. Full reproduction and root cause are documented in #391.This PR doesn't try to fix the cross-platform fat-jar problem itself (that's a separate decision involving distribution strategy). Instead it sidesteps it by never building a fat jar for macOS —
jpackageconsumes the thin app jar plus individual dependency jars, so eachorg.openjfxclassifier dep stays in its own jar and JavaFX'sNativeLibLoaderresolves the correct architecture at runtime.What changed
One new file:
distribution/macos/build-macos-installers.sh(~220 lines, executable).The script:
Stages from the thin jar +
jsignpdf/target/dependency/. Themaven-dependency-plugin:copy-dependenciesexecution already injsignpdf/pom.xmlproduces this directory at thepackagephase. No build-graph changes were needed.Filters wrong-platform classifier jars. Excludes
*-win.jar,*-linux.jar,*-mac.jarfrom the staged set; keeps platform-neutral jars and*-mac-aarch64.jar. Without this, JavaFX could resolve the wrong-arch dylib at startup even outside a fat jar.Generates a
.icnsat build time fromdistribution/linux/flatpak/jsignpdf.png(512×512) usingsips+iconutil. No icon resource was added to the repo.Generates fresh
--add-launcherproperties files for the three secondary launchers (JSignPdf-swing,JSignPdfC,InstallCert) using only platform-neutral keys, so it doesn't rely ondistribution/jpackage/JSignPdfC.properties(which contains Windows-specificwin-console/win-shortcut).Explicitly enumerates the runtime modules.
jpackage --add-modulesreplaces (not extends) the auto-detected set. PKCS#11 (jdk.crypto.cryptoki) is reached only via the existing--add-exportsJVM options, sojdepscannot see the dependency. The script passes--add-modules java.se,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.security.auth,jdk.unsupported,jdk.localedatato guarantee hardware-token support and a complete Swing/AWT runtime.Reuses
distribution/jpackage/common-jvm-options.txtfor the same--add-exports/--add-opensset the Windows installer uses, keeping JVM options consistent across platforms.What was deliberately not changed
pom.xml(root) — untouched.jsignpdf/pom.xml— untouched. The cross-platform classifier-collision problem fromjar-with-dependenciesis unrunnable on Apple Silicon: contains x86_64 macOS JavaFX natives only #391 remains; that's a project-level distribution decision (see "Follow-up work" below) and is out of scope for this PR.distribution/windows/build-windows-installers.ps1— untouched.distribution/jpackage/common-jvm-options.txt— untouched (kept as the shared single source of truth).How to build and test locally
Prerequisites: macOS on Apple Silicon, JDK 17+ on
PATH(providesjpackage).Output:
distribution/target/upload/JSignPdf-3.0.1-mac-aarch64.dmg(~68 MB).Verified locally:
JSignPdf.app/Contents/app/contains onlymac-aarch64and platform-neutral JavaFX classifier jars; no-win.jar/-linux.jar/-mac.jar.Contents/MacOS/:JSignPdf,JSignPdf-swing,JSignPdfC,InstallCert.javafx-graphics-21.0.7-mac-aarch64.jarcleanly. The original "no suitable pipeline / no toolkit found" failure fromjar-with-dependenciesis unrunnable on Apple Silicon: contains x86_64 macOS JavaFX natives only #391 is gone.JSignPdfC --helpworks; theUnknown module: jdk.crypto.cryptokiwarning that's visible without explicit module enumeration is resolved.Known caveats / follow-up work
These are intentionally out of scope for this PR but worth tracking:
1. Code signing and notarization
The DMG is currently produced unsigned and unnotarized. End-users will see Gatekeeper warnings on first open ("JSignPdf cannot be opened because the developer cannot be verified" or similar) and have to right-click → Open, or run
xattr -dr com.apple.quarantine /Applications/JSignPdf.app.Adding signing requires:
--type pkgif added later).Once those are in place,
jpackageflags to add:Notarization is a separate step run after
jpackagefinishes:2. Intel (x86_64) build
This PR ships arm64 only.
jpackagedoes not cross-compile across Mac architectures — each arch must be built on its native host. An Intel DMG would require either an x86_64 macOS GitHub runner (macos-13and earlier are Intel;macos-14+ are arm64) or a separate dedicated builder. The script as-is can be reused on x86_64 by changing the architecture check at the top and the output filename suffix; no other changes needed.A "universal" DMG (containing both architectures via a fat app bundle) is technically possible with
lipo-merged JDK runtimes but is significantly more work and not standardjpackageoutput.3. CI integration
This PR adds the script but does not wire it into a GitHub Actions workflow. Mirroring
build-windows-installers.ps1's integration would mean adding a job that:macos-14(or newer arm64 image).releaseenforcer profile).mvn -B -DskipTests -pl jsignpdf,installcert -am package.distribution/macos/build-macos-installers.sh --version ${{ inputs.version }}.distribution/target/upload/JSignPdf-*-mac-aarch64.dmgas a release artifact.Happy to follow up with a separate PR for this once this script lands.
4. Underlying fat-jar problem (#391)
This PR works around the classifier-collision issue for macOS distribution but doesn't fix it for users who download the shaded jar directly. The four candidate fixes are listed in #391; whichever direction the project chooses, the script in this PR would still be the right way to build the macOS-native installer.