8276837: [macos]: Error when signing the additional launcher
Reviewed-by: asemenyuk, almatvee
Andy Herrick committed Dec 2, 2021
1 parent 3d98ec1 commit 7696897932a35708b1632517127c1a3a59919878
Showing 3 changed files with 47 additions and 31 deletions.
@@ -593,7 +593,6 @@ public static void addNewKeychain(Map<String, ? super Object> params)
Log.error(I18N.getString("message.keychain.error"));
return;
}

boolean contains = keychainList.stream().anyMatch(
str -> str.trim().equals("\""+keyChainPath.trim()+"\""));
if (contains) {
@@ -608,7 +607,9 @@ public static void addNewKeychain(Map<String, ? super Object> params)
if (path.startsWith("\"") && path.endsWith("\"")) {
path = path.substring(1, path.length()-1);
}
keyChains.add(path);
if (!keyChains.contains(path)) {
keyChains.add(path);
}
});

List<String> args = new ArrayList<>();
@@ -682,27 +683,23 @@ static void signAppBundle(
Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString()));
} else {
List<String> args;
// runtime and Framework files will be signed below
// but they need to be unsigned first here
if ((p.toString().contains("/Contents/runtime")) ||
(p.toString().contains("/Contents/Frameworks"))) {

args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--remove-signature", p.toString()));
try {
Set<PosixFilePermission> oldPermissions =
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);
Files.setPosixFilePermissions(p,oldPermissions);
} catch (IOException ioe) {
Log.verbose(ioe);
toThrow.set(ioe);
return;
}
// unsign everything before signing
List<String> args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--remove-signature", p.toString()));
try {
Set<PosixFilePermission> oldPermissions =
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
// run quietly
IOUtils.exec(pb, false, null, false,
Executor.INFINITE_TIMEOUT, true);
Files.setPosixFilePermissions(p,oldPermissions);
} catch (IOException ioe) {
Log.verbose(ioe);
toThrow.set(ioe);
return;
}
args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
@@ -727,7 +724,9 @@ static void signAppBundle(
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);
// run quietly
IOUtils.exec(pb, false, null, false,
Executor.INFINITE_TIMEOUT, true);
Files.setPosixFilePermissions(p, oldPermissions);
} catch (IOException ioe) {
toThrow.set(ioe);
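Review bot: In the unsign step of signAppBundle, `Files.setPosixFilePermissions(p,oldPermissions)` runs only when `IOUtils.exec` returns normally, so an IOException from the codesign call leaves the file owner-writable after `p.toFile().setWritable(true, true)`. Because this commit drops the runtime/Frameworks condition and unsigns every file, that failure path now covers the whole bundle. Restoring the mode in a finally closes it: `try { IOUtils.exec(pb, false, null, false, Executor.INFINITE_TIMEOUT, true); } finally { Files.setPosixFilePermissions(p, oldPermissions); }`. The signing step in the following hunk has the same shape, and both calls now pass the quiet flag, so it is worth confirming that codesign's output still reaches the log when the call fails. signAppBundle starts and ends outside these hunks.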
@@ -190,14 +190,24 @@ static void exec(ProcessBuilder pb, boolean testForPresenceOnly,
static void exec(ProcessBuilder pb, boolean testForPresenceOnly,
PrintStream consumer, boolean writeOutputToFile, long timeout)
throws IOException {
exec(pb, testForPresenceOnly, consumer, writeOutputToFile,
Executor.INFINITE_TIMEOUT, false);
}

static void exec(ProcessBuilder pb, boolean testForPresenceOnly,
PrintStream consumer, boolean writeOutputToFile,
long timeout, boolean quiet) throws IOException {
List<String> output = new ArrayList<>();
Executor exec = Executor.of(pb).setWriteOutputToFile(writeOutputToFile)
.setTimeout(timeout).setOutputConsumer(lines -> {
lines.forEach(output::add);
if (consumer != null) {
output.forEach(consumer::println);
}
});
Executor exec = Executor.of(pb)
.setWriteOutputToFile(writeOutputToFile)
.setTimeout(timeout)
.setQuiet(quiet)
.setOutputConsumer(lines -> {
lines.forEach(output::add);
if (consumer != null) {
output.forEach(consumer::println);
}
});

if (testForPresenceOnly) {
exec.execute();
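Review bot: The five-argument `exec` overload no longer honours its `timeout` parameter: it delegates with `Executor.INFINITE_TIMEOUT`, so a caller that passes a finite timeout would now wait indefinitely on a hung child process. Pass the parameter through instead: `exec(pb, testForPresenceOnly, consumer, writeOutputToFile, timeout, false);`. The new six-argument overload would also benefit from a short comment on `quiet` stating what is suppressed, since the signing code relies on it. The body of that overload continues past the end of the hunk.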
@@ -24,6 +24,7 @@
import java.nio.file.Path;
import jdk.jpackage.test.JPackageCommand;
import jdk.jpackage.test.Annotations.Test;
import jdk.jpackage.test.AdditionalLauncher;

/**
* Tests generation of app image with --mac-sign and related arguments. Test will
@@ -65,11 +66,17 @@ public static void test() throws Exception {
cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
SigningBase.DEV_NAME, "--mac-signing-keychain",
SigningBase.KEYCHAIN);

AdditionalLauncher testAL = new AdditionalLauncher("testAL");
testAL.applyTo(cmd);
cmd.executeAndAssertHelloAppImageCreated();

Path launcherPath = cmd.appLauncherPath();
SigningBase.verifyCodesign(launcherPath, true);

Path testALPath = launcherPath.getParent().resolve("testAL");
SigningBase.verifyCodesign(testALPath, true);

Path appImage = cmd.outputBundle();
SigningBase.verifyCodesign(appImage, true);
SigningBase.verifySpctl(appImage, "exec");
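Review bot: The launcher name `"testAL"` is written twice in `test()`, once in `new AdditionalLauncher("testAL")` and once in `resolve("testAL")`, so the launcher that is built and the path that is verified can drift apart on a later edit. Hold the name in one local, e.g. `final String alName = "testAL";`, and use it in both places. A one-line comment above `SigningBase.verifyCodesign(testALPath, true)` saying that the additional launcher must carry its own valid signature would record why the assertion was added. `test()` starts and ends outside the hunk.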

3 comments on commit 7696897


@openjdk-notifier openjdk-notifier bot commented on 7696897 Dec 2, 2021



@GoeLin GoeLin commented on 7696897 Jul 19, 2022


/backport jdk17u-dev


@openjdk openjdk bot commented on 7696897 Jul 19, 2022


@GoeLin the backport was successfully created on the branch GoeLin-backport-76968979 in my personal fork of openjdk/jdk17u-dev. To create a pull request with this backport targeting openjdk/jdk17u-dev:master, just click the following link:

➡️ Create pull request

The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:

Hi all,

This pull request contains a backport of commit 76968979 from the openjdk/jdk repository.

The commit being backported was authored by Andy Herrick on 2 Dec 2021 and was reviewed by Alexey Semenyuk and Alexander Matveev.

Thanks!

If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk17u-dev:

$ git fetch https://github.com/openjdk-bots/jdk17u-dev GoeLin-backport-76968979:GoeLin-backport-76968979
$ git checkout GoeLin-backport-76968979
# make changes
$ git add paths/to/changed/files
$ git commit --message 'Describe additional changes made'
$ git push https://github.com/openjdk-bots/jdk17u-dev GoeLin-backport-76968979
