Skip to content
Permalink
Browse files
8276150: Quarantined jpackage apps are labeled as "damaged"
Reviewed-by: almatvee
  • Loading branch information
Andy Herrick committed Nov 19, 2021
1 parent a022796 commit 936f7ff49ed86adb74bb1ff10d93cb3d7f7d70a0
Show file tree
Hide file tree
Showing 2 changed files with 80 additions and 33 deletions.
@@ -329,7 +329,8 @@ public void prepareApplicationFiles(Map<String, ? super Object> params)
}

copyRuntimeFiles(params);
sign(params);

doSigning(params);
}

private void copyRuntimeFiles(Map<String, ? super Object> params)
@@ -355,7 +356,12 @@ private void copyRuntimeFiles(Map<String, ? super Object> params)
}
}

private void sign(Map<String, ? super Object> params) throws IOException {
private void doSigning(Map<String, ? super Object> params)
throws IOException {

// signing or not, unsign first ...
unsignAppBundle(params, root);

if (Optional.ofNullable(
SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) {
try {
@@ -647,7 +653,52 @@ public static void restoreKeychainList(Map<String, ? super Object> params)
IOUtils.exec(pb);
}

static void signAppBundle(
private static void unsignAppBundle(Map<String, ? super Object> params,
Path appLocation) throws IOException {

// unsign all dylibs and executables
try (Stream<Path> stream = Files.walk(appLocation)) {
stream.peek(path -> { // fix permissions
try {
Set<PosixFilePermission> pfp =
Files.getPosixFilePermissions(path);
if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) {
pfp = EnumSet.copyOf(pfp);
pfp.add(PosixFilePermission.OWNER_WRITE);
Files.setPosixFilePermissions(path, pfp);
}
} catch (IOException e) {
Log.verbose(e);
}
}).filter(p -> Files.isRegularFile(p) &&
(Files.isExecutable(p) || p.toString().endsWith(".dylib"))
&& !(p.toString().contains("dylib.dSYM/Contents"))
).forEach(p -> {
// If p is a symlink then skip.
if (Files.isSymbolicLink(p)) {
Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString()));
} else {
List<String> args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--remove-signature", p.toString()));
try {
Set<PosixFilePermission> oldPermissions =
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);
Files.setPosixFilePermissions(p,oldPermissions);
} catch (IOException ioe) {
Log.verbose(ioe);
return;
}
}
});
}
}

private static void signAppBundle(
Map<String, ? super Object> params, Path appLocation,
String signingIdentity, String identifierPrefix, Path entitlements)
throws IOException {
@@ -682,29 +733,7 @@ static void signAppBundle(
Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString()));
} else {
List<String> args;
// runtime and Framework files will be signed below
// but they need to be unsigned first here
if ((p.toString().contains("/Contents/runtime")) ||
(p.toString().contains("/Contents/Frameworks"))) {

args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--remove-signature", p.toString()));
try {
Set<PosixFilePermission> oldPermissions =
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);
Files.setPosixFilePermissions(p,oldPermissions);
} catch (IOException ioe) {
Log.verbose(ioe);
toThrow.set(ioe);
return;
}
}
args = new ArrayList<>();
List<String> args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--timestamp",
"--options", "runtime",
@@ -22,8 +22,11 @@
*/

import java.nio.file.Path;
import java.util.List;

import jdk.jpackage.test.JPackageCommand;
import jdk.jpackage.test.Annotations.Test;
import jdk.jpackage.test.Annotations.Parameters;

/**
* Tests generation of app image with --mac-sign and related arguments. Test will
@@ -57,21 +60,36 @@
*/
public class SigningAppImageTest {

final boolean doSign;

public SigningAppImageTest(String flag) {
this.doSign = "true".equals(flag);
}

@Parameters
public static List<Object[]> data() {
return List.of(new Object[][] {{"true"}, {"false"}});
}

@Test
public static void test() throws Exception {
public void test() throws Exception {
SigningCheck.checkCertificates();

JPackageCommand cmd = JPackageCommand.helloAppImage();
cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
SigningBase.DEV_NAME, "--mac-signing-keychain",
SigningBase.KEYCHAIN);
if (doSign) {
cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
SigningBase.DEV_NAME, "--mac-signing-keychain",
SigningBase.KEYCHAIN);
}
cmd.executeAndAssertHelloAppImageCreated();

Path launcherPath = cmd.appLauncherPath();
SigningBase.verifyCodesign(launcherPath, true);
SigningBase.verifyCodesign(launcherPath, doSign);

Path appImage = cmd.outputBundle();
SigningBase.verifyCodesign(appImage, true);
SigningBase.verifySpctl(appImage, "exec");
SigningBase.verifyCodesign(appImage, doSign);
if (doSign) {
SigningBase.verifySpctl(appImage, "exec");
}
}
}

1 comment on commit 936f7ff

@openjdk-notifier
Copy link

@openjdk-notifier openjdk-notifier bot commented on 936f7ff Nov 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.