Skip to content
Permalink
Browse files
8277494: [BACKOUT] JDK-8276150 Quarantined jpackage apps are labeled … 
…as "damaged"

Reviewed-by: asemenyuk, tschatzl
  • Loading branch information
Daniel D. Daugherty committed Nov 19, 2021
1 parent 2ab43ec commit c79a485f1c3f9c0c3a79b8847fdcd50a141cd529
Showing with 33 additions and 80 deletions.
  1. +26 −55 src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java
  2. +7 −25 test/jdk/tools/jpackage/macosx/SigningAppImageTest.java
81 src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java
View file
@@ -329,8 +329,7 @@ public void prepareApplicationFiles(Map<String, ? super Object> params)
}

copyRuntimeFiles(params);

doSigning(params);
sign(params);
}

private void copyRuntimeFiles(Map<String, ? super Object> params)
@@ -356,12 +355,7 @@ private void copyRuntimeFiles(Map<String, ? super Object> params)
}
}

private void doSigning(Map<String, ? super Object> params)
throws IOException {

// signing or not, unsign first ...
unsignAppBundle(params, root);

private void sign(Map<String, ? super Object> params) throws IOException {
if (Optional.ofNullable(
SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) {
try {
@@ -653,52 +647,7 @@ public static void restoreKeychainList(Map<String, ? super Object> params)
IOUtils.exec(pb);
}

private static void unsignAppBundle(Map<String, ? super Object> params,
Path appLocation) throws IOException {

// unsign all dylibs and executables
try (Stream<Path> stream = Files.walk(appLocation)) {
stream.peek(path -> { // fix permissions
try {
Set<PosixFilePermission> pfp =
Files.getPosixFilePermissions(path);
if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) {
pfp = EnumSet.copyOf(pfp);
pfp.add(PosixFilePermission.OWNER_WRITE);
Files.setPosixFilePermissions(path, pfp);
}
} catch (IOException e) {
Log.verbose(e);
}
}).filter(p -> Files.isRegularFile(p) &&
(Files.isExecutable(p) || p.toString().endsWith(".dylib"))
&& !(p.toString().contains("dylib.dSYM/Contents"))
).forEach(p -> {
// If p is a symlink then skip.
if (Files.isSymbolicLink(p)) {
Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString()));
} else {
List<String> args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--remove-signature", p.toString()));
try {
Set<PosixFilePermission> oldPermissions =
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);
Files.setPosixFilePermissions(p,oldPermissions);
} catch (IOException ioe) {
Log.verbose(ioe);
return;
}
}
});
}
}

private static void signAppBundle(
static void signAppBundle(
Map<String, ? super Object> params, Path appLocation,
String signingIdentity, String identifierPrefix, Path entitlements)
throws IOException {
@@ -733,7 +682,29 @@ private static void signAppBundle(
Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString()));
} else {
List<String> args = new ArrayList<>();
List<String> args;
// runtime and Framework files will be signed below
// but they need to be unsigned first here
if ((p.toString().contains("/Contents/runtime")) ||
(p.toString().contains("/Contents/Frameworks"))) {

args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--remove-signature", p.toString()));
try {
Set<PosixFilePermission> oldPermissions =
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);
Files.setPosixFilePermissions(p,oldPermissions);
} catch (IOException ioe) {
Log.verbose(ioe);
toThrow.set(ioe);
return;
}
}
args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--timestamp",
"--options", "runtime",
32 test/jdk/tools/jpackage/macosx/SigningAppImageTest.java
View file
@@ -22,11 +22,8 @@
*/

import java.nio.file.Path;
import java.util.List;

import jdk.jpackage.test.JPackageCommand;
import jdk.jpackage.test.Annotations.Test;
import jdk.jpackage.test.Annotations.Parameters;

/**
* Tests generation of app image with --mac-sign and related arguments. Test will
@@ -60,36 +57,21 @@
*/
public class SigningAppImageTest {

final boolean doSign;

public SigningAppImageTest(String flag) {
this.doSign = "true".equals(flag);
}

@Parameters
public static List<Object[]> data() {
return List.of(new Object[][] {{"true"}, {"false"}});
}

@Test
public void test() throws Exception {
public static void test() throws Exception {
SigningCheck.checkCertificates();

JPackageCommand cmd = JPackageCommand.helloAppImage();
if (doSign) {
cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
SigningBase.DEV_NAME, "--mac-signing-keychain",
SigningBase.KEYCHAIN);
}
cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
SigningBase.DEV_NAME, "--mac-signing-keychain",
SigningBase.KEYCHAIN);
cmd.executeAndAssertHelloAppImageCreated();

Path launcherPath = cmd.appLauncherPath();
SigningBase.verifyCodesign(launcherPath, doSign);
SigningBase.verifyCodesign(launcherPath, true);

Path appImage = cmd.outputBundle();
SigningBase.verifyCodesign(appImage, doSign);
if (doSign) {
SigningBase.verifySpctl(appImage, "exec");
}
SigningBase.verifyCodesign(appImage, true);
SigningBase.verifySpctl(appImage, "exec");
}
}

1 comment on commit c79a485

@openjdk-notifier
Copy link

@openjdk-notifier openjdk-notifier bot commented on c79a485 Nov 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review

Issues

Please sign in to comment.