8332110: [macos] jpackage tries to sign added files without the --mac-sign option #19377
Conversation
Mailing list message from Michael Hall on core-libs-dev:

Sorry I made my prior off-list. Would it also generally be a good idea to include a final codesign verify to fail the build if something is wrong with the signature? Something like? echo '*******************' Expected output? ******************* I think I have suggested this before but don't remember if I did an enhancement request. Maybe you do that and I'm just not aware of it if it doesn't appear in the jpackage output.
Mailing list message from Alexander Matveev on core-libs-dev:

Hi Michael,

Yes, it will leave you with an application that isn't signed. I was able to run such application on same machine as it was generated by jpackage.

Not sure if it is an Apple bug.

Yes, you already suggested it. See https://bugs.openjdk.org/browse/JDK-8318063 and it was closed as won't fix because such verification is redundant.

Thanks,

From: Michael Hall <mik3hall at gmail.com>

On May 24, 2024, at 3:08 AM, Michael Hall <mik3hall at gmail.com> wrote:

On May 23, 2024, at 8:13 PM, Alexander Matveev <almatvee at openjdk.org> wrote:

otherwise add additional content as post-processing step.

Doesn't this still leave you with an application that isn't validly signed? And probably won't run because of that.

2) jpackage --type app-image -n Test --app-content ReadMe ...

For your example. This almost seems like an Apple bug if you can add a directory to the Contents directory but not a file?

Sorry I made my prior off-list. Would it also generally be a good idea to include a final codesign verify to fail the build if something is wrong with the signature? Something like? echo '*******************' Expected output? ******************* I think I have suggested this before but don't remember if I did an enhancement request. Maybe you do that and I'm just not aware of it if it doesn't appear in the jpackage output.
@alexeysemenyukoracle please review

How about this wording for the message: "codesign" failed and additional application content was supplied via the "--app-content" parameter. Probably the additional content broke the integrity of the application bundle and caused the failure. Ensure content supplied via the "--app-content" parameter does not break the integrity of the application bundle, or add it in the post-processing step.
8332110: jpackage tries to sign added files without the --mac-sign option [v2]
```java
{"Hello",
 new String[]{"--app-content", TEST_DUKE},
 null,
 "\"codesign\" failure is additional content provided via \"--app-content\""},
```
Why is this not `One of the possible reason for "{0}" failure is additional content provided via "--app-content"`?
It was part of old message. Latest test version has latest message: ""codesign" failed and additional application content was supplied via the "--app-content" parameter."
/integrate

Going to push as commit 9fd0e73.
Your commit was automatically rebased without conflicts.

@sashamatveev Pushed as commit 9fd0e73.
Can this be reported to Apple somehow?

I do not think that it is an Apple bug. If you look at an Apple documentation [1] about "Placing content in a bundle" you will see highlighted important message that you should not put content in the wrong location.

[1] https://developer.apple.com/documentation/bundleresources/placing_content_in_a_bundle?language=objc

I see, but it doesn't say where to put license files, which are usually in the root. Do you know where these belong?

No idea.
Mailing list message from Michael Hall on core-libs-dev:

Yes you can file an Apple bug report but I think these days it requires a developer account to get to the bug reporter. The indicated documentation doesn't mention anything about your own files/directories. So I think a bug report might be appropriate. One in but the other out doesn't seem right. I used to have my own directory in an application but that was pre-jpackage. And prior to Apple's incremental security crack-downs with Gatekeeper. I think I had code with special class loading requirements where I wanted to load it outside class path. My app no longer includes that. I have a resources jar where I dump all my miscellaneous and retrieve them from there.
This issue is reproducible with and without `--mac-sign`. jpackage will "ad-hoc" sign application bundle when `--mac-sign` is not specified by using pseudo-identity "-". This is why jpackage tries to sign added files and this is expected behavior by jpackage. "codesign" fails since added content made application bundle structure invalid. There is nothing we can do on jpackage side to sign such invalid bundles. As proposed solution we will output possible reason for "codesign" failure if it fails and `--app-content` was specified and possible solution. Proposed message: "One of the possible reason for "codesign" failure is additional content provided via "--app-content", which made application bundle structure invalid. Make sure to provide additional content in a way it will not break application bundle structure, otherwise add additional content as post-processing step."

Example:

Let's assume we have "ReadMe" folder with "ReadMe.txt" file in it.

"codesign" will fail with "In subcomponent: Test.app/Contents/ReadMe.txt". This is expected and "ReadMe.txt" placed in "Test.app/Contents" which is also expected.

Works and "ReadMe.txt" will be placed under "Test.app/Contents/ReadMe".

Sample output before fix:

Sample output after fix:
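As an added illustration (not code from this PR or from jpackage), a pre-flight check a build script could run on the staged app image before codesign is invoked, reproducing the two cases from the description: a bare `ReadMe.txt` copied straight into `Contents/` and a `ReadMe/` folder placed there instead. The set of files allowed loose in `Contents/` and the minimal bundle layout staged here are assumptions, not taken from jpackage.

```python
import shutil
import tempfile
from pathlib import Path

# Files that legitimately sit directly in <App>.app/Contents/ (assumption based on
# Apple's standard bundle layout); any other loose file there breaks the seal.
ALLOWED_LOOSE_FILES = {"Info.plist", "PkgInfo"}


def stage_bundle(root: Path, app_content: list[Path]) -> Path:
    """Constructed stand-in for a jpackage app image: a minimal Test.app with each
    --app-content item copied straight under Contents/, as the PR description says."""
    contents = root / "Test.app" / "Contents"
    (contents / "MacOS").mkdir(parents=True)
    (contents / "MacOS" / "Test").write_text("#!/bin/sh\n")
    (contents / "Info.plist").write_text("<plist/>\n")
    for item in app_content:
        dest = contents / item.name
        if item.is_dir():
            shutil.copytree(item, dest)
        else:
            shutil.copy(item, dest)
    return contents.parent


def loose_contents_files(app_dir: Path) -> list[str]:
    """Files sitting directly in Contents/ that are not part of the standard layout;
    these are the entries codesign rejects ("In subcomponent: ...")."""
    contents = app_dir / "Contents"
    return sorted(p.name for p in contents.iterdir()
                  if p.is_file() and p.name not in ALLOWED_LOOSE_FILES)


def preflight(app_dir: Path) -> list[str]:
    """Report, before codesign runs, which added items will break the bundle seal."""
    return [f'"{app_dir.name}/Contents/{name}" is a loose file in Contents/: '
            f"wrap it in a directory for --app-content or add it as a post-processing step"
            for name in loose_contents_files(app_dir)]


def demo() -> tuple[list[str], list[str]]:
    """The two cases from the PR: --app-content ReadMe/ReadMe.txt vs --app-content ReadMe."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src" / "ReadMe"
        src.mkdir(parents=True)
        (src / "ReadMe.txt").write_text("hello\n")
        bad = stage_bundle(Path(tmp) / "bad", [src / "ReadMe.txt"])  # file lands in Contents/
        good = stage_bundle(Path(tmp) / "good", [src])                # folder lands in Contents/ReadMe
        return preflight(bad), preflight(good)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```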