8277494: [BACKOUT] JDK-8276150 Quarantined jpackage apps are labeled as "damaged" #6483

Closed
@@ -329,8 +329,7 @@ public void prepareApplicationFiles(Map<String, ? super Object> params)
}

copyRuntimeFiles(params);

doSigning(params);
sign(params);
}

private void copyRuntimeFiles(Map<String, ? super Object> params)
@@ -356,12 +355,7 @@ private void copyRuntimeFiles(Map<String, ? super Object> params)
}
}

private void doSigning(Map<String, ? super Object> params)
throws IOException {

// signing or not, unsign first ...
unsignAppBundle(params, root);

private void sign(Map<String, ? super Object> params) throws IOException {
if (Optional.ofNullable(
SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) {
try {
@@ -653,52 +647,7 @@ public static void restoreKeychainList(Map<String, ? super Object> params)
IOUtils.exec(pb);
}

private static void unsignAppBundle(Map<String, ? super Object> params,
Path appLocation) throws IOException {

// unsign all dylibs and executables
try (Stream<Path> stream = Files.walk(appLocation)) {
stream.peek(path -> { // fix permissions
try {
Set<PosixFilePermission> pfp =
Files.getPosixFilePermissions(path);
if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) {
pfp = EnumSet.copyOf(pfp);
pfp.add(PosixFilePermission.OWNER_WRITE);
Files.setPosixFilePermissions(path, pfp);
}
} catch (IOException e) {
Log.verbose(e);
}
}).filter(p -> Files.isRegularFile(p) &&
(Files.isExecutable(p) || p.toString().endsWith(".dylib"))
&& !(p.toString().contains("dylib.dSYM/Contents"))
).forEach(p -> {
// If p is a symlink then skip.
if (Files.isSymbolicLink(p)) {
Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString()));
} else {
List<String> args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--remove-signature", p.toString()));
try {
Set<PosixFilePermission> oldPermissions =
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);
Files.setPosixFilePermissions(p,oldPermissions);
} catch (IOException ioe) {
Log.verbose(ioe);
return;
}
}
});
}
}

private static void signAppBundle(
static void signAppBundle(
Map<String, ? super Object> params, Path appLocation,
String signingIdentity, String identifierPrefix, Path entitlements)
throws IOException {
@@ -733,7 +682,29 @@ private static void signAppBundle(
Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString()));
} else {
List<String> args = new ArrayList<>();
List<String> args;
// runtime and Framework files will be signed below
// but they need to be unsigned first here
if ((p.toString().contains("/Contents/runtime")) ||
(p.toString().contains("/Contents/Frameworks"))) {

args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--remove-signature", p.toString()));
try {
Set<PosixFilePermission> oldPermissions =
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);
Files.setPosixFilePermissions(p,oldPermissions);
} catch (IOException ioe) {
Log.verbose(ioe);
toThrow.set(ioe);
return;
}
}
args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--timestamp",
"--options", "runtime",
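Review bot: The unsign step restored in signAppBundle (the `/Contents/runtime` and `/Contents/Frameworks` branch) makes each file owner-writable with `p.toFile().setWritable(true, true)` but restores the saved mode only on the success path, so when `IOUtils.exec(pb)` throws, the catch block returns and the file keeps the widened permissions. Restoring in a `finally` closes that gap: `try { IOUtils.exec(pb); } finally { Files.setPosixFilePermissions(p, oldPermissions); }`. The boolean result of `setWritable` is also ignored, so a failure to make the file writable only shows up later as a codesign error. The branch is chosen by `p.toString().contains(...)`, a substring match that would also hit any path that merely contains those strings; comparing against subpaths resolved from `appLocation` would be stricter. signAppBundle starts before this hunk and continues past it, so the walk and the handling of `toThrow` are not visible here.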
@@ -22,11 +22,8 @@
*/

import java.nio.file.Path;
import java.util.List;

import jdk.jpackage.test.JPackageCommand;
import jdk.jpackage.test.Annotations.Test;
import jdk.jpackage.test.Annotations.Parameters;

/**
* Tests generation of app image with --mac-sign and related arguments. Test will
@@ -60,36 +57,21 @@
*/
public class SigningAppImageTest {

final boolean doSign;

public SigningAppImageTest(String flag) {
this.doSign = "true".equals(flag);
}

@Parameters
public static List<Object[]> data() {
return List.of(new Object[][] {{"true"}, {"false"}});
}

@Test
public void test() throws Exception {
public static void test() throws Exception {
SigningCheck.checkCertificates();

JPackageCommand cmd = JPackageCommand.helloAppImage();
if (doSign) {
cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
SigningBase.DEV_NAME, "--mac-signing-keychain",
SigningBase.KEYCHAIN);
}
cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
SigningBase.DEV_NAME, "--mac-signing-keychain",
SigningBase.KEYCHAIN);
cmd.executeAndAssertHelloAppImageCreated();

Path launcherPath = cmd.appLauncherPath();
SigningBase.verifyCodesign(launcherPath, doSign);
SigningBase.verifyCodesign(launcherPath, true);

Path appImage = cmd.outputBundle();
SigningBase.verifyCodesign(appImage, doSign);
if (doSign) {
SigningBase.verifySpctl(appImage, "exec");
}
SigningBase.verifyCodesign(appImage, true);
SigningBase.verifySpctl(appImage, "exec");
}
}