8271868: Warn user when using mac-sign option with unsigned app-image.

Reviewed-by: asemenyuk

Author: Andy Herrick

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppBundler.java

@@ -35,6 +35,7 @@
 import static jdk.jpackage.internal.StandardBundlerParam.MAIN_CLASS;
 import static jdk.jpackage.internal.StandardBundlerParam.VERBOSE;
 import static jdk.jpackage.internal.StandardBundlerParam.VERSION;
+import static jdk.jpackage.internal.StandardBundlerParam.SIGN_BUNDLE;
 
 public class MacAppBundler extends AppImageBundler {
      public MacAppBundler() {
@@ -125,7 +126,7 @@ private static void doValidate(Map<String, ? super Object> params)
         }
 
         // reject explicitly set sign to true and no valid signature key
-        if (Optional.ofNullable(MacAppImageBuilder.
+        if (Optional.ofNullable(
                     SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.FALSE)) {
             String signingIdentity =
                     DEVELOPER_ID_APP_SIGNING_KEY.fetchFrom(params);

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -66,6 +66,7 @@
 import static jdk.jpackage.internal.StandardBundlerParam.PREDEFINED_APP_IMAGE;
 import static jdk.jpackage.internal.StandardBundlerParam.VERSION;
 import static jdk.jpackage.internal.StandardBundlerParam.ADD_LAUNCHERS;
+import static jdk.jpackage.internal.StandardBundlerParam.SIGN_BUNDLE;
 
 public class MacAppImageBuilder extends AbstractAppImageBuilder {
 
@@ -143,16 +144,6 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder {
             },
             (s, p) -> Path.of(s));
 
-    public static final StandardBundlerParam<Boolean> SIGN_BUNDLE  =
-            new StandardBundlerParam<>(
-            Arguments.CLIOptions.MAC_SIGN.getId(),
-            Boolean.class,
-            params -> false,
-            // valueOf(null) is false, we actually do want null in some cases
-            (s, p) -> (s == null || "null".equalsIgnoreCase(s)) ?
-                    null : Boolean.valueOf(s)
-        );
-
     public static final StandardBundlerParam<Boolean> APP_STORE =
             new StandardBundlerParam<>(
             Arguments.CLIOptions.MAC_APP_STORE.getId(),
@@ -863,5 +854,4 @@ private static String extractBundleIdentifier(Map<String, Object> params) {
 
         return null;
     }
-
 }

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacBaseInstallerBundler.java

@@ -34,13 +34,15 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import static jdk.jpackage.internal.StandardBundlerParam.APP_NAME;
 import static jdk.jpackage.internal.StandardBundlerParam.INSTALLER_NAME;
 import static jdk.jpackage.internal.StandardBundlerParam.INSTALL_DIR;
 import static jdk.jpackage.internal.StandardBundlerParam.PREDEFINED_APP_IMAGE;
 import static jdk.jpackage.internal.StandardBundlerParam.VERSION;
+import static jdk.jpackage.internal.StandardBundlerParam.SIGN_BUNDLE;
 
 public abstract class MacBaseInstallerBundler extends AbstractBundler {
 
@@ -134,6 +136,20 @@ protected void validateAppImageAndBundeler(
                         I18N.getString(
                             "message.app-image-requires-app-name.advice"));
             }
+            if (Optional.ofNullable(
+                    SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.FALSE)) {
+                // if signing bundle with app-image, warn user if app-image
+                // is not allready signed.
+                try {
+                    if (!(AppImageFile.load(applicationImage).isSigned())) {
+                        Log.info(MessageFormat.format(I18N.getString(
+                                 "warning.unsigned.app.image"), getID()));
+                    }
+                } catch (IOException ioe) {
+                    // Ignore - In case of a forign or tampered with app-image,
+                    // user is notified of this when the name is extracted.
+                }
+            }
         } else {
             appImageBundler.validate(params);
         }

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacPkgBundler.java

@@ -46,6 +46,7 @@
 import static jdk.jpackage.internal.StandardBundlerParam.APP_NAME;
 import static jdk.jpackage.internal.StandardBundlerParam.LICENSE_FILE;
 import static jdk.jpackage.internal.StandardBundlerParam.VERSION;
+import static jdk.jpackage.internal.StandardBundlerParam.SIGN_BUNDLE;
 import static jdk.jpackage.internal.MacBaseInstallerBundler.SIGNING_KEYCHAIN;
 import static jdk.jpackage.internal.MacBaseInstallerBundler.SIGNING_KEY_USER;
 import static jdk.jpackage.internal.MacAppImageBuilder.APP_STORE;
@@ -499,7 +500,7 @@ private Path createPKG(Map<String, ? super Object> params,
             commandLine.add(CONFIG_ROOT.fetchFrom(params).toAbsolutePath().toString());
 
             // maybe sign
-            if (Optional.ofNullable(MacAppImageBuilder.
+            if (Optional.ofNullable(
                     SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) {
                 if (Platform.getMajorVersion() > 10 ||
                     (Platform.getMajorVersion() == 10 &&
@@ -603,7 +604,7 @@ public boolean validate(Map<String, ? super Object> params)
             }
 
             // reject explicitly set sign to true and no valid signature key
-            if (Optional.ofNullable(MacAppImageBuilder.
+            if (Optional.ofNullable(
                     SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.FALSE)) {
                 String signingIdentity =
                         DEVELOPER_ID_INSTALLER_SIGNING_KEY.fetchFrom(params);

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/resources/MacResources.properties

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2017, 2020, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2017, 2021, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -88,3 +88,4 @@ message.preparing-distribution-dist=Preparing distribution.dist: {0}.
 message.signing.pkg=Warning: For signing PKG, you might need to set "Always Trust" for your certificate using "Keychain Access" tool.
 message.setfile.dmg=Setting custom icon on DMG file skipped because 'SetFile' utility was not found. Installing Xcode with Command Line Tools should resolve this issue.
 message.install-dir-ignored=Warning: "--install-dir" is not supported by DMG and will be default to /Applications.
+warning.unsigned.app.image=Warning: Using unsigned app-image to build signed {0}.

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/resources/MacResources_ja.properties

@@ -87,3 +87,4 @@ message.preparing-distribution-dist=distribution.dist\u3092\u6E96\u5099\u3057\u3
 message.signing.pkg=\u8B66\u544A: PKG\u3078\u306E\u7F72\u540D\u306E\u5834\u5408\u3001\u300C\u30AD\u30FC\u30C1\u30A7\u30FC\u30F3\u30FB\u30A2\u30AF\u30BB\u30B9\u300D\u30C4\u30FC\u30EB\u3092\u4F7F\u7528\u3057\u3066\u8A3C\u660E\u66F8\u306B\u300C\u5E38\u306B\u4FE1\u983C\u3059\u308B\u300D\u3092\u8A2D\u5B9A\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002
 message.setfile.dmg='SetFile'\u30E6\u30FC\u30C6\u30A3\u30EA\u30C6\u30A3\u304C\u898B\u3064\u304B\u3089\u306A\u3044\u305F\u3081\u3001DMG\u30D5\u30A1\u30A4\u30EB\u3067\u306E\u30AB\u30B9\u30BF\u30E0\u30FB\u30A2\u30A4\u30B3\u30F3\u306E\u8A2D\u5B9A\u304C\u30B9\u30AD\u30C3\u30D7\u3055\u308C\u307E\u3057\u305F\u3002Xcode\u3068\u30B3\u30DE\u30F3\u30C9\u30FB\u30E9\u30A4\u30F3\u30FB\u30C4\u30FC\u30EB\u3092\u30A4\u30F3\u30B9\u30C8\u30FC\u30EB\u3059\u308B\u3068\u3001\u3053\u306E\u554F\u984C\u306F\u89E3\u6C7A\u3055\u308C\u307E\u3059\u3002
 message.install-dir-ignored=Warning: "--install-dir" is not supported by DMG and will be default to /Applications.
+warning.unsigned.app.image=Warning: Using unsigned app-image to build signed {0}.

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/resources/MacResources_zh_CN.properties

@@ -87,3 +87,4 @@ message.preparing-distribution-dist=\u6B63\u5728\u51C6\u5907 distribution.dist:
 message.signing.pkg=\u8B66\u544A\uFF1A\u8981\u5BF9 PKG \u8FDB\u884C\u7B7E\u540D\uFF0C\u53EF\u80FD\u9700\u8981\u4F7F\u7528\u201C\u5BC6\u94A5\u94FE\u8BBF\u95EE\u201D\u5DE5\u5177\u4E3A\u8BC1\u4E66\u8BBE\u7F6E\u201C\u59CB\u7EC8\u4FE1\u4EFB\u201D\u3002
 message.setfile.dmg=\u7531\u4E8E\u672A\u627E\u5230 'SetFile' \u5B9E\u7528\u7A0B\u5E8F\uFF0C\u8DF3\u8FC7\u4E86\u9488\u5BF9 DMG \u6587\u4EF6\u8BBE\u7F6E\u5B9A\u5236\u56FE\u6807\u7684\u64CD\u4F5C\u3002\u5B89\u88C5\u5E26\u547D\u4EE4\u884C\u5DE5\u5177\u7684 Xcode \u5E94\u80FD\u89E3\u51B3\u6B64\u95EE\u9898\u3002
 message.install-dir-ignored=Warning: "--install-dir" is not supported by DMG and will be default to /Applications.
+warning.unsigned.app.image=Warning: Using unsigned app-image to build signed {0}.

src/jdk.jpackage/share/classes/jdk/jpackage/internal/AppImageFile.java

@@ -46,6 +46,7 @@
 import static jdk.jpackage.internal.StandardBundlerParam.VERSION;
 import static jdk.jpackage.internal.StandardBundlerParam.ADD_LAUNCHERS;
 import static jdk.jpackage.internal.StandardBundlerParam.APP_NAME;
+import static jdk.jpackage.internal.StandardBundlerParam.SIGN_BUNDLE;
 
 public class AppImageFile {
 
@@ -54,6 +55,7 @@ public class AppImageFile {
     private final String creatorPlatform;
     private final String launcherName;
     private final List<String> addLauncherNames;
+    private final boolean signed;
 
     private static final String FILENAME = ".jpackage.xml";
 
@@ -63,15 +65,16 @@ public class AppImageFile {
 
 
     private AppImageFile() {
-        this(null, null, null, null);
+        this(null, null, null, null, null);
     }
 
     private AppImageFile(String launcherName, List<String> addLauncherNames,
-            String creatorVersion, String creatorPlatform) {
+            String creatorVersion, String creatorPlatform, String signedStr) {
         this.launcherName = launcherName;
         this.addLauncherNames = addLauncherNames;
         this.creatorVersion = creatorVersion;
         this.creatorPlatform = creatorPlatform;
+        this.signed = "true".equals(signedStr);
     }
 
     /**
@@ -90,6 +93,10 @@ String getLauncherName() {
         return launcherName;
     }
 
+    boolean isSigned() {
+        return signed;
+    }
+
     void verifyCompatible() throws ConfigException {
         // Just do nothing for now.
     }
@@ -125,6 +132,10 @@ static void save(Path appImageDir, Map<String, Object> params)
             xml.writeCharacters(APP_NAME.fetchFrom(params));
             xml.writeEndElement();
 
+            xml.writeStartElement("signed");
+            xml.writeCharacters(SIGN_BUNDLE.fetchFrom(params).toString());
+            xml.writeEndElement();
+
             List<Map<String, ? super Object>> addLaunchers =
                 ADD_LAUNCHERS.fetchFrom(params);
 
@@ -164,6 +175,9 @@ static AppImageFile load(Path appImageDir) throws IOException {
             String version = xpathQueryNullable(xPath,
                     "/jpackage-state/@version", doc);
 
+            String signedStr = xpathQueryNullable(xPath,
+                    "/jpackage-state/@signed", doc);
+
             NodeList launcherNameNodes = (NodeList) xPath.evaluate(
                     "/jpackage-state/add-launcher/text()", doc,
                     XPathConstants.NODESET);
@@ -173,7 +187,7 @@ static AppImageFile load(Path appImageDir) throws IOException {
             }
 
             AppImageFile file = new AppImageFile(
-                    mainLauncher, addLaunchers, version, platform);
+                    mainLauncher, addLaunchers, version, platform, signedStr);
             if (!file.isValid()) {
                 file = new AppImageFile();
             }

src/jdk.jpackage/share/classes/jdk/jpackage/internal/StandardBundlerParam.java

@@ -467,6 +467,16 @@ private static Path findPathOfModule( List<Path> modulePath, String moduleName)
                     (s, p) -> new LinkedHashSet<>(Arrays.asList(s.split(",")))
             );
 
+    static final StandardBundlerParam<Boolean> SIGN_BUNDLE =
+            new StandardBundlerParam<>(
+                    Arguments.CLIOptions.MAC_SIGN.getId(),
+                    Boolean.class,
+                    params -> false,
+                    (s, p) -> (s == null || "null".equalsIgnoreCase(s)) ?
+                    null : Boolean.valueOf(s)
+        );
+
+
     static boolean isRuntimeInstaller(Map<String, ? super Object> params) {
         if (params.containsKey(MODULE.getID()) ||
                 params.containsKey(MAIN_JAR.getID()) ||