
8237490: [macos] Add support notarizing jpackage app-image and dmg

Reviewed-by: asemenyuk, almatvee
Andy Herrick committed Apr 8, 2020
1 parent 50ed530 commit 1cca0e48e082102896b47bbde7edefa6040ff451
@@ -368,14 +368,28 @@ private void sign(Map<String, ? super Object> params) throws IOException {
String signingIdentity =
DEVELOPER_ID_APP_SIGNING_KEY.fetchFrom(params);
if (signingIdentity != null) {
prepareEntitlements(params);
signAppBundle(params, root, signingIdentity,
BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params), null, null);
BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params),
getConfig_Entitlements(params));
}
restoreKeychainList(params);
}
}

private String getLauncherName(Map<String, ? super Object> params) {
static File getConfig_Entitlements(Map<String, ? super Object> params) {
return new File(CONFIG_ROOT.fetchFrom(params),
getLauncherName(params) + ".entitlements");
}

static void prepareEntitlements(Map<String, ? super Object> params)
throws IOException {
createResource("entitlements.plist", params)
.setCategory(I18N.getString("resource.entitlements"))
.saveToFile(getConfig_Entitlements(params));
}

private static String getLauncherName(Map<String, ? super Object> params) {
if (APP_NAME.fetchFrom(params) != null) {
return APP_NAME.fetchFrom(params);
} else {
@@ -735,16 +749,15 @@ public static void restoreKeychainList(Map<String, ? super Object> params)
IOUtils.exec(pb);
}

public static void signAppBundle(
static void signAppBundle(
Map<String, ? super Object> params, Path appLocation,
String signingIdentity, String identifierPrefix,
String entitlementsFile, String inheritedEntitlements)
String signingIdentity, String identifierPrefix, File entitlements)
throws IOException {
AtomicReference<IOException> toThrow = new AtomicReference<>();
String appExecutable = "/Contents/MacOS/" + APP_NAME.fetchFrom(params);
String keyChain = SIGNING_KEYCHAIN.fetchFrom(params);

// sign all dylibs and jars
// sign all dylibs and executables
try (Stream<Path> stream = Files.walk(appLocation)) {
stream.peek(path -> { // fix permissions
try {
@@ -758,48 +771,43 @@ public static void signAppBundle(
} catch (IOException e) {
Log.verbose(e);
}
}).filter(p -> Files.isRegularFile(p)
&& !(p.toString().contains("/Contents/MacOS/libjli.dylib")
|| p.toString().endsWith(appExecutable)
}).filter(p -> Files.isRegularFile(p) &&
(Files.isExecutable(p) || p.toString().endsWith(".dylib"))
&& !(p.toString().endsWith(appExecutable)
|| p.toString().contains("/Contents/runtime")
|| p.toString().contains("/Contents/Frameworks"))).forEach(p -> {
//noinspection ThrowableResultOfMethodCallIgnored
|| p.toString().contains("/Contents/Frameworks"))
).forEach(p -> {
// noinspection ThrowableResultOfMethodCallIgnored
if (toThrow.get() != null) return;

// If p is a symlink then skip the signing process.
if (Files.isSymbolicLink(p)) {
if (VERBOSE.fetchFrom(params)) {
Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString()));
}
Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString()));
} else if (isFileSigned(p)) {
// executable or lib already signed
Log.verbose(MessageFormat.format(I18N.getString(
"message.already.signed"), p.toString()));
} else {
if (p.toString().endsWith(LIBRARY_NAME)) {
if (isFileSigned(p)) {
return;
}
}

List<String> args = new ArrayList<>();
args.addAll(Arrays.asList("codesign",
"-s", signingIdentity, // sign with this key
"--timestamp",
"--options", "runtime",
"-s", signingIdentity,
"--prefix", identifierPrefix,
// use the identifier as a prefix
"-vvvv"));
if (entitlementsFile != null &&
(p.toString().endsWith(".jar")
|| p.toString().endsWith(".dylib"))) {
args.add("--entitlements");
args.add(entitlementsFile); // entitlements
} else if (inheritedEntitlements != null &&
Files.isExecutable(p)) {
args.add("--entitlements");
args.add(inheritedEntitlements);
// inherited entitlements for executable processes
}
if (keyChain != null && !keyChain.isEmpty()) {
args.add("--keychain");
args.add(keyChain);
}

if (Files.isExecutable(p)) {
if (entitlements != null) {
args.add("--entitlements");
args.add(entitlements.toString());
}
}

args.add(p.toString());

try {
@@ -809,6 +817,7 @@ public static void signAppBundle(
f.setWritable(true, true);

ProcessBuilder pb = new ProcessBuilder(args);

IOUtils.exec(pb);

Files.setPosixFilePermissions(p, oldPermissions);
@@ -831,32 +840,22 @@ public static void signAppBundle(
try {
List<String> args = new ArrayList<>();
args.addAll(Arrays.asList("codesign",
"-f",
"--timestamp",
"--options", "runtime",
"--deep",
"--force",
"-s", signingIdentity, // sign with this key
"--prefix", identifierPrefix,
// use the identifier as a prefix
"-vvvv"));

if (keyChain != null && !keyChain.isEmpty()) {
args.add("--keychain");
args.add(keyChain);
}
args.add(path.toString());
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);

args = new ArrayList<>();
args.addAll(Arrays.asList("codesign",
"-s", signingIdentity, // sign with this key
"--prefix", identifierPrefix,
// use the identifier as a prefix
"-vvvv"));
if (keyChain != null && !keyChain.isEmpty()) {
args.add("--keychain");
args.add(keyChain);
}
args.add(path.toString()
+ "/Contents/_CodeSignature/CodeResources");
pb = new ProcessBuilder(args);
IOUtils.exec(pb);
} catch (IOException e) {
toThrow.set(e);
@@ -886,20 +885,28 @@ public static void signAppBundle(
// sign the app itself
List<String> args = new ArrayList<>();
args.addAll(Arrays.asList("codesign",
"-s", signingIdentity, // sign with this key
"-vvvv")); // super verbose output
if (entitlementsFile != null) {
args.add("--entitlements");
args.add(entitlementsFile); // entitlements
}
"--timestamp",
"--options", "runtime",
"--deep",
"--force",
"-s", signingIdentity,
"-vvvv"));

if (keyChain != null && !keyChain.isEmpty()) {
args.add("--keychain");
args.add(keyChain);
}

if (entitlements != null) {
args.add("--entitlements");
args.add(entitlements.toString());
}

args.add(appLocation.toString());

ProcessBuilder pb =
new ProcessBuilder(args.toArray(new String[args.size()]));

IOUtils.exec(pb);
}
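Review bot: The final `codesign` call on `appLocation` now passes `--deep --force` together with `--entitlements`, so it re-signs nested code that the per-file and runtime passes earlier in `signAppBundle` already signed. As far as I know, `--deep` applies the same signing options and entitlements to every nested item it reaches, so helper executables and libraries may end up carrying the full entitlement set regardless of what the earlier passes decided; this should be confirmed against the codesign documentation. Because the bundle contents are already signed from the inside out, consider removing the `"--deep",` line from this last argument list and keeping `"--force",`. Parts of `signAppBundle` lie outside the visible hunks, so the complete signing order cannot be checked from this page.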

@@ -40,10 +40,6 @@
"jdk.incubator.jpackage.internal.resources.MacResources");

private static final String TEMPLATE_BUNDLE_ICON_HIDPI = "java.icns";
private final static String DEFAULT_ENTITLEMENTS =
"MacAppStore.entitlements";
private final static String DEFAULT_INHERIT_ENTITLEMENTS =
"MacAppStore_Inherit.entitlements";

public static final BundlerParamInfo<String> MAC_APP_STORE_APP_SIGNING_KEY =
new StandardBundlerParam<>(
@@ -94,13 +90,6 @@
},
(s, p) -> s);

public static final StandardBundlerParam<File> MAC_APP_STORE_ENTITLEMENTS =
new StandardBundlerParam<>(
Arguments.CLIOptions.MAC_APP_STORE_ENTITLEMENTS.getId(),
File.class,
params -> null,
(s, p) -> new File(s));

public static final BundlerParamInfo<String> INSTALLER_SUFFIX =
new StandardBundlerParam<> (
"mac.app-store.installerName.suffix",
@@ -133,20 +122,15 @@ public File bundle(Map<String, ? super Object> params,
params.put(DEVELOPER_ID_APP_SIGNING_KEY.getID(), null);
File appLocation = prepareAppBundle(params);

prepareEntitlements(params);

String signingIdentity =
MAC_APP_STORE_APP_SIGNING_KEY.fetchFrom(params);
String identifierPrefix =
BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params);
String entitlementsFile =
getConfig_Entitlements(params).toString();
String inheritEntitlements =
getConfig_Inherit_Entitlements(params).toString();
MacAppImageBuilder.prepareEntitlements(params);

MacAppImageBuilder.signAppBundle(params, appLocation.toPath(),
signingIdentity, identifierPrefix,
entitlementsFile, inheritEntitlements);
MacAppImageBuilder.getConfig_Entitlements(params));
MacAppImageBuilder.restoreKeychainList(params);

ProcessBuilder pb;
@@ -188,31 +172,6 @@ public File bundle(Map<String, ? super Object> params,
}
}

private File getConfig_Entitlements(Map<String, ? super Object> params) {
return new File(CONFIG_ROOT.fetchFrom(params),
APP_NAME.fetchFrom(params) + ".entitlements");
}

private File getConfig_Inherit_Entitlements(
Map<String, ? super Object> params) {
return new File(CONFIG_ROOT.fetchFrom(params),
APP_NAME.fetchFrom(params) + "_Inherit.entitlements");
}

private void prepareEntitlements(Map<String, ? super Object> params)
throws IOException {
createResource(DEFAULT_ENTITLEMENTS, params)
.setCategory(
I18N.getString("resource.mac-app-store-entitlements"))
.setExternal(MAC_APP_STORE_ENTITLEMENTS.fetchFrom(params))
.saveToFile(getConfig_Entitlements(params));

createResource(DEFAULT_INHERIT_ENTITLEMENTS, params)
.setCategory(I18N.getString(
"resource.mac-app-store-inherit-entitlements"))
.saveToFile(getConfig_Entitlements(params));
}

///////////////////////////////////////////////////////////////////////
// Implement Bundler
///////////////////////////////////////////////////////////////////////
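Review bot: The Mac App Store path in `bundle` now signs with the shared file from `MacAppImageBuilder.getConfig_Entitlements(params)`, and the same commit removes `MAC_APP_STORE_ENTITLEMENTS`, the parameter that let a caller supply an App Store specific entitlements file. The plist added in this commit, presumably the `entitlements.plist` resource that `MacAppImageBuilder.prepareEntitlements` writes, holds only hardened-runtime exceptions, including `com.apple.security.cs.debugger`, and no `com.apple.security.app-sandbox` key. The deleted App Store defaults are not shown, so it cannot be confirmed here whether they carried the sandbox key. Consider keeping a separate App Store default or an explicit override, and state the intent at the call site with a comment such as `// App Store builds reuse the Developer ID entitlements; a custom file must come from the resource directory`, if that is the intended replacement. The `bundle` method continues outside the hunk.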

This file was deleted.

This file was deleted.

@@ -46,8 +46,7 @@ error.no.xcode.signing.advice=Install Xcode with command line developer tools.
resource.bundle-config-file=Bundle config file
resource.app-info-plist=Application Info.plist
resource.runtime-info-plist=Java Runtime Info.plist
resource.mac-app-store-entitlements=Mac App Store Entitlements
resource.mac-app-store-inherit-entitlements=Mac App Store Inherit Entitlements
resource.entitlements=Mac Entitlements
resource.dmg-setup-script=DMG setup script
resource.license-setup=License setup
resource.dmg-background=dmg background
@@ -68,6 +67,7 @@ message.version-string-no-negative-numbers=Negative numbers are not allowed in v
message.version-string-numbers-only=Version strings can consist of only numbers and up to two dots.
message.creating-association-with-null-extension=Creating association with null extension.
message.ignoring.symlink=Warning: codesign is skipping the symlink {0}.
message.already.signed=File already signed: {0}.
message.keychain.error=Error: unable to get keychain list.
message.building-bundle=Building Mac App Store Package for {0}.
message.app-image-dir-does-not-exist=Specified application image directory {0}: {1} does not exists.
@@ -46,8 +46,7 @@ error.no.xcode.signing.advice=Xcode\u3068\u30B3\u30DE\u30F3\u30C9\u30E9\u30A4\u3
resource.bundle-config-file=\u30D0\u30F3\u30C9\u30EB\u69CB\u6210\u30D5\u30A1\u30A4\u30EB
resource.app-info-plist=\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u306EInfo.plist
resource.runtime-info-plist=Java\u30E9\u30F3\u30BF\u30A4\u30E0\u306EInfo.plist
resource.mac-app-store-entitlements=Mac App Store\u6A29\u9650
resource.mac-app-store-inherit-entitlements=Mac App Store\u7D99\u627F\u6A29\u9650
resource.entitlements=Mac Entitlements
resource.dmg-setup-script=DMG\u8A2D\u5B9A\u30B9\u30AF\u30EA\u30D7\u30C8
resource.license-setup=\u30E9\u30A4\u30BB\u30F3\u30B9\u306E\u8A2D\u5B9A
resource.dmg-background=dmg\u80CC\u666F
@@ -68,6 +67,7 @@ message.version-string-no-negative-numbers=\u30D0\u30FC\u30B8\u30E7\u30F3\u6587\
message.version-string-numbers-only=\u30D0\u30FC\u30B8\u30E7\u30F3\u6587\u5B57\u5217\u306F\u3001\u6570\u5B57\u30682\u3064\u307E\u3067\u306E\u30C9\u30C3\u30C8\u3067\u306E\u307F\u69CB\u6210\u3067\u304D\u307E\u3059\u3002
message.creating-association-with-null-extension=null\u62E1\u5F35\u5B50\u3068\u306E\u95A2\u9023\u4ED8\u3051\u3092\u4F5C\u6210\u3057\u3066\u3044\u307E\u3059\u3002
message.ignoring.symlink=\u8B66\u544A: codesign\u304Csymlink {0}\u3092\u30B9\u30AD\u30C3\u30D7\u3057\u3066\u3044\u307E\u3059
message.already.signed=File already signed: {0}.
message.keychain.error=\u30A8\u30E9\u30FC: \u30AD\u30FC\u30C1\u30A7\u30FC\u30F3\u30FB\u30EA\u30B9\u30C8\u3092\u53D6\u5F97\u3067\u304D\u307E\u305B\u3093\u3002
message.building-bundle={0}\u306EMac App Store\u30D1\u30C3\u30B1\u30FC\u30B8\u3092\u4F5C\u6210\u3057\u3066\u3044\u307E\u3059\u3002
message.app-image-dir-does-not-exist=\u6307\u5B9A\u3055\u308C\u305F\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u30FB\u30A4\u30E1\u30FC\u30B8\u30FB\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA {0}: {1}\u306F\u5B58\u5728\u3057\u307E\u305B\u3093\u3002
@@ -46,8 +46,7 @@ error.no.xcode.signing.advice=\u5B89\u88C5\u5E26\u547D\u4EE4\u884C\u5F00\u53D1\u
resource.bundle-config-file=\u5305\u914D\u7F6E\u6587\u4EF6
resource.app-info-plist=\u5E94\u7528\u7A0B\u5E8F Info.plist
resource.runtime-info-plist=Java \u8FD0\u884C\u65F6 Info.plist
resource.mac-app-store-entitlements=Mac App Store \u6743\u5229
resource.mac-app-store-inherit-entitlements=Mac App Store \u7EE7\u627F\u6743\u5229
resource.entitlements=Mac Entitlements
resource.dmg-setup-script=DMG \u8BBE\u7F6E\u811A\u672C
resource.license-setup=\u8BB8\u53EF\u8BC1\u8BBE\u7F6E
resource.dmg-background=DMG \u80CC\u666F
@@ -68,6 +67,7 @@ message.version-string-no-negative-numbers=\u7248\u672C\u5B57\u7B26\u4E32\u4E2D\
message.version-string-numbers-only=\u7248\u672C\u5B57\u7B26\u4E32\u53EA\u80FD\u5305\u542B\u6570\u5B57\u548C\u6700\u591A\u4E24\u4E2A\u70B9\u3002
message.creating-association-with-null-extension=\u6B63\u5728\u4F7F\u7528\u7A7A\u6269\u5C55\u540D\u521B\u5EFA\u5173\u8054\u3002
message.ignoring.symlink=\u8B66\u544A: codesign \u6B63\u5728\u8DF3\u8FC7\u7B26\u53F7\u94FE\u63A5 {0}\u3002
message.already.signed=File already signed: {0}.
message.keychain.error=\u9519\u8BEF\uFF1A\u65E0\u6CD5\u83B7\u53D6\u5BC6\u94A5\u94FE\u5217\u8868\u3002
message.building-bundle=\u6B63\u5728\u4E3A {0} \u6784\u5EFA Mac App Store \u7A0B\u5E8F\u5305\u3002
message.app-image-dir-does-not-exist=\u6307\u5B9A\u7684\u5E94\u7528\u7A0B\u5E8F\u6620\u50CF\u76EE\u5F55 {0}\uFF1A{1} \u4E0D\u5B58\u5728\u3002
@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.debugger</key>
<true/>
</dict>
</plist>
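Review bot: This plist, presumably the default `entitlements.plist` that `prepareEntitlements` writes for every signed app, grants all five hardened-runtime exceptions, so the `--options runtime` flag added elsewhere in the commit protects very little by default. `com.apple.security.cs.disable-library-validation` together with `com.apple.security.cs.allow-dyld-environment-variables` allows libraries not signed by the same team to be loaded into the process through its environment, and `com.apple.security.cs.debugger` is normally needed only by tools that attach to other processes. Consider shipping a narrower default that keeps the JIT-related keys the JVM needs and leaves the others for applications to opt into with their own entitlements file. Each remaining key would benefit from an XML comment giving its reason, for example `<!-- required by the HotSpot JIT compiler -->`.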
@@ -285,9 +285,6 @@ public Arguments(String[] args) {
MAC_SIGNING_KEYCHAIN ("mac-signing-keychain",
OptionCategories.PLATFORM_MAC),

MAC_APP_STORE_ENTITLEMENTS ("mac-app-store-entitlements",
OptionCategories.PLATFORM_MAC),

WIN_MENU_HINT ("win-menu", OptionCategories.PLATFORM_WIN, () -> {
setOptionValue("win-menu", true);
}),
@@ -109,12 +109,9 @@
options.put(CLIOptions.MAC_SIGN.getId(), USE.ALL);
options.put(CLIOptions.MAC_BUNDLE_NAME.getId(), USE.ALL);
options.put(CLIOptions.MAC_BUNDLE_IDENTIFIER.getId(), USE.ALL);
options.put(CLIOptions.MAC_BUNDLE_SIGNING_PREFIX.getId(),
USE.ALL);
options.put(CLIOptions.MAC_BUNDLE_SIGNING_PREFIX.getId(), USE.ALL);
options.put(CLIOptions.MAC_SIGNING_KEY_NAME.getId(), USE.ALL);
options.put(CLIOptions.MAC_SIGNING_KEYCHAIN.getId(), USE.ALL);
options.put(CLIOptions.MAC_APP_STORE_ENTITLEMENTS.getId(),
USE.ALL);
}

if (Platform.getPlatform() == Platform.LINUX) {
