No code signature error with the MacOS app bundle #183

Closed
ianbrandt opened this issue Mar 15, 2020 · 9 comments

ianbrandt commented Mar 15, 2020

I'm getting a warning from Little Snitch that a subprocess of VisualVM is not signed:

[Image: visualvm-not-signed]

I downloaded VisualVM from https://github.com/visualvm/visualvm.src/releases/download/2.0/VisualVM_20.dmg

I found this related to packaging and signing Java apps for MacOS: https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/self-contained-packaging.html#BCGJFCAI

I'm on MacOS 10.14.6 (18G3020)

Member

thurka commented Mar 15, 2020

VisualVM is signed. See below:

```
thurka$ codesign --verify --verbose /Volumes/VisualVM\ 2.0/VisualVM.app
/Volumes/VisualVM 2.0/VisualVM.app: valid on disk
/Volumes/VisualVM 2.0/VisualVM.app: satisfies its Designated Requirement

thurka$ spctl --assess --verbose /Volumes/VisualVM\ 2.0/VisualVM.app
/Volumes/VisualVM 2.0/VisualVM.app: accepted
source=Notarized Developer ID
thurka$
```

Author

ianbrandt commented Mar 16, 2020

So it is. I ran the commands above with the slightly different options recommended at https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG211. Everything passes:

```
$ codesign --verify --deep --strict --verbose=2 /Applications/VisualVM.app
/Applications/VisualVM.app: valid on disk
/Applications/VisualVM.app: satisfies its Designated Requirement

$ spctl -a -t exec -vv /Applications/VisualVM.app
/Applications/VisualVM.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Oracle America, Inc. (VB5E2TV963)
```

Looking at the details of the error reported by Little Snitch, it seems that it is for a subprocess (90627) of the main one (90522):

[Image: visualvm-not-signed-2]

It looks like the code signature is not valid for the running subprocess:

```
$ codesign --verify --deep --strict --verbose=2 90627
90627: code identity has been invalidated
```

I found this detailed explanation of another app that had a similar issue, in case it's of any use:

spesmilo/electrum#4994 (comment)

Member

thurka commented Mar 16, 2020

> The MacOS app bundle at https://github.com/visualvm/visualvm.src/releases/download/2.0/VisualVM_20.dmg is not signed.

I am curious, how did you find out that VisualVM is not signed in your original report. It looks like codesign and spctl on your machine show that VisualVM is signed and notarized.

Member

thurka commented Mar 16, 2020

> It looks like the code signature is not valid for the running subprocess:

VisualVM runs on Java, so this subprocess is a Java process - you should see the actual executable via the ps command in the terminal. I guess that your JDK is probably not signed.

Author

ianbrandt commented Mar 16, 2020

> I am curious, how did you find out that VisualVM is not signed in your original report. It looks like codesign and spctl on your machine show that VisualVM is signed and notarized.

I mistakenly assumed the Little Snitch warning from the attached screenshot meant that the App bundle wasn't signed. After your earlier comment showing that it was, I looked at the details for the warning, and that's when I realized it was actually a running subprocess that was invalid per the signature. Indeed, checking the PID with codesign shows that. I'll update the original report so it's not misleading. (Done.)

> VisualVM runs on Java, so this subprocess is a Java process - you should see the actual executable via the ps command in the terminal. I guess that your JDK is probably not signed.

pstree is showing that the VisualVM is running off my install of Amazon Corretto 11 (a distribution of OpenJDK):

```
 |-+= 96060 ibrandt /bin/bash /Applications/VisualVM.app/Contents/Resources/visualvm/platform/lib/nbexec --userdir /Users/ibrandt/Library/Application Support/VisualVM/2.0 --cachedir /Users/ibrandt/Library/Caches/VisualVM/2.0 --jdkhome  -J-Xdock:name=VisualVM -J-Xdock:icon=/Applications/VisualVM.app/Contents/Resources/visualvm/etc/visualvm.icns --branding visualvm --clusters /Applications/VisualVM.app/Contents/Resources/visualvm/visualvm: --laf com.apple.laf.AquaLookAndFeel -J-client -J-Xms24m -J-Xmx768m -J-Dnetbeans.accept_license_class=org.graalvm.visualvm.modules.startup.AcceptLicense -J-Dsun.jvmstat.perdata.syncWaitMs=10000 -J-Dsun.java2d.noddraw=true -J-Dsun.java2d.d3d=false -J-Dorg.netbeans.core.TimeableEventQueue.quantum=360000 -J-Dpolyglot.js.nashorn-compat=true -J-Dsun.misc.URLClassPath.disableJarChecking=true -J--add-exports=java.desktop/sun.awt=ALL-UNNAMED -J--add-exports=jdk.internal.jvmstat/sun.jvmstat.monitor.event=ALL-UNNAMED -J--add-exports=jdk.internal.jvmstat/sun.jvmstat.monitor=ALL-UNNAMED -J--add-exports=java.desktop/sun.swing=ALL-UNNAMED -J--add-exports=jdk.attach/sun.tools.attach=ALL-UNNAMED -J--add-opens=java.base/java.net=ALL-UNNAMED -J--add-opens=java.base/java.lang.ref=ALL-UNNAMED -J--add-opens=java.base/java.lang=ALL-UNNAMED -J--add-opens=java.desktop/javax.swing=ALL-UNNAMED -J--add-opens=java.desktop/javax.swing.plaf.basic=ALL-UNNAMED -J-XX:+IgnoreUnrecognizedVMOptions -psn_0_21144617
 | \--- 96165 ibrandt /Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java -Djdk.home=/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home -classpath /Applications/VisualVM.app/Contents/Resources/visualvm/platform/lib/boot.jar:/Applications/VisualVM.app/Contents/Resources/visualvm/platform/lib/org-openide-modules.jar:/Applications/VisualVM.app/Contents/Resources/visualvm/platform/lib/org-openide-util-lookup.jar:/Applications/VisualVM.app/Contents/Resources/visualvm/platform/lib/org-openide-util-ui.jar:/Applications/VisualVM.app/Contents/Resources/visualvm/platform/lib/org-openide-util.jar -Dnetbeans.default_userdir_root=/Users/ibrandt/Library/Application Support/VisualVM -Dnetbeans.dirs=/Applications/VisualVM.app/Contents/Resources/visualvm/visualvm: -Dnetbeans.home=/Applications/VisualVM.app/Contents/Resources/visualvm/platform -Xdock:name=VisualVM -Xdock:icon=/Applications/VisualVM.app/Contents/Resources/visualvm/etc/visualvm.icns -client -Xms24m -Xmx768m -Dnetbeans.accept_license_class=org.graalvm.visualvm.modules.startup.AcceptLicense -Dsun.jvmstat.perdata.syncWaitMs=10000 -Dsun.java2d.noddraw=true -Dsun.java2d.d3d=false -Dorg.netbeans.core.TimeableEventQueue.quantum=360000 -Dpolyglot.js.nashorn-compat=true -Dsun.misc.URLClassPath.disableJarChecking=true --add-exports=java.desktop/sun.awt=ALL-UNNAMED --add-exports=jdk.internal.jvmstat/sun.jvmstat.monitor.event=ALL-UNNAMED --add-exports=jdk.internal.jvmstat/sun.jvmstat.monitor=ALL-UNNAMED --add-exports=java.desktop/sun.swing=ALL-UNNAMED --add-exports=jdk.attach/sun.tools.attach=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.lang.ref=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.desktop/javax.swing.plaf.basic=ALL-UNNAMED -XX:+IgnoreUnrecognizedVMOptions -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/Users/ibrandt/Library/Application Support/VisualVM/2.0/var/log/heapdump.hprof org.netbeans.Main --cachedir /Users/ibrandt/Library/Caches/VisualVM/2.0 --userdir /Users/ibrandt/Library/Application Support/VisualVM/2.0 --branding visualvm --laf com.apple.laf.AquaLookAndFeel
```

I would have thought the app would bundle its own JRE, but perhaps that's not the up-to-date way to bundle Java apps for Mac. It does appear that Corretto is signed:

```
$ codesign --verify --deep --strict --verbose=2 /Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java
/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java: valid on disk
/Library/Java/JavaVirtualMachines/amazon-corretto-11.jdk/Contents/Home/bin/java: satisfies its Designated Requirement
```

ianbrandt changed the title from "Code sign the MacOS app bundle" to "No code signature error with the MacOS app bundle" on Mar 16, 2020

Member

thurka commented Mar 16, 2020

> I would have thought the app would bundle its own JRE

It does not make sense to bundle a JDK when VisualVM itself is an 18M application.

Member

thurka commented Mar 16, 2020

> I found this detailed explanation of another app that had a similar issue, in case it's of any use:
> spesmilo/electrum#4994 (comment)

Based on the info above I would suspect that the problem is that Corretto links to some unsigned library.
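
One way to run the check suggested in the comment above, as an added example that is not part of the original thread: for a given PID it compares the on-disk signature of the executable with the running process's code identity, then verifies every file `lsof` reports as mapped into the process. The function names are hypothetical, the PID is passed to `codesign` as a bare number as in the thread, and libraries that `lsof` does not list as `txt` entries are not covered; an unsigned library as the cause remains the thread's hypothesis.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on macOS: sh triage.sh <pid>
# Function names are hypothetical; codesign, ps and lsof are the system tools.

# Exit 0 if the signature of a path (or of a running PID) verifies.
sig_ok() {
    codesign --verify --strict "$1" >/dev/null 2>&1
}

# Path of the main executable behind a PID.
exe_of() {
    ps -p "$1" -o comm=
}

# Files mapped into the process ("txt" entries in lsof), one path per line.
mapped_files() {
    lsof -a -p "$1" -d txt -Fn 2>/dev/null | sed -n 's/^n//p'
}

# Print the disk vs. running verdict, then every mapped file that fails to verify.
# Returns 0 only if the running process still has a valid code identity.
triage_pid() {
    pid=$1
    exe=$(exe_of "$pid") || exe=
    [ -n "$exe" ] || { echo "no such process: $pid" >&2; return 2; }
    if sig_ok "$exe"; then disk=valid; else disk=INVALID; fi
    if sig_ok "$pid"; then live=valid; else live=INVALID; fi
    echo "pid=$pid exe=$exe disk=$disk running=$live"
    mapped_files "$pid" | while IFS= read -r f; do
        [ -f "$f" ] || continue
        sig_ok "$f" || echo "fails verification: $f"
    done
    [ "$live" = valid ]
}

if [ $# -gt 0 ]; then triage_pid "$1"; fi
```

A result of `disk=valid running=INVALID` with no failing mapped file means the cause lies outside what this check covers.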

@ianbrandt
Author

Perhaps. I'll see if I can find anything about that.

I'll also attach a sample of the subprocess showing what it's linked to.

[Attachment: Sample of VisualVM.txt]

Member

thurka commented Jun 16, 2020

Closing until more info is available.

thurka closed this as completed on Jun 16, 2020