RFR: JDK-8237490: [macos] Add support notarizing jpackage app-image and dmg (Andy Herrick)

Andy Herrick andy.herrick at oracle.com
Fri Apr 3 15:31:19 UTC 2020


On 4/3/2020 10:40 AM, James Elliott wrote:
> This sounds promising! I just wanted to check if there is a mechanism to specify a custom set of entitlements needed by the application when running jpackage, in case it needs more than the normal set that Java itself does. Or does Java already ask for every possible entitlement in its original notarization?
>
> Thanks,
>
>    -James
Although there is an existing enhancement request JDK-8241448 to add a 
specific CLI to use a different entitlements file, this code will give 
the user the ability to override entitlements without that CLI using the 
resource override mechanism as follows:

Create a directory (call it RESOURCE_DIR), add to that directory an 
"APP_NAME.entitlements" file containing the entitlements you want, then 
use the CLI options "--name APP_NAME --resource-dir RESOURCE_DIR".

Then when signing APP_NAME this file will be used instead of the builtin 
resource entitlements.plist.

/Andy
>
>> Date: Fri, 3 Apr 2020 10:20:21 -0400
>> From: Andy Herrick <andy.herrick at oracle.com>
>> To: core-libs-dev at openjdk.java.net
>> Subject: Re: RFR: JDK-8237490: [macos] Add support notarizing jpackage
>> 	app-image and dmg
>> Message-ID: <f3571d06-cfc4-ae42-53bc-a304630253f2 at oracle.com>
>> Content-Type: text/plain; charset=utf-8; format=flowed
>>
>> sorry missing webrev pointer [4]
>>
>> [4] - http://cr.openjdk.java.net/~herrick/8237490/webrev.07
>>
>> /Andy
>>
>> On 4/3/2020 9:24 AM, Andy Herrick wrote:
>>> please review this revised webrev [4] to issue [2]
>>>
>>> The previous version generated a signed app that could be notarized,
>>> but then couldn't run because signing the whole app resigned the
>>> executable with reduced entitlements.
>>>
>>> This revision adds back in the entitlements when signing the whole
>>> app, as well as fixing the unit test that was failing the spctl call
>>> on Catalina due to signed app not being notarized.
>>>
>>>
>>> /Andy
>>>
>>> On 3/30/2020 1:19 PM, Andy Herrick wrote:
>>>> revised with minor fixes as per below - webrev at [3]
>>>>
>>>> [3] http://cr.openjdk.java.net/~herrick/8237490/webrev.06/
>>>>
>>>> /Andy
>>>>
>>>> On 3/28/2020 9:43 AM, Andy Herrick wrote:
>>>>> On 3/27/2020 5:18 PM, Alexander Matveev wrote:
>>>>>> Hi Andy,
>>>>>>
>>>>>> http://cr.openjdk.java.net/~herrick/8237490/webrev.05/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java.frames.html
>>>>>>
>>>>>> Line 819,857,902 - Looks like temp debug log message. Remove it or
>>>>>> align with rest of code.
>>>>> I will fix this.
>>>>>> http://cr.openjdk.java.net/~herrick/8237490/webrev.05/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources.properties.frames.html
>>>>>>
>>>>>> Line 70 - Capital F.
>>>>> and this
>>>>>> Since we added "--timestamp" and "--options runtime" to codesign,
>>>>>> will it work with older Xcode and macOS we are planning to support?
>>>>> not sure - may need some discussion of what we support and possible
>>>>> conditional code here.
>>>>>> Do we need any adjustments to signing tests we have?
>>>>> The existing tests pass, but this is not unexpected (and really
>>>>> means nothing) since the signing tests are all skipped unless
>>>>> specific test certs are installed on target machine.
>>>>>
>>>>> We need further discussion how one is expected to provision a
>>>>> machine to run these tests.
>>>>>
>>>>> /Andy
>>>>>
>>>>>> Otherwise looks fine.
>>>>>>
>>>>>> Thanks,
>>>>>> Alexander
>>>>>>
>>>>>> On 3/27/20 12:35 PM, Andy Herrick wrote:
>>>>>>> Please review the fix to issue [1] at [2].
>>>>>>>
>>>>>>> This change enables notarization on Mac for dmg images and
>>>>>>> app-image zip files.
>>>>>>>
>>>>>>> /Andy
>>>>>>>
>>>>>>> [1]: https://bugs.openjdk.java.net/browse/JDK-8237490
>>>>>>>
>>>>>>> [2]: http://cr.openjdk.java.net/~herrick/8237490
>>>>>>>
>>
>> End of core-libs-dev Digest, Vol 156, Issue 12
>> **********************************************
>>
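
The resource override described at the top of this message, as an added example that is not part of the original thread or of the jpackage sources. The app name MyApp, the directory names, app.jar and the choice of entitlement keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. MyApp, the directory names, app.jar and the entitlement
# selection below are assumptions, not values from the thread.

# Write DIR/APP_NAME.entitlements with each given key set to true and
# print the path. The name must match the value passed to --name.
write_entitlements() {
    dir=$1; app=$2; shift 2
    mkdir -p "$dir" || return 1
    out="$dir/$app.entitlements"
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        printf '%s\n' '<plist version="1.0">' '<dict>'
        for key in "$@"; do
            printf '    <key>%s</key>\n    <true/>\n' "$key"
        done
        printf '%s\n' '</dict>' '</plist>'
    } > "$out" || return 1
    printf '%s\n' "$out"
}

# List the keys a file requests, for review before it is used for signing.
list_entitlements() {
    sed -n 's:.*<key>\(.*\)</key>.*:\1:p' "$1"
}

# Print (not run) the jpackage invocation that picks up the override.
jpackage_cmd() {
    printf 'jpackage --type app-image --name %s --resource-dir %s --input %s --main-jar %s --mac-sign\n' \
        "$1" "$2" "$3" "$4"
}

# Demo in a scratch directory. The override replaces the built-in file,
# so it lists everything the app needs: here two entitlements assumed
# to be needed by the JVM plus one app-specific addition.
work=$(mktemp -d)
file=$(write_entitlements "$work/resources" MyApp \
    com.apple.security.cs.allow-jit \
    com.apple.security.cs.allow-unsigned-executable-memory \
    com.apple.security.device.audio-input)
list_entitlements "$file"
jpackage_cmd MyApp "$work/resources" input app.jar
rm -rf "$work"
# On macOS, after packaging, inspect what was actually signed in:
#   codesign -d --entitlements :- MyApp.app
```

Keeping the override file under version control and reviewing the output of `list_entitlements` before each release makes any widening of the app's entitlements visible.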

