RFR: JDK-8237490: [macos] Add support notarizing jpackage app-image and dmg
Alexander Matveev
alexander.matveev at oracle.com
Fri Apr 3 23:29:14 UTC 2020
Hi Andy,
http://cr.openjdk.java.net/~herrick/8237490/webrev.07/test/jdk/tools/jpackage/macosx/base/SigningBase.java.frames.html
Maybe better to check for Catalina case as well, instead of disabling
check. We can assume that on Catalina code 3 and not notarized will
consider as pass. In case if it fails for some other reasons.
Otherwise looks fine.
Thanks,
Alexander
On 4/3/20 7:20 AM, Andy Herrick wrote:
> sorry missing webrev pointer [4]
>
> [4] - http://cr.openjdk.java.net/~herrick/8237490/webrev.07
>
> /Andy
>
> On 4/3/2020 9:24 AM, Andy Herrick wrote:
>> please review this revised webrev [4] to issue [2]
>>
>> The previous version generated a signed app that could be notarized,
>> but then couldn't run because signing the whole app resigned the
>> executable with reduced entitlements.
>>
>> This revision adds back in the entitlements when signing the whole
>> app, as well as fixing the unit test that was failing the spctl call
>> on Catalina due to signed app not being notarized.
>>
>>
>> /Andy
>>
>> On 3/30/2020 1:19 PM, Andy Herrick wrote:
>>> revised with minor fixes as per below - webrev at [3]
>>>
>>> [3] http://cr.openjdk.java.net/~herrick/8237490/webrev.06/
>>>
>>> /Andy
>>>
>>> On 3/28/2020 9:43 AM, Andy Herrick wrote:
>>>>
>>>> On 3/27/2020 5:18 PM, Alexander Matveev wrote:
>>>>> Hi Andy,
>>>>>
>>>>> http://cr.openjdk.java.net/~herrick/8237490/webrev.05/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java.frames.html
>>>>>
>>>>> Line 819,857,902 - Looks like temp debug log message. Remove it or
>>>>> align with rest of code.
>>>> I will fix this.
>>>>> http://cr.openjdk.java.net/~herrick/8237490/webrev.05/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources.properties.frames.html
>>>>>
>>>>> Line 70 - Capital F.
>>>> and this
>>>>>
>>>>> Since we added "--timestamp" and "--options runtime" to codesign,
>>>>> will it work with older Xcode and macOS we planning to support?
>>>> not sure - may need some discussion of what we support and possible
>>>> conditional code here.
>>>>>
>>>>> Do we need any adjustments to signing tests we have?
>>>>
>>>> The existing tests pass, but this is not unexpected (and really
>>>> means nothing) since the signing tests are all skipped unless
>>>> specific test certs are installed on target machine.
>>>>
>>>> We need further discussion how one is expected to provision a
>>>> machine to run these tests.
>>>>
>>>> /Andy
>>>>
>>>>>
>>>>> Otherwise looks fine.
>>>>>
>>>>> Thanks,
>>>>> Alexander
>>>>>
>>>>> On 3/27/20 12:35 PM, Andy Herrick wrote:
>>>>>> Please review the fix to issue [1] at [2].
>>>>>>
>>>>>> This change enables notarization on Mac for dmg images and
>>>>>> app-image zip files.
>>>>>>
>>>>>> /Andy
>>>>>>
>>>>>> [1]: https://bugs.openjdk.java.net/browse/JDK-8237490
>>>>>>
>>>>>> [2]: http://cr.openjdk.java.net/~herrick/8237490
>>>>>>
>>>>>
More information about the core-libs-dev
mailing list