RFR: 8271868: Warn user when using mac-sign option with unsigned app-image.

[Andy Herrick]

On Wed, 4 Aug 2021 20:00:37 GMT, Andy Herrick <herrick at openjdk.org> wrote:

> 8271868: Warn user when using mac-sign option with unsigned app-image.

The purpose of this change is to catch the case (and emit a warning) when user creates an app-image w/o using --mac-sign, and then uses that app image to build a pkg or dmg bundle using --mac-sign.  For this purpose, checking if the main launcher is signed is sufficient.  There is no reason to check all the executables, libraries, and/or Frameworks in the app image., and there is no such thing as signing the app-image itself, also using --deep arg to codesigner is specifically recommended against in all codesigner documentation I have read.
The user can modify the app-image in any way he chooses, possibly invalidating the signing, before using it to create dmg or pkg (or he may create the app-image unsigned, and manually sign all or any part of it.  This really has nothing to do with this change.  The app-image can still be used to create a dmg or pkg using --mac-sign or not.

The alternative of recording if the app-image was created with --app-sign in the AppImageFile is a reasonable alternative to verifying the signing of the main launchers

-------------

PR: https://git.openjdk.java.net/jdk/pull/5004