[jdk19] RFR: 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]

Alexey Semenyuk asemenyuk at openjdk.org
Thu Jul 7 17:17:09 UTC 2022


On Thu, 7 Jul 2022 07:27:56 GMT, Alexander Matveev <almatvee at openjdk.org> wrote:

>> Fixed 3 issues which made signature invalid:
>> - We should not remove .jpackage.xml from signed app image when creating DMG or PKG otherwise it invalidates signature.
>> - .package should be created when app image is generated, so this file can be signed.
>> - Copying predefined app image for DMG and PKG should not follow symbolic links, otherwise several files from runtime (COPYRIGHT and LICENSE) will be copied instead of symbolic links being created, since it invalidates signature as well.
>> 
>> Added additional test to validate signature when DMG or PKG is generated from predefined app image.
>
> Alexander Matveev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
> 
>  - Merge remote-tracking branch 'upstream/master' into JDK-8289030
>  - 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]
>  - 8289030: [macos] app image signature invalid when creating DMG or PKG

Changes requested by asemenyuk (Reviewer).

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacBaseInstallerBundler.java line 171:

> 169:            Files.deleteIfExists(AppImageFile.getPathInAppImage(appDir));
> 170:         }
> 171: 

I think there is no need to modify AbstractAppImageBuilder.java and AppImageBundler.java.
It is sufficient to modify the condition controlling the creation of `.package` file:

if (predefinedImage == null
        || (!StandardBundlerParam.isRuntimeInstaller(params)
            && !AppImageFile.load(predefinedImage).isSigned())) {
    new PackageFile(APP_NAME.fetchFrom(params)).save(
        ApplicationLayout.macAppImage().resolveAt(appDir));
    Files.deleteIfExists(AppImageFile.getPathInAppImage(appDir));
}

Besides, the `.package` file logically doesn't belong to the app image, it belongs to the installed application, so it must not be referenced from the classes creating app images.

test/jdk/tools/jpackage/macosx/SigningPackageTwoStepTest.java line 87:

> 85:     private static void verifyAppImageInDMG(JPackageCommand cmd) {
> 86:         MacHelper.withExplodedDmg(cmd, dmgImage -> {
> 87:             Path launcherPath = dmgImage.resolve(Path.of("Contents", "MacOS", cmd.name()));

I'd replace it with `ApplicationLayout.macAppImage().resolveAt(dmgImage).launchersDirectory(cmd.name())`

-------------

PR: https://git.openjdk.org/jdk19/pull/89
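
The symbolic-link issue from the PR description, as an added example that is not part of this message or of the jpackage sources: copying a bundle while following links turns a symlink into a regular file, so the copied tree no longer matches the one that was signed. The class name, the bundle layout and the file contents are constructed for the illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;
import java.util.stream.Stream;

// Added illustration, not jpackage code. The bundle layout below is constructed.
public class SymlinkCopyDemo {

    // Record each entry as "relative path -> kind" so a symlink and a regular file differ.
    static SortedMap<String, String> manifest(Path root) throws IOException {
        SortedMap<String, String> m = new TreeMap<>();
        try (Stream<Path> s = Files.walk(root)) { // Files.walk does not follow links by default
            for (Path p : (Iterable<Path>) s::iterator) {
                if (p.equals(root)) continue;
                String kind = Files.isSymbolicLink(p) ? "symlink -> " + Files.readSymbolicLink(p)
                        : Files.isDirectory(p, LinkOption.NOFOLLOW_LINKS) ? "dir" : "file";
                m.put(root.relativize(p).toString(), kind);
            }
        }
        return m;
    }

    // Copy a tree. With followLinks == false a symlink is recreated as a symlink.
    static void copyTree(Path src, Path dst, boolean followLinks) throws IOException {
        CopyOption[] opts = followLinks ? new CopyOption[0]
                : new CopyOption[] { LinkOption.NOFOLLOW_LINKS };
        try (Stream<Path> s = Files.walk(src)) {
            for (Path p : (Iterable<Path>) s::iterator) {
                Path target = dst.resolve(src.relativize(p).toString());
                if (Files.isDirectory(p, LinkOption.NOFOLLOW_LINKS)) Files.createDirectories(target);
                else Files.copy(p, target, opts);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("appimage-demo");
        Path app = tmp.resolve("Demo.app");
        Path legal = Files.createDirectories(app.resolve("Contents/runtime/legal"));
        Files.writeString(legal.resolve("LICENSE"), "constructed license text\n");
        Files.createSymbolicLink(app.resolve("Contents/runtime/LICENSE"), Path.of("legal/LICENSE"));

        Path followed = tmp.resolve("followed"), preserved = tmp.resolve("preserved");
        copyTree(app, followed, true);
        copyTree(app, preserved, false);
        System.out.println("followed matches original:  " + manifest(app).equals(manifest(followed)));
        System.out.println("preserved matches original: " + manifest(app).equals(manifest(preserved)));
    }
}
```

Only the copy made with `LinkOption.NOFOLLOW_LINKS` reproduces the original entry kinds; comparing such a manifest before and after packaging is a cheap pre-check ahead of verifying the signature of the image inside the DMG or PKG.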

