RFR: 8286850: [macos] Add support for signing user provided app image [v2]

Tue Jun 7 05:26:20 UTC 2022

Hi Michael,

See below.

On Jun 5, 2022, at 5:58 PM, Michael Hall <mik3hall at gmail.com<mailto:mik3hall at gmail.com>> wrote:

./build/*/images/jdk/bin/jpackage --app-image ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app --mac-sign --mac-signing-key-user-name "Developer ID Application: Michael Hall (5X6BXQB3Q7)"
Bundler Mac DMG Package skipped because of a configuration problem: When using an external app image you must specify the app name.
Advice to fix: Set the app name via the -name CLI flag, the fx:application/@name ANT attribute, or via the 'appName' bundler argument.

./build/*/images/jdk/bin/jpackage --app-image ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app --mac-sign --mac-signing-key-user-name "Developer ID Application: Michael Hall (5X6BXQB3Q7)" --name HalfPipe
Warning: Using unsigned app-image to build signed dmg.

*** The app-image was actually a signed one. I’m not sure that matters. Also since this would normally be my intention should there be a warning? ***

codesign -v --verbose=4 ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app
/Users/mjh/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app: valid on disk
/Users/mjh/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app: satisfies its Designated Requirement

*** Seems successful ***

Thanks again.

Possibly my mistake somehow but codesign seems to flag something if the application is actually unsigned.

${PACKAGER} \
--verbose \
   --add-modules java.desktop,java.prefs,java.se<http://java.se> \
   --type app-image \
--input ./input \
--app-version 1.0  \
--name BlackJack\ Blastoff_Unsigned \
--main-jar bjb.jar \
--main-class org.bjb.BlackJackApp \
--java-options '-Xmx1024m -XX:+UseG1GC -XX:MaxGCPauseMillis=50  -Dapple.laf.useScreenMenuBar=true -Dcom.apple.mrj.application.apple.menu.about.name=BlackjackBlastoff -Dapple.awt.application.name=Blackjack\ Blastoff’

[19:41:02.231] Creating app package: BlackJack Blastoff_Unsigned.app in /Users/mjh/Blackjack_Blastoff/bjb/bjb_jpkg
[19:41:05.516] Command [PID: -1]:
   jlink --output /Users/mjh/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack Blastoff_Unsigned.app/Contents/runtime/Contents/Home --module-path /Library/Java/JavaVirtualMachines/jdk-18.jdk/Contents/Home/jmods --add-modules java.desktop,java.prefs,java.se<http://java.se> --strip-native-commands --strip-debug --no-man-pages --no-header-files
[19:41:05.517] Output:

[19:41:05.518] Returned: 0

[19:41:05.545] Using default package resource JavaApp.icns [icon] (add BlackJack Blastoff_Unsigned.icns to the resource-dir to customize).
[19:41:05.547] Preparing Info.plist: /Users/mjh/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack Blastoff_Unsigned.app/Contents/Info.plist.
[19:41:05.547] Using default package resource Info-lite.plist.template [Application Info.plist] (add Info.plist to the resource-dir to customize).
[19:41:05.550] Using default package resource Runtime-Info.plist.template [Java Runtime Info.plist] (add Runtime-Info.plist to the resource-dir to customize).
[19:41:05.551] Succeeded in building Mac Application Image package

./build/*/images/jdk/bin/jpackage --app-image ~/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack\ Blastoff_Unsigned.app --mac-sign --mac-signing-key-user-name "Developer ID Application: Michael Hall (5X6BXQB3Q7)" --name BlackJack_Blastoff_Unsigned
Warning: Using unsigned app-image to build signed dmg.

open BlackJack_Blastoff_Unsigned-1.0.dmg

codesign -v --verbose=4 /Volumes/BlackJack_Blastoff_Unsigned/BlackJack\ Blastoff_Unsigned.app
/Volumes/BlackJack_Blastoff_Unsigned/BlackJack Blastoff_Unsigned.app: code has no resources but signature indicates they must be present
This is correct. You generated unsigned application image and then package it into DMG with signing enabled. In this case we will not sign app image. Only installer package will get signed and it applies only to PKG. DMG does not have any signing. This is was same behavior as before JDK-8286850.

You need to sign app image first:
./build/*/images/jdk/bin/jpackage --type app-image --app-image ~/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack\ Blastoff_Unsigned.app --mac-sign --mac-signing-key-user-name "Developer ID Application: Michael Hall (5X6BXQB3Q7)" --name BlackJack_Blastoff_Unsigned

Then run command to generate DMG or PKG. Enable signing if you want PKG to be signed. No need to specify it for DMG if you generating DMG from predefined application image.

As for "code has no resources but signature indicates they must be present” I believe it is due to JDK-8277493 and it was fixed in JDK 19.

I am using the installed jdk18 to create the app-image. Would that need to be done with the same jdk with the changes applied?
Yes, if you need to sign app image after post processing it should be generated with JDK version which contains JDK-8286850 fix. Unless something will change jpackage from JDK 20 should able to sign app image generated by JDK 19, but JDK 19 jpackage will not able to sign app image generated by JDK 18.

This is do to additional values are stored inside .jpackage.xml. As work around add following values into .jpackage.xml:
<main-class>MainClass</main-class> <- Your main class
<app-store>false</app-store> <- true if app image was generated with —mac-app-store.

Thanks,
Alexander