RFR: 8332110: [macos] jpackage tries to sign added files without the --mac-sign option
Alexander Matveev
alexander.matveev at oracle.com
Fri May 24 21:14:40 UTC 2024
Hi Michael,
> Doesn’t this still leave you with an application that isn’t validly signed? And probably won’t run because of that.
Yes, it will leave you with an application that isn’t signed. I was able to run such an application on the same machine as it was generated by jpackage.
> For your example. This almost seems like an Apple bug if you can add a directory to the Contents directory but not a file?
Not sure if it is an Apple bug.
> Would it also generally be a good idea to include a final codesign verify to fail the build if something is wrong with the signature?
Yes, you already suggested it. See https://bugs.openjdk.org/browse/JDK-8318063 and it was closed as won’t fix because such verification is redundant.
Thanks,
Alexander
From: Michael Hall <mik3hall at gmail.com>
Date: Friday, May 24, 2024 at 1:47 AM
To: Alexander Matveev <almatvee at openjdk.org>
Cc: core-libs-dev <core-libs-dev at openjdk.org>
Subject: Re: RFR: 8332110: [macos] jpackage tries to sign added files without the --mac-sign option
On May 24, 2024, at 3:08 AM, Michael Hall <mik3hall at gmail.com> wrote:
On May 23, 2024, at 8:13 PM, Alexander Matveev <almatvee at openjdk.org> wrote:
otherwise add additional content as post-processing step.
Doesn’t this still leave you with an application that isn’t validly signed? And probably won’t run because of that.
2) jpackage --type app-image -n Test --app-content ReadMe ...
For your example. This almost seems like an Apple bug if you can add a directory to the Contents directory but not a file?
Sorry I made my prior off-list.
Would it also generally be a good idea to include a final codesign verify to fail the build if something is wrong with the signature?
Something like…
echo '*******************'
echo 'verifying signature'
echo '*******************'
codesign -v --verbose=4 outputdir/HalfPipe.app
Expected output…
*******************
verifying signature
*******************
outputdir/HalfPipe.app: valid on disk
outputdir/HalfPipe.app: satisfies its Designated Requirement
I think I have suggested this before but don’t remember if I did an enhancement request. Maybe you do that and I’m just not aware of it if it doesn’t appear in the jpackage output.
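The verification step discussed in this thread can be turned into a build gate that tells apart the two outcomes mentioned: a bundle that is not signed at all and a bundle whose signature no longer matches its contents. This is an added example, not code from the thread or from jpackage; the `CODESIGN` and `ALLOW_UNSIGNED` variables and both function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: signature gate to run after jpackage and any post-processing.
# CODESIGN (hypothetical) lets a stand-in replace the macOS codesign tool.
# ALLOW_UNSIGNED (hypothetical) = 1 accepts a bundle that carries no signature.

# Print one of: valid | unsigned | invalid | error
classify_signature() {
    bundle=$1
    rc=0
    # codesign writes its report to stderr; same flags as in the thread.
    out=$("${CODESIGN:-codesign}" -v --verbose=4 "$bundle" 2>&1) || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo valid
    elif printf '%s\n' "$out" | grep -q 'not signed at all'; then
        # No signature present, e.g. an app image built without signing.
        echo unsigned
    elif [ "$rc" -eq 1 ]; then
        # Signature present but verification failed, e.g. files were
        # added to the bundle after it was signed.
        echo invalid
    else
        # Bad arguments, missing tool, unreadable path, and so on.
        echo error
    fi
}

# Return 0 when the build may continue, non-zero when it must fail.
gate_bundle() {
    state=$(classify_signature "$1")
    echo "signature state of $1: $state" >&2
    case $state in
        valid)    return 0 ;;
        unsigned) [ "${ALLOW_UNSIGNED:-0}" = 1 ] ;;
        *)        return 1 ;;
    esac
}

# Script usage: ./verify-signature.sh outputdir/HalfPipe.app
if [ "$#" -gt 0 ]; then
    gate_bundle "$1" || exit 1
fi
```

A broken signature always fails the gate; only the "no signature" case is a policy choice, which suits local test builds that are never distributed.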