RFR: 8332110: [macos] jpackage tries to sign added files without the --mac-sign option [v2]

Alexey Semenyuk asemenyuk at openjdk.org
Fri May 31 03:06:07 UTC 2024


On Thu, 30 May 2024 22:54:12 GMT, Alexander Matveev <almatvee at openjdk.org> wrote:

>> This issue is reproducible with and without `--mac-sign`. jpackage will "_ad-hoc_" sign the application bundle when `--mac-sign` is not specified, by using the pseudo-identity "_-_". This is why jpackage tries to sign added files, and this is expected behavior by jpackage. "codesign" fails since the added content made the application bundle structure invalid. There is nothing we can do on the jpackage side to sign such invalid bundles. As a proposed solution, we will output a possible reason for the "codesign" failure, if it fails and `--app-content` was specified, along with a possible solution. Proposed message: "One of the possible reason for "codesign" failure is additional content provided via "--app-content", which made application bundle structure invalid. Make sure to provide additional content in a way it will not break application bundle structure, otherwise add additional content as post-processing step."
>> 
>> Example:
>> Let's assume we have a "ReadMe" folder with a "ReadMe.txt" file in it.
>> 1) jpackage --type app-image -n Test --app-content ReadMe/ReadMe.txt ...
>> "codesign" will fail with "In subcomponent: Test.app/Contents/ReadMe.txt". This is expected, and "ReadMe.txt" is placed in "Test.app/Contents", which is also expected.
>> 2) jpackage --type app-image -n Test --app-content ReadMe ...
>> Works and "ReadMe.txt" will be placed under "Test.app/Contents/ReadMe".
>> 
>> Sample output before fix:
>> 
>> Error: "codesign" failed with following output:
>> Test.app: replacing existing signature
>> Test.app: code object is not signed at all
>> In subcomponent: Test.app/Contents/ReadMe.txt
>> 
>> 
>> Sample output after fix:
>> 
>> "codesign" failed and additional application content was supplied via the "--app-content" parameter. Probably the additional content broke the integrity of the application bundle and caused the failure. Ensure content supplied via the "--app-content" parameter does not break the integrity of the application bundle, or add it in the post-processing step.
>> Error: "codesign" failed with following output:
>> Test.app: replacing existing signature
>> Test.app: code object is not signed at all
>> In subcomponent: Test.app/Contents/ReadMe.txt
>
> Alexander Matveev has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8332110: jpackage tries to sign added files without the --mac-sign option [v2]

Marked as reviewed by asemenyuk (Reviewer).

test/jdk/tools/jpackage/macosx/SigningOptionsTest.java line 97:

> 95:                     new String[]{"--app-content", TEST_DUKE},
> 96:                     null,
> 97:                     "\"codesign\" failure is additional content provided via \"--app-content\""},

Why is this not a `One of the possible reason for "{0}" failure is additional content provided via "--app-content"`?

-------------

PR Review: https://git.openjdk.org/jdk/pull/19377#pullrequestreview-2088429523
PR Review Comment: https://git.openjdk.org/jdk/pull/19377#discussion_r1620824169

