RFR: 8370126: Improve jpackage signing testing
Alexey Semenyuk
asemenyuk at openjdk.org
Tue Oct 21 00:53:03 UTC 2025
On Tue, 21 Oct 2025 00:02:25 GMT, Alexander Matveev <almatvee at openjdk.org> wrote:
>> - Rework the SigningPackageTwoStepTest test to cover the case of bundling an unsigned predefined app image into a signed .pkg installer; make it verify expected warnings in the jpackage output.
>>
>> - All jpackage tests will verify that without "--mac-sign" option, jpackage produces app images with a valid "adhoc" signature.
>>
>> Additionally:
>> - Fix jpackage to make it emit messages expected in the updated SigningPackageTwoStepTest test.
>> - Add helper code for signing testing.
>> - Automatically unlock jpackage test keychains in all signing tests.
>> - Add a workaround for the `/usr/bin/codesign—-verify` command, which sometimes fails if executed without `sudo`.
>
> test/jdk/tools/jpackage/helpers/jdk/jpackage/test/MacSignVerify.java line 205:
>
>> 203: // It is known to fail for some AppContentTest test cases and all FileAssociationsTest test cases.
>> 204: // Rerunning the command with "sudo" works, though.
>> 205: return str.equals(String.format("%s: Permission denied", path));
>
> Did you check permissions on generated application bundles in case of failure vs when it pass? Maybe we have issue with permissions in generated application images and by doing work around we hiding current bug or potential bugs.
This is what fails:
$ /usr/bin/codesign --verify --strict --verbose=2 /Applications/AppContentTest.app
/Applications/AppContentTest.app: Permission denied
This is what works:
$ sudo /usr/bin/codesign --verify --strict --verbose=2 /Applications/AppContentTest.app
/Applications/AppContentTest.app: valid on disk
/Applications/AppContentTest.app: satisfies its Designated Requirement
I can't spot anything suspicious, can you?
$ ls -alR /Applications/AppContentTest.app
total 0
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
drwxrwxr-x 31 root admin 992B Oct 20 20:40 ../
drwxr-xr-x 9 root wheel 288B Oct 20 20:40 Contents/
/Applications/AppContentTest.app/Contents:
total 16
drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ./
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ../
-rw-r--r-- 1 root wheel 1.3K Oct 20 20:40 Info.plist
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 MacOS/
-rw-r--r-- 1 root wheel 8B Oct 20 20:40 PkgInfo
drwxr-xr-x 5 root wheel 160B Oct 20 20:40 Resources/
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 _CodeSignature/
drwxr-xr-x 5 root wheel 160B Oct 20 20:40 app/
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 runtime/
/Applications/AppContentTest.app/Contents/MacOS:
total 440
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ../
-rwxr-xr-x 1 root wheel 217K Oct 20 20:40 AppContentTest*
/Applications/AppContentTest.app/Contents/Resources:
total 760
drwxr-xr-x 5 root wheel 160B Oct 20 20:40 ./
drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ../
-rw-r--r-- 1 root wheel 370K Oct 20 20:40 AppContentTest.icns
-rwx------ 1 root wheel 3.5K Oct 20 20:40 PrintEnv.java*
-rwx------ 1 root wheel 1.4K Oct 20 20:40 dukeplug.png*
/Applications/AppContentTest.app/Contents/_CodeSignature:
total 16
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ../
-rw-r--r-- 1 root wheel 4.7K Oct 20 20:40 CodeResources
/Applications/AppContentTest.app/Contents/app:
total 32
drwxr-xr-x 5 root wheel 160B Oct 20 20:40 ./
drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ../
-rw-r--r-- 1 root wheel 14B Oct 20 20:40 .package
-rw-r--r-- 1 root wheel 121B Oct 20 20:40 AppContentTest.cfg
-rw-r--r-- 1 root wheel 4.4K Oct 20 20:40 hello.jar
/Applications/AppContentTest.app/Contents/runtime:
total 0
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ../
drwxr-xr-x 6 root wheel 192B Oct 20 20:40 Contents/
/Applications/AppContentTest.app/Contents/runtime/Contents:
total 8
drwxr-xr-x 6 root wheel 192B Oct 20 20:40 ./
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ../
drwxr-xr-x 4 root wheel 128B Oct 20 20:40 Home/
-rw-r--r-- 1 root wheel 835B Oct 20 20:40 Info.plist
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 MacOS/
drwxr-xr-x 7 root wheel 224B Oct 20 20:40 _CodeSignature/
/Applications/AppContentTest.app/Contents/runtime/Contents/Home:
total 0
drwxr-xr-x 4 root wheel 128B Oct 20 20:40 ./
drwxr-xr-x 6 root wheel 192B Oct 20 20:40 ../
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 bin/
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 lib/
/Applications/AppContentTest.app/Contents/runtime/Contents/Home/bin:
total 8
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
drwxr-xr-x 4 root wheel 128B Oct 20 20:40 ../
-rw-r--r-- 1 root wheel 4.0K Oct 20 20:40 bulk
/Applications/AppContentTest.app/Contents/runtime/Contents/Home/lib:
total 0
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
drwxr-xr-x 4 root wheel 128B Oct 20 20:40 ../
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 jli/
/Applications/AppContentTest.app/Contents/runtime/Contents/Home/lib/jli:
total 8
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ../
-rw-r--r--@ 1 root wheel 4.0K Oct 20 20:40 libjli.dylib
/Applications/AppContentTest.app/Contents/runtime/Contents/MacOS:
total 8
drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
drwxr-xr-x 6 root wheel 192B Oct 20 20:40 ../
-rw-r--r-- 1 root wheel 4.0K Oct 20 20:40 libjli.dylib
/Applications/AppContentTest.app/Contents/runtime/Contents/_CodeSignature:
total 32
drwxr-xr-x 7 root wheel 224B Oct 20 20:40 ./
drwxr-xr-x 6 root wheel 192B Oct 20 20:40 ../
-rw-r--r-- 1 root wheel 134B Oct 20 20:40 CodeDirectory
-rw-r--r-- 1 root wheel 12B Oct 20 20:40 CodeRequirements
-rw-r--r-- 1 root wheel 182B Oct 20 20:40 CodeRequirements-1
-rw-r--r-- 1 root wheel 2.6K Oct 20 20:40 CodeResources
-rw-r--r-- 1 root wheel 0B Oct 20 20:40 CodeSignature
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27875#discussion_r2446457329
More information about the core-libs-dev
mailing list