RFR: 8370126: Improve jpackage signing testing
Alexey Semenyuk
asemenyuk at openjdk.org
Tue Oct 21 00:58:00 UTC 2025
On Tue, 21 Oct 2025 00:50:29 GMT, Alexey Semenyuk <asemenyuk at openjdk.org> wrote:
>> This is what fails:
>>
>> $ /usr/bin/codesign --verify --strict --verbose=2 /Applications/AppContentTest.app
>> /Applications/AppContentTest.app: Permission denied
>>
>> This is what works:
>>
>> $ sudo /usr/bin/codesign --verify --strict --verbose=2 /Applications/AppContentTest.app
>> /Applications/AppContentTest.app: valid on disk
>> /Applications/AppContentTest.app: satisfies its Designated Requirement
>>
>>
>> I can't spot anything suspicious, can you?
>>
>>
>> $ ls -alR /Applications/AppContentTest.app
>> total 0
>> drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
>> drwxrwxr-x 31 root admin 992B Oct 20 20:40 ../
>> drwxr-xr-x 9 root wheel 288B Oct 20 20:40 Contents/
>>
>> /Applications/AppContentTest.app/Contents:
>> total 16
>> drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ./
>> drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ../
>> -rw-r--r-- 1 root wheel 1.3K Oct 20 20:40 Info.plist
>> drwxr-xr-x 3 root wheel 96B Oct 20 20:40 MacOS/
>> -rw-r--r-- 1 root wheel 8B Oct 20 20:40 PkgInfo
>> drwxr-xr-x 5 root wheel 160B Oct 20 20:40 Resources/
>> drwxr-xr-x 3 root wheel 96B Oct 20 20:40 _CodeSignature/
>> drwxr-xr-x 5 root wheel 160B Oct 20 20:40 app/
>> drwxr-xr-x 3 root wheel 96B Oct 20 20:40 runtime/
>>
>> /Applications/AppContentTest.app/Contents/MacOS:
>> total 440
>> drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
>> drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ../
>> -rwxr-xr-x 1 root wheel 217K Oct 20 20:40 AppContentTest*
>>
>> /Applications/AppContentTest.app/Contents/Resources:
>> total 760
>> drwxr-xr-x 5 root wheel 160B Oct 20 20:40 ./
>> drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ../
>> -rw-r--r-- 1 root wheel 370K Oct 20 20:40 AppContentTest.icns
>> -rwx------ 1 root wheel 3.5K Oct 20 20:40 PrintEnv.java*
>> -rwx------ 1 root wheel 1.4K Oct 20 20:40 dukeplug.png*
>>
>> /Applications/AppContentTest.app/Contents/_CodeSignature:
>> total 16
>> drwxr-xr-x 3 root wheel 96B Oct 20 20:40 ./
>> drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ../
>> -rw-r--r-- 1 root wheel 4.7K Oct 20 20:40 CodeResources
>>
>> /Applications/AppContentTest.app/Contents/app:
>> total 32
>> drwxr-xr-x 5 root wheel 160B Oct 20 20:40 ./
>> drwxr-xr-x 9 root wheel 288B Oct 20 20:40 ../
>> -rw-r--r-- 1 root wheel 14B Oct 20 20:40 .package
>> -rw-r--r-- 1 root wheel 121B Oct 20 20:40 AppContentTest.cfg
>> -rw-r--r-- 1 root wheel 4.4K Oct 20 20:40 hello.jar
>>
>> /Applications/AppContentTest.app/Contents/runtime:
>> total 0
>> ...
>
> It always fails for me. This is an unsigned bundle, and we never checked the signature of unsigned bundles before this fix in the tests.
Looks like this is antivirus blocking access to the main launcher:
$ /usr/bin/codesign --verify --strict --verbose=2 /Applications/AppContentTest.app/Contents/MacOS/AppContentTest
/Applications/AppContentTest.app/Contents/MacOS/AppContentTest: Permission denied
$ /usr/bin/codesign --verify --strict --verbose=2 /Applications/AppContentTest.app/Contents/runtime/Contents/MacOS/libjli.dylib
/Applications/AppContentTest.app/Contents/runtime/Contents/MacOS/libjli.dylib: valid on disk
/Applications/AppContentTest.app/Contents/runtime/Contents/MacOS/libjli.dylib: satisfies its Designated Requirement
I tried to run the main launcher:
$ /Applications/AppContentTest.app/Contents/MacOS/AppContentTest
Killed: 9
Next attempt - it is gone. Got deleted by Crowdstrike 100%
$ /Applications/AppContentTest.app/Contents/MacOS/AppContentTest
-bash: /Applications/AppContentTest.app/Contents/MacOS/AppContentTest: No such file or directory
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27875#discussion_r2446466264
More information about the core-libs-dev
mailing list