Signing shared libraries and questions about loading
Armin Schrenk
armin.schrenk at skymatic.de
Wed Nov 16 14:29:12 UTC 2022
Hello,
for our application, a customer reported that the shared libraries (in
this case DLLs) used by JFX are unsigned and thus were blocked from
loading, which blocks the app from starting. The culprit for blocking is
a new security feature for Windows 11, Smart App Control
(https://support.microsoft.com/en-gb/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003).
Since this feature seems to be a future part of Windows, i suggest to
sign the shared libs before the maven release. In our case, the archive
javafx-graphics-*-win.jar contains the DLLs.
Apart from this feature request, we want to fix the issue on our side.
To do that, I investigated into the sharedLib loading of JFX.
SharedLib Loading is in JFX is done with the NativeLibLoader
(https://github.com/openjdk/jfx/blob/19+11/modules/javafx.graphics/src/main/java/com/sun/glass/utils/NativeLibLoader.java).
It does the following to load the native lib:
1. Load the DLLs from a certain path (see below)
2. On Failure, load the DLLs from a resource (aka the jar) by extracting
them to a cache directory and load them from there
3. On Failure, do other stuff not of interest
Our app is modular (or as much as possible), thus, the DLLs were always
loaded from the resource. But this extract-and-cache approach is
unsatisfying from our point of view. The app uses a custom JRE via jlink
and is packaged with jpackage, and we would like to place the sharedLibs
at build time somewhere in the app directory.
So I had to figure out the where to place the DLLs, or more
specifically, what path is checked in Step 1 of shared libLoading.
Reading the inline comment starting at line 117, it should be the same
dir as the jar is placed. Unfortunately, this is not the case and i had
to dig more through the code to find out.
Our app has the following structure:
|- JarsAndMods
| - Mods
| - modul1.jar
| - modul2.jar
| - ...
| - javafx-graphics-XXX-win.jar
| - ...
| - nonModular1.jar
| - nonModular2.jar
| - ...
|- executable
According to the comment, the path to place all DLLs should be
/JarsAndMods/Mods.
But verbose logging showed and later proofed by the code, it has to be
/JarsAndMods/bin.
My questions are:
Why does JFX require only for Windows the `../bin` directory?
Additionally, this inline comment has a FIXME that Step 1 of
SharedLibLoading should be removed in the future. Is there already an ETA?
And lastly, I would love to see some Documentation for this. I can write
it and create the PR, but where should it be placed?
Best wishes,
Armin
More information about the openjfx-dev
mailing list