Signing shared libraries and questions about loading

Armin Schrenk armin.schrenk at skymatic.de
Wed Nov 16 14:29:12 UTC 2022 

Hello,

for our application, a customer reported that the shared libraries (in 
this case DLLs) used by JFX are unsigned and thus were blocked from 
loading, which blocks the app from starting. The culprit for blocking is 
a new security feature for Windows 11, Smart App Control 
(https://support.microsoft.com/en-gb/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003). 
Since this feature seems to be a future part of Windows, i suggest to 
sign the shared libs before the maven release. In our case, the archive 
javafx-graphics-*-win.jar contains the DLLs.

Apart from this feature request, we want to fix the issue on our side. 
To do that, I investigated into the sharedLib loading of JFX.

SharedLib Loading is in JFX is done with the NativeLibLoader 
(https://github.com/openjdk/jfx/blob/19+11/modules/javafx.graphics/src/main/java/com/sun/glass/utils/NativeLibLoader.java). 
It does the following to load the native lib:

1. Load the DLLs from a certain path (see below)
2. On Failure, load the DLLs from a resource (aka the jar) by extracting 
them to a cache directory and load them from there
3. On Failure, do other stuff not of interest

Our app is modular (or as much as possible), thus, the DLLs were always 
loaded from the resource. But this extract-and-cache approach is 
unsatisfying from our point of view. The app uses a custom JRE via jlink 
and is packaged with jpackage, and we would like to place the sharedLibs 
at build time somewhere in the app directory.

So I had to figure out the where to place the DLLs, or more 
specifically, what path is checked in Step 1 of shared libLoading. 
Reading the inline comment starting at line 117, it should be the same 
dir as the jar is placed. Unfortunately, this is not the case and i had 
to dig more through the code to find out.

Our app has the following structure:
|- JarsAndMods
     | - Mods
         | - modul1.jar
         | - modul2.jar
         | - ...
         | - javafx-graphics-XXX-win.jar
         | - ...
     | - nonModular1.jar
     | - nonModular2.jar
     | - ...
|- executable

According to the comment, the path to place all DLLs should be 
/JarsAndMods/Mods.
But verbose logging showed and later proofed by the code, it has to be 
/JarsAndMods/bin.

My questions are:

Why does JFX require only for Windows the `../bin` directory?

Additionally, this inline comment has a FIXME that Step 1 of 
SharedLibLoading should be removed in the future. Is there already an ETA?

And lastly, I would love to see some Documentation for this. I can write 
it and create the PR, but where should it be placed?


Best wishes,

Armin

More information about the openjfx-dev mailing list