From c79a485f1c3f9c0c3a79b8847fdcd50a141cd529 Mon Sep 17 00:00:00 2001 From: "Daniel D. Daugherty" Date: Fri, 19 Nov 2021 22:37:28 +0000 Subject: [PATCH] 8277494: [BACKOUT] JDK-8276150 Quarantined jpackage apps are labeled as "damaged" Reviewed-by: asemenyuk, tschatzl --- .../jpackage/internal/MacAppImageBuilder.java | 81 ++++++------------- .../jpackage/macosx/SigningAppImageTest.java | 32 ++------ 2 files changed, 33 insertions(+), 80 deletions(-) diff --git a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java index c89612a260c..f1eed5f5f15 100644 --- a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java +++ b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java @@ -329,8 +329,7 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder { } copyRuntimeFiles(params); - - doSigning(params); + sign(params); } private void copyRuntimeFiles(Map params) @@ -356,12 +355,7 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder { } } - private void doSigning(Map params) - throws IOException { - - // signing or not, unsign first ... - unsignAppBundle(params, root); - + private void sign(Map params) throws IOException { if (Optional.ofNullable( SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) { try { @@ -653,52 +647,7 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder { IOUtils.exec(pb); } - private static void unsignAppBundle(Map params, - Path appLocation) throws IOException { - - // unsign all dylibs and executables - try (Stream stream = Files.walk(appLocation)) { - stream.peek(path -> { // fix permissions - try { - Set pfp = - Files.getPosixFilePermissions(path); - if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) { - pfp = EnumSet.copyOf(pfp); - pfp.add(PosixFilePermission.OWNER_WRITE); - Files.setPosixFilePermissions(path, pfp); - } - } catch (IOException e) { - Log.verbose(e); - } - }).filter(p -> Files.isRegularFile(p) && - (Files.isExecutable(p) || p.toString().endsWith(".dylib")) - && !(p.toString().contains("dylib.dSYM/Contents")) - ).forEach(p -> { - // If p is a symlink then skip. - if (Files.isSymbolicLink(p)) { - Log.verbose(MessageFormat.format(I18N.getString( - "message.ignoring.symlink"), p.toString())); - } else { - List args = new ArrayList<>(); - args.addAll(Arrays.asList("/usr/bin/codesign", - "--remove-signature", p.toString())); - try { - Set oldPermissions = - Files.getPosixFilePermissions(p); - p.toFile().setWritable(true, true); - ProcessBuilder pb = new ProcessBuilder(args); - IOUtils.exec(pb); - Files.setPosixFilePermissions(p,oldPermissions); - } catch (IOException ioe) { - Log.verbose(ioe); - return; - } - } - }); - } - } - - private static void signAppBundle( + static void signAppBundle( Map params, Path appLocation, String signingIdentity, String identifierPrefix, Path entitlements) throws IOException { @@ -733,7 +682,29 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder { Log.verbose(MessageFormat.format(I18N.getString( "message.ignoring.symlink"), p.toString())); } else { - List args = new ArrayList<>(); + List args; + // runtime and Framework files will be signed below + // but they need to be unsigned first here + if ((p.toString().contains("/Contents/runtime")) || + (p.toString().contains("/Contents/Frameworks"))) { + + args = new ArrayList<>(); + args.addAll(Arrays.asList("/usr/bin/codesign", + "--remove-signature", p.toString())); + try { + Set oldPermissions = + Files.getPosixFilePermissions(p); + p.toFile().setWritable(true, true); + ProcessBuilder pb = new ProcessBuilder(args); + IOUtils.exec(pb); + Files.setPosixFilePermissions(p,oldPermissions); + } catch (IOException ioe) { + Log.verbose(ioe); + toThrow.set(ioe); + return; + } + } + args = new ArrayList<>(); args.addAll(Arrays.asList("/usr/bin/codesign", "--timestamp", "--options", "runtime", diff --git a/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java b/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java index a94b449dcba..cd30b24f350 100644 --- a/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java +++ b/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java @@ -22,11 +22,8 @@ */ import java.nio.file.Path; -import java.util.List; - import jdk.jpackage.test.JPackageCommand; import jdk.jpackage.test.Annotations.Test; -import jdk.jpackage.test.Annotations.Parameters; /** * Tests generation of app image with --mac-sign and related arguments. Test will @@ -60,36 +57,21 @@ import jdk.jpackage.test.Annotations.Parameters; */ public class SigningAppImageTest { - final boolean doSign; - - public SigningAppImageTest(String flag) { - this.doSign = "true".equals(flag); - } - - @Parameters - public static List data() { - return List.of(new Object[][] {{"true"}, {"false"}}); - } - @Test - public void test() throws Exception { + public static void test() throws Exception { SigningCheck.checkCertificates(); JPackageCommand cmd = JPackageCommand.helloAppImage(); - if (doSign) { - cmd.addArguments("--mac-sign", "--mac-signing-key-user-name", - SigningBase.DEV_NAME, "--mac-signing-keychain", - SigningBase.KEYCHAIN); - } + cmd.addArguments("--mac-sign", "--mac-signing-key-user-name", + SigningBase.DEV_NAME, "--mac-signing-keychain", + SigningBase.KEYCHAIN); cmd.executeAndAssertHelloAppImageCreated(); Path launcherPath = cmd.appLauncherPath(); - SigningBase.verifyCodesign(launcherPath, doSign); + SigningBase.verifyCodesign(launcherPath, true); Path appImage = cmd.outputBundle(); - SigningBase.verifyCodesign(appImage, doSign); - if (doSign) { - SigningBase.verifySpctl(appImage, "exec"); - } + SigningBase.verifyCodesign(appImage, true); + SigningBase.verifySpctl(appImage, "exec"); } }