8277494: [BACKOUT] JDK-8276150 Quarantined jpackage apps are labeled as "damaged"

Reviewed-by: asemenyuk, tschatzl
2021-11-19 22:37:28 +00:00 · 2021-11-19 22:37:28 +00:00 · c79a485f1c
commit c79a485f1c
parent 2ab43ec242
2 changed files with 33 additions and 80 deletions
--- a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java
+++ b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java
@ -329,8 +329,7 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder {
        }
        copyRuntimeFiles(params);
-
+        sign(params);
        doSigning(params);
    }
    private void copyRuntimeFiles(Map<String, ? super Object> params)
@ -356,12 +355,7 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder {
        }
    }
-    private void doSigning(Map<String, ? super Object> params)
+    private void sign(Map<String, ? super Object> params) throws IOException {
            throws IOException {
        // signing or not, unsign first ...
        unsignAppBundle(params, root);
        if (Optional.ofNullable(
                SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) {
            try {
@ -653,52 +647,7 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder {
        IOUtils.exec(pb);
    }
-    private static void unsignAppBundle(Map<String, ? super Object> params,
+    static void signAppBundle(
            Path appLocation) throws IOException {
        // unsign all dylibs and executables
        try (Stream<Path> stream = Files.walk(appLocation)) {
            stream.peek(path -> { // fix permissions
                try {
                    Set<PosixFilePermission> pfp =
                            Files.getPosixFilePermissions(path);
                    if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) {
                        pfp = EnumSet.copyOf(pfp);
                        pfp.add(PosixFilePermission.OWNER_WRITE);
                        Files.setPosixFilePermissions(path, pfp);
                    }
                } catch (IOException e) {
                    Log.verbose(e);
                }
            }).filter(p -> Files.isRegularFile(p) &&
                      (Files.isExecutable(p) || p.toString().endsWith(".dylib"))
                      && !(p.toString().contains("dylib.dSYM/Contents"))
                     ).forEach(p -> {
                // If p is a symlink then skip.
                if (Files.isSymbolicLink(p)) {
                    Log.verbose(MessageFormat.format(I18N.getString(
                            "message.ignoring.symlink"), p.toString()));
                } else {
                    List<String> args = new ArrayList<>();
                    args.addAll(Arrays.asList("/usr/bin/codesign",
                            "--remove-signature", p.toString()));
                    try {
                        Set<PosixFilePermission> oldPermissions =
                                Files.getPosixFilePermissions(p);
                        p.toFile().setWritable(true, true);
                        ProcessBuilder pb = new ProcessBuilder(args);
                        IOUtils.exec(pb);
                        Files.setPosixFilePermissions(p,oldPermissions);
                    } catch (IOException ioe) {
                        Log.verbose(ioe);
                        return;
                    }
                }
            });
        }
    }
    private static void signAppBundle(
            Map<String, ? super Object> params, Path appLocation,
            String signingIdentity, String identifierPrefix, Path entitlements)
            throws IOException {
@ -733,7 +682,29 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder {
                    Log.verbose(MessageFormat.format(I18N.getString(
                            "message.ignoring.symlink"), p.toString()));
                } else {
-                    List<String> args = new ArrayList<>();
+                    List<String> args;
                    // runtime and Framework files will be signed below
                    // but they need to be unsigned first here
                    if ((p.toString().contains("/Contents/runtime")) ||
                        (p.toString().contains("/Contents/Frameworks"))) {
                        args = new ArrayList<>();
                        args.addAll(Arrays.asList("/usr/bin/codesign",
                                "--remove-signature", p.toString()));
                        try {
                            Set<PosixFilePermission> oldPermissions =
                                    Files.getPosixFilePermissions(p);
                            p.toFile().setWritable(true, true);
                            ProcessBuilder pb = new ProcessBuilder(args);
                            IOUtils.exec(pb);
                            Files.setPosixFilePermissions(p,oldPermissions);
                        } catch (IOException ioe) {
                            Log.verbose(ioe);
                            toThrow.set(ioe);
                            return;
                        }
                    }
                    args = new ArrayList<>();
                    args.addAll(Arrays.asList("/usr/bin/codesign",
                            "--timestamp",
                            "--options", "runtime",
--- a/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java
+++ b/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java
@ -22,11 +22,8 @@
 */
 import java.nio.file.Path;
 import java.util.List;
 import jdk.jpackage.test.JPackageCommand;
 import jdk.jpackage.test.Annotations.Test;
 import jdk.jpackage.test.Annotations.Parameters;
 /**
 * Tests generation of app image with --mac-sign and related arguments. Test will
@ -60,36 +57,21 @@ import jdk.jpackage.test.Annotations.Parameters;
 */
 public class SigningAppImageTest {
    final boolean doSign;
    public SigningAppImageTest(String flag) {
        this.doSign = "true".equals(flag);
    }
    @Parameters
    public static List<Object[]> data() {
        return List.of(new Object[][] {{"true"}, {"false"}});
    }
    @Test
-    public void test() throws Exception {
+    public static void test() throws Exception {
        SigningCheck.checkCertificates();
        JPackageCommand cmd = JPackageCommand.helloAppImage();
        if (doSign) {
        cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
                SigningBase.DEV_NAME, "--mac-signing-keychain",
                SigningBase.KEYCHAIN);
        }
        cmd.executeAndAssertHelloAppImageCreated();
        Path launcherPath = cmd.appLauncherPath();
-        SigningBase.verifyCodesign(launcherPath, doSign);
+        SigningBase.verifyCodesign(launcherPath, true);
        Path appImage = cmd.outputBundle();
-        SigningBase.verifyCodesign(appImage, doSign);
+        SigningBase.verifyCodesign(appImage, true);
        if (doSign) {
        SigningBase.verifySpctl(appImage, "exec");
    }
 }
 }