8277494: [BACKOUT] JDK-8276150 Quarantined jpackage apps are labeled as "damaged"

Reviewed-by: asemenyuk, tschatzl
Daniel D. Daugherty 2021-11-19 22:37:28 +00:00
parent 2ab43ec242
commit c79a485f1c
2 changed files with 33 additions and 80 deletions


@ -329,8 +329,7 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder {
} }
copyRuntimeFiles(params); copyRuntimeFiles(params);
sign(params);
doSigning(params);
} }
private void copyRuntimeFiles(Map<String, ? super Object> params) private void copyRuntimeFiles(Map<String, ? super Object> params)
@ -356,12 +355,7 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder {
} }
} }
private void doSigning(Map<String, ? super Object> params) private void sign(Map<String, ? super Object> params) throws IOException {
throws IOException {
// signing or not, unsign first ...
unsignAppBundle(params, root);
if (Optional.ofNullable( if (Optional.ofNullable(
SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) { SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) {
try { try {
@ -653,52 +647,7 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder {
IOUtils.exec(pb); IOUtils.exec(pb);
} }
private static void unsignAppBundle(Map<String, ? super Object> params, static void signAppBundle(
Path appLocation) throws IOException {
// unsign all dylibs and executables
try (Stream<Path> stream = Files.walk(appLocation)) {
stream.peek(path -> { // fix permissions
try {
Set<PosixFilePermission> pfp =
Files.getPosixFilePermissions(path);
if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) {
pfp = EnumSet.copyOf(pfp);
pfp.add(PosixFilePermission.OWNER_WRITE);
Files.setPosixFilePermissions(path, pfp);
}
} catch (IOException e) {
Log.verbose(e);
}
}).filter(p -> Files.isRegularFile(p) &&
(Files.isExecutable(p) || p.toString().endsWith(".dylib"))
&& !(p.toString().contains("dylib.dSYM/Contents"))
).forEach(p -> {
// If p is a symlink then skip.
if (Files.isSymbolicLink(p)) {
Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString()));
} else {
List<String> args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--remove-signature", p.toString()));
try {
Set<PosixFilePermission> oldPermissions =
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);
Files.setPosixFilePermissions(p,oldPermissions);
} catch (IOException ioe) {
Log.verbose(ioe);
return;
}
}
});
}
}
private static void signAppBundle(
Map<String, ? super Object> params, Path appLocation, Map<String, ? super Object> params, Path appLocation,
String signingIdentity, String identifierPrefix, Path entitlements) String signingIdentity, String identifierPrefix, Path entitlements)
throws IOException { throws IOException {
@ -733,7 +682,29 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder {
Log.verbose(MessageFormat.format(I18N.getString( Log.verbose(MessageFormat.format(I18N.getString(
"message.ignoring.symlink"), p.toString())); "message.ignoring.symlink"), p.toString()));
} else { } else {
List<String> args = new ArrayList<>(); List<String> args;
// runtime and Framework files will be signed below
// but they need to be unsigned first here
if ((p.toString().contains("/Contents/runtime")) ||
(p.toString().contains("/Contents/Frameworks"))) {
args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign",
"--remove-signature", p.toString()));
try {
Set<PosixFilePermission> oldPermissions =
Files.getPosixFilePermissions(p);
p.toFile().setWritable(true, true);
ProcessBuilder pb = new ProcessBuilder(args);
IOUtils.exec(pb);
Files.setPosixFilePermissions(p,oldPermissions);
} catch (IOException ioe) {
Log.verbose(ioe);
toThrow.set(ioe);
return;
}
}
args = new ArrayList<>();
args.addAll(Arrays.asList("/usr/bin/codesign", args.addAll(Arrays.asList("/usr/bin/codesign",
"--timestamp", "--timestamp",
"--options", "runtime", "--options", "runtime",
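Review bot: In the restored unsign step inside the `forEach` of `signAppBundle`, `Files.setPosixFilePermissions(p,oldPermissions)` is reached only when `IOUtils.exec(pb)` succeeds. A failing `codesign --remove-signature` therefore leaves the file with the owner-write bit that `p.toFile().setWritable(true, true)` just added. Restoring in a `finally` keeps the bundle's permissions unchanged on the error path: `try { IOUtils.exec(pb); } finally { Files.setPosixFilePermissions(p, oldPermissions); }`. Separately, the `contains("/Contents/runtime")` and `contains("/Contents/Frameworks")` tests match that text anywhere in the path string, so a comparison against directories resolved from `appLocation` would be more precise. `signAppBundle` begins and ends outside this hunk.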


@ -22,11 +22,8 @@
*/ */
import java.nio.file.Path; import java.nio.file.Path;
import java.util.List;
import jdk.jpackage.test.JPackageCommand; import jdk.jpackage.test.JPackageCommand;
import jdk.jpackage.test.Annotations.Test; import jdk.jpackage.test.Annotations.Test;
import jdk.jpackage.test.Annotations.Parameters;
/** /**
* Tests generation of app image with --mac-sign and related arguments. Test will * Tests generation of app image with --mac-sign and related arguments. Test will
@ -60,36 +57,21 @@ import jdk.jpackage.test.Annotations.Parameters;
*/ */
public class SigningAppImageTest { public class SigningAppImageTest {
final boolean doSign;
public SigningAppImageTest(String flag) {
this.doSign = "true".equals(flag);
}
@Parameters
public static List<Object[]> data() {
return List.of(new Object[][] {{"true"}, {"false"}});
}
@Test @Test
public void test() throws Exception { public static void test() throws Exception {
SigningCheck.checkCertificates(); SigningCheck.checkCertificates();
JPackageCommand cmd = JPackageCommand.helloAppImage(); JPackageCommand cmd = JPackageCommand.helloAppImage();
if (doSign) { cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
cmd.addArguments("--mac-sign", "--mac-signing-key-user-name", SigningBase.DEV_NAME, "--mac-signing-keychain",
SigningBase.DEV_NAME, "--mac-signing-keychain", SigningBase.KEYCHAIN);
SigningBase.KEYCHAIN);
}
cmd.executeAndAssertHelloAppImageCreated(); cmd.executeAndAssertHelloAppImageCreated();
Path launcherPath = cmd.appLauncherPath(); Path launcherPath = cmd.appLauncherPath();
SigningBase.verifyCodesign(launcherPath, doSign); SigningBase.verifyCodesign(launcherPath, true);
Path appImage = cmd.outputBundle(); Path appImage = cmd.outputBundle();
SigningBase.verifyCodesign(appImage, doSign); SigningBase.verifyCodesign(appImage, true);
if (doSign) { SigningBase.verifySpctl(appImage, "exec");
SigningBase.verifySpctl(appImage, "exec");
}
} }
} }
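Review bot: With the `doSign` parameterization dropped, `test()` exercises only the `--mac-sign` path, and nothing in this class asserts the signature state of an app image built without signing, which is the case JDK-8276150 concerned. A short comment above `test()` would record that gap for whoever re-lands the fix, for example `// Unsigned app image is not verified here; see JDK-8276150.` The `verifyCodesign(..., false)` checks would presumably need to return together with the fix.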