On Thu, 7 Jul 2022 07:27:56 GMT, Alexander Matveev <almat...@openjdk.org> wrote:
>> Fixed 3 issues which made signature invalid:
>> - We should not remove .jpackage.xml from signed app image when creating DMG
>> or PKG otherwise it invalidates signature.
>> - .package should be created when app image is generated, so this file can
>> be signed.
>> - Copying predefined app image for DMG and PKG should not follow symbolic
>> links, otherwise several files from runtime (COPYRIGHT and LICENSE) will be
>> copied instead of symbolic links being created, since it invalidates
>> signature as well.
>>
>> Added additional test to validate signature when DMG or PKG is generated
>> from predefined app image.
>
> Alexander Matveev has updated the pull request with a new target base due to
> a merge or a rebase. The incremental webrev excludes the unrelated changes
> brought in by the merge/rebase. The pull request contains three additional
> commits since the last revision:
>
> - Merge remote-tracking branch 'upstream/master' into JDK-8289030
> - 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]
> - 8289030: [macos] app image signature invalid when creating DMG or PKG

Changes requested by asemenyuk (Reviewer).

src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacBaseInstallerBundler.java line 171:

> 169:                     Files.deleteIfExists(AppImageFile.getPathInAppImage(appDir));
> 170:                 }
> 171:

I think there is no need to modify AbstractAppImageBuilder.java, and AppImageBundler.java.
It is sufficient to modify the condition controlling the creation of `.package` file:

    if (predefinedImage == null || (!StandardBundlerParam.isRuntimeInstaller(params) && !AppImageFile.load(predefinedImage).isSigned())) {
        new PackageFile(APP_NAME.fetchFrom(params)).save(
                ApplicationLayout.macAppImage().resolveAt(appDir));
        Files.deleteIfExists(AppImageFile.getPathInAppImage(appDir));
    }

Besides, `.package` file logically doesn't belong to app image, it belongs to the installed application, so it must not be referenced from the classes creating app images.

test/jdk/tools/jpackage/macosx/SigningPackageTwoStepTest.java line 87:

> 85:     private static void verifyAppImageInDMG(JPackageCommand cmd) {
> 86:         MacHelper.withExplodedDmg(cmd, dmgImage -> {
> 87:             Path launcherPath = dmgImage.resolve(Path.of("Contents", "MacOS", cmd.name()));

I'd replace it with `ApplicationLayout.macAppImage().resolveAt(dmgImage).launchersDirectory(cmd.name())`

-------------

PR: https://git.openjdk.org/jdk19/pull/89
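
Added example, not part of the original message and not jpackage's own code: the third issue in the quoted description (copying a signed image must not follow symbolic links) shown with plain `java.nio.file` calls. The class name `CopyPreservingLinks`, the helper `copyTree` and the sample tree are assumptions constructed for illustration; it needs a file system that allows creating symbolic links.

```java
import java.io.IOException;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.BasicFileAttributes;

// Hypothetical helper class; names and the sample tree are constructed for illustration.
public class CopyPreservingLinks {

    // Copies src into dst; symbolic links are recreated as links, never dereferenced.
    static void copyTree(Path src, Path dst) throws IOException {
        // walkFileTree without FileVisitOption.FOLLOW_LINKS hands links to visitFile as links.
        Files.walkFileTree(src, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult preVisitDirectory(Path dir, BasicFileAttributes attrs)
                    throws IOException {
                Files.createDirectories(dst.resolve(src.relativize(dir)));
                return FileVisitResult.CONTINUE;
            }

            @Override
            public FileVisitResult visitFile(Path file, BasicFileAttributes attrs)
                    throws IOException {
                // NOFOLLOW_LINKS: copy the link itself, not the file it points to.
                Files.copy(file, dst.resolve(src.relativize(file)),
                        LinkOption.NOFOLLOW_LINKS, StandardCopyOption.COPY_ATTRIBUTES);
                return FileVisitResult.CONTINUE;
            }
        });
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree standing in for the runtime's LICENSE link mentioned above.
        Path root = Files.createTempDirectory("appimage-demo");
        Path src = Files.createDirectories(root.resolve("src/legal")).getParent();
        Files.writeString(src.resolve("legal/LICENSE"), "license text\n");
        Files.createSymbolicLink(src.resolve("LICENSE"), Path.of("legal/LICENSE"));
        copyTree(src, root.resolve("preserved"));
        // For contrast: Files.copy without NOFOLLOW_LINKS follows the link and writes a regular file.
        Path flattened = Files.createDirectories(root.resolve("flattened")).resolve("LICENSE");
        Files.copy(src.resolve("LICENSE"), flattened);

        System.out.println("preserved/LICENSE is link: " + Files.isSymbolicLink(root.resolve("preserved/LICENSE")));
        System.out.println("flattened/LICENSE is link: " + Files.isSymbolicLink(flattened));
    }
}
```

A tree copied the second way no longer matches the file set that was signed, which is the mismatch the quoted description reports for COPYRIGHT and LICENSE.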