On Thu, 30 May 2024 22:54:12 GMT, Alexander Matveev <[email protected]>
wrote:
>> This issue is reproducible with and without `--mac-sign`. jpackage will
>> "_ad-hoc_" sign application bundle when `--mac-sign` is not specified by
>> using pseudo-identity "_-_". This is why jpackage tries to sign added files
>> and this is expected behavior by jpackage. "codesign" fails since added
>> content made application bundle structure invalid. There is nothing we can
>> do on jpackage side to sign such invalid bundles. As a proposed solution we
>> will output possible reason for "codesign" failure if it fails and
>> `--app-content` was specified and possible solution. Proposed message: "One
>> of the possible reason for "codesign" failure is additional content provided
>> via "--app-content", which made application bundle structure invalid. Make
>> sure to provide additional content in a way it will not break application
>> bundle structure, otherwise add additional content as post-processing step."
>>
>> Example:
>> Let's assume we have "ReadMe" folder with "ReadMe.txt" file in it.
>> 1) jpackage --type app-image -n Test --app-content ReadMe/ReadMe.txt ...
>> "codesign" will fail with "In subcomponent: Test.app/Contents/ReadMe.txt".
>> This is expected and "ReadMe.txt" placed in "Test.app/Contents" which is
>> also expected.
>> 2) jpackage --type app-image -n Test --app-content ReadMe ...
>> Works and "ReadMe.txt" will be placed under "Test.app/Contents/ReadMe".
>>
>> Sample output before fix:
>>
>> Error: "codesign" failed with following output:
>> Test.app: replacing existing signature
>> Test.app: code object is not signed at all
>> In subcomponent: Test.app/Contents/ReadMe.txt
>>
>>
>> Sample output after fix:
>>
>> "codesign" failed and additional application content was supplied via the
>> "--app-content" parameter. Probably the additional content broke the
>> integrity of the application bundle and caused the failure. Ensure content
>> supplied via the "--app-content" parameter does not break the integrity of
>> the application bundle, or add it in the post-processing step.
>> Error: "codesign" failed with following output:
>> Test.app: replacing existing signature
>> Test.app: code object is not signed at all
>> In subcomponent: Test.app/Contents/ReadMe.txt
>
> Alexander Matveev has updated the pull request incrementally with one
> additional commit since the last revision:
>
> 8332110: jpackage tries to sign added files without the --mac-sign option
> [v2]
Marked as reviewed by asemenyuk (Reviewer).
test/jdk/tools/jpackage/macosx/SigningOptionsTest.java line 97:
> 95: new String[]{"--app-content", TEST_DUKE},
> 96: null,
> 97: "\"codesign\" failure is additional content provided via \"--app-content\""},
Why is this not a `One of the possible reason for "{0}" failure is additional
content provided via "--app-content"`?
-------------
PR Review: https://git.openjdk.org/jdk/pull/19377#pullrequestreview-2088429523
PR Review Comment: https://git.openjdk.org/jdk/pull/19377#discussion_r1620824169