On Tue, 20 May 2025 00:47:09 GMT, Alexander Matveev <almat...@openjdk.org> wrote:
> Fixed jpackage to produce valid Java runtimes based on description below: > > Definitions: > > - JDK bundle defined as bundle which contains "Contents/Home", > "Contents/MacOS/libjli.dylib" and "Contents/Info.plist". > - Signed JDK bundle contains all files as JDK bundle + > "Contents/_CodeSignature". > - JDK image defined as content of "Contents/Home". > - Signed JDK image does not exist, since it cannot be signed as bundle. > > jpackage output based on input: > > 1. "--runtime-image" points to unsigned JDK bundle and --mac-sign is not > provided: > - jpackage will copy all files as is from provided path and run ad-hoc > codesign. > > 2. "--runtime-image" points to unsigned JDK bundle and --mac-sign is provided: > - jpackage will copy all files as is from provided path and run codesign with > appropriate certificate based on same logic as we do for application image. > > 3. "--runtime-image" points to signed JDK bundle and --mac-sign is not > provided: > - jpackage will copy all files as is from provided path including > "Contents/_CodeSignature" to preserve signing. > > 4. "--runtime-image" points to signed JDK bundle and --mac-sign is provided: > - jpackage will copy all files as is from provided path including > "Contents/_CodeSignature" and will re-sign bundle with appropriate > certificate. > > 5. "--runtime-image" points to JDK image and --mac-sign is not provided: > - jpackage will check for libjli.dylib presence in "lib" folder. > - Create JDK bundle by putting all files from provided path to > "Contents/Home", libjli.dylib from "lib" to "Contents/MacOS/libjli.dylib" and > create default "Contents/Info.plist" similar to what we do for runtime in > application image. > - Ad-hoc signing will done. > > 6. "--runtime-image" points to JDK image and --mac-sign is provided: > - 2 first steps from 5 and certificate signing will be done. test/jdk/tools/jpackage/helpers/jdk/jpackage/test/JPackageCommand.java line 1004: > 1002: // External runtime image should be R/O unless it is on > macOS. > 1003: // On macOS it will be signed ad-hoc or with real > certificate. > 1004: return !TKit.isOSX(); Should be return !(TKit.isOSX() && MacHelper.signPredefinedAppImage(cmd)); Otherwise, it will be turned off for macOS entirely. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/25314#discussion_r2098467190
