On Tue, 20 May 2025 17:00:21 GMT, Alexey Semenyuk <asemen...@openjdk.org> wrote:

>> Fixed jpackage to produce valid Java runtimes based on description below:
>> 
>> Definitions:
>> 
>> - JDK bundle defined as bundle which contains "Contents/Home", 
>> "Contents/MacOS/libjli.dylib" and "Contents/Info.plist".
>> - Signed JDK bundle contains all files as JDK bundle + 
>> "Contents/_CodeSignature".
>> - JDK image defined as content of "Contents/Home".
>> - Signed JDK image does not exist, since it cannot be signed as bundle.
>> 
>> jpackage output based on input:
>> 
>> 1. "--runtime-image" points to unsigned JDK bundle and --mac-sign is not 
>> provided:
>> - jpackage will copy all files as is from provided path and run ad-hoc 
>> codesign.
>> 
>> 2. "--runtime-image" points to unsigned JDK bundle and --mac-sign is 
>> provided:
>> - jpackage will copy all files as is from provided path and run codesign 
>> with appropriate certificate based on same logic as we do for application 
>> image.
>>  
>> 3. "--runtime-image" points to signed JDK bundle and --mac-sign is not 
>> provided:
>> - jpackage will copy all files as is from provided path including 
>> "Contents/_CodeSignature" to preserve signing.
>> 
>> 4. "--runtime-image" points to signed JDK bundle and --mac-sign is provided:
>> - jpackage will copy all files as is from provided path including 
>> "Contents/_CodeSignature" and will re-sign bundle with appropriate 
>> certificate.
>> 
>> 5. "--runtime-image" points to JDK image and --mac-sign is not provided:
>> - jpackage will check for libjli.dylib presence in "lib" folder.
>> - Create JDK bundle by putting all files from provided path to 
>> "Contents/Home", libjli.dylib from "lib" to "Contents/MacOS/libjli.dylib" 
>> and create default "Contents/Info.plist" similar to what we do for runtime 
>> in application image.
>> - Ad-hoc signing will be done.
>> 
>> 6. "--runtime-image" points to JDK image and --mac-sign is provided:
>> - 2 first steps from 5 and certificate signing will be done.
>
> test/jdk/tools/jpackage/helpers/jdk/jpackage/test/JPackageCommand.java line 
> 1004:
> 
>> 1002:             // External runtime image should be R/O unless it is on 
>> macOS.
>> 1003:             // On macOS it will be signed ad-hoc or with real 
>> certificate.
>> 1004:             return !TKit.isOSX();
> 
> Do I get the comment right, and jpackage will modify the image supplied with 
> `--runtime-image` parameter? This is wrong. jpackage must not modify any 
> externally supplied files/directories unless this is app image signing on 
> macOS.

Yes, you get the comment right. We do sign the runtime image as well (same as 
the app image). We do ad-hoc signing for the runtime image if signing is not 
requested. Ad-hoc signing will modify the runtime image. I think you mean the 
case when "--app-image" and "--runtime-image" are specified; then yes, we should 
not modify it, but when we are packaging just the runtime it will be modified 
due to the signature. I will update the test to reflect it.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25314#discussion_r2099145308
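
The layout definitions and the six cases in the quoted PR description, written out as a shell check that classifies a directory passed to `--runtime-image`. This is an added example, not jpackage code or part of the thread; the function names are hypothetical and the fixture directories are constructed empty files, not real JDKs.

```shell
#!/bin/sh
# Added example (not jpackage code): classify a --runtime-image directory
# using the definitions quoted in the PR description. Names are hypothetical.
# classify_runtime DIR -> signed-bundle | unsigned-bundle | image | unknown
classify_runtime() {
    dir=$1
    if [ -d "$dir/Contents/Home" ] &&
       [ -f "$dir/Contents/MacOS/libjli.dylib" ] &&
       [ -f "$dir/Contents/Info.plist" ]; then
        if [ -e "$dir/Contents/_CodeSignature" ]; then
            echo signed-bundle
        else
            echo unsigned-bundle
        fi
    elif [ -f "$dir/lib/libjli.dylib" ]; then
        echo image      # content of "Contents/Home": libjli.dylib is in lib/
    else
        echo unknown
    fi
}

# expected_outcome DIR MAC_SIGN(yes|no) -> the case the description lists
expected_outcome() {
    kind=$(classify_runtime "$1")
    case "$kind:$2" in
        unsigned-bundle:no)  echo "case 1: copy as is, ad-hoc codesign" ;;
        unsigned-bundle:yes) echo "case 2: copy as is, codesign with certificate" ;;
        signed-bundle:no)    echo "case 3: copy as is, keep Contents/_CodeSignature" ;;
        signed-bundle:yes)   echo "case 4: copy as is, re-sign with certificate" ;;
        image:no)            echo "case 5: wrap into bundle, ad-hoc codesign" ;;
        image:yes)           echo "case 6: wrap into bundle, codesign with certificate" ;;
        *)                   echo "not a JDK bundle or JDK image"; return 1 ;;
    esac
}

# make_fixture ROOT: constructed sample layouts (empty files, not real JDKs)
make_fixture() {
    mkdir -p "$1/bundle/Contents/Home" "$1/bundle/Contents/MacOS" \
             "$1/signed/Contents/Home" "$1/signed/Contents/MacOS" \
             "$1/signed/Contents/_CodeSignature" "$1/image/lib" "$1/empty"
    for b in bundle signed; do
        : > "$1/$b/Contents/MacOS/libjli.dylib"
        : > "$1/$b/Contents/Info.plist"
    done
    : > "$1/image/lib/libjli.dylib"
}

if [ "$#" -eq 2 ]; then expected_outcome "$1" "$2"; fi
```
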
