From 936f7ff49ed86adb74bb1ff10d93cb3d7f7d70a0 Mon Sep 17 00:00:00 2001 From: Andy Herrick Date: Fri, 19 Nov 2021 14:23:04 +0000 Subject: [PATCH] 8276150: Quarantined jpackage apps are labeled as "damaged" Reviewed-by: almatvee --- .../jpackage/internal/MacAppImageBuilder.java | 81 +++++++++++++------ .../jpackage/macosx/SigningAppImageTest.java | 32 ++++++-- 2 files changed, 80 insertions(+), 33 deletions(-) diff --git a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java index f1eed5f5f15..c89612a260c 100644 --- a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java +++ b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java @@ -329,7 +329,8 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder { } copyRuntimeFiles(params); - sign(params); + + doSigning(params); } private void copyRuntimeFiles(Map params) @@ -355,7 +356,12 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder { } } - private void sign(Map params) throws IOException { + private void doSigning(Map params) + throws IOException { + + // signing or not, unsign first ... + unsignAppBundle(params, root); + if (Optional.ofNullable( SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) { try { 
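Review bot: The comment `// signing or not, unsign first ...` in doSigning says what happens but not why, and the reason is the substance of this change. A comment along the lines of `// Strip existing signatures first: files copied into the image may already be signed, and a partly signed bundle fails verification once quarantined.` would help the next maintainer. That rationale is inferred from the commit subject, so the author should confirm the wording. doSigning's body continues past the end of the hunk.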
@@ -647,7 +653,52 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder { IOUtils.exec(pb); } - static void signAppBundle( + private static void unsignAppBundle(Map params, + Path appLocation) throws IOException { + + // unsign all dylibs and executables + try (Stream stream = Files.walk(appLocation)) { + stream.peek(path -> { // fix permissions + try { + Set pfp = + Files.getPosixFilePermissions(path); + if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) { + pfp = EnumSet.copyOf(pfp); + pfp.add(PosixFilePermission.OWNER_WRITE); + Files.setPosixFilePermissions(path, pfp); + } + } catch (IOException e) { + Log.verbose(e); + } + }).filter(p -> Files.isRegularFile(p) && + (Files.isExecutable(p) || p.toString().endsWith(".dylib")) + && !(p.toString().contains("dylib.dSYM/Contents")) + ).forEach(p -> { + // If p is a symlink then skip. + if (Files.isSymbolicLink(p)) { + Log.verbose(MessageFormat.format(I18N.getString( + "message.ignoring.symlink"), p.toString())); + } else { + List args = new ArrayList<>(); + args.addAll(Arrays.asList("/usr/bin/codesign", + "--remove-signature", p.toString())); + try { + Set oldPermissions = + Files.getPosixFilePermissions(p); + p.toFile().setWritable(true, true); + ProcessBuilder pb = new ProcessBuilder(args); + IOUtils.exec(pb); + Files.setPosixFilePermissions(p,oldPermissions); + } catch (IOException ioe) { + Log.verbose(ioe); + return; + } + } + }); + } + } + + private static void signAppBundle( Map params, Path appLocation, String signingIdentity, String identifierPrefix, Path entitlements) throws IOException { 
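Review bot: A failed `codesign --remove-signature` in the new unsignAppBundle is only passed to `Log.verbose(ioe)`, so a file that could not be unsigned keeps its old signature and the build still succeeds. The code this commit removes from signAppBundle recorded that error with `toThrow.set(ioe)`; I would keep the first exception here as well and rethrow it after the walk, at least on the path where no re-signing follows. Separately, the `peek` step adds OWNER_WRITE to every path, never restores it, and runs before the `Files.isSymbolicLink` check. `Files.getPosixFilePermissions` and `Files.setPosixFilePermissions` follow links as called here, so a link's target can have its mode changed; starting the `peek` lambda with `if (Files.isSymbolicLink(path)) return;` would avoid that. The `oldPermissions` save and restore in the `forEach` then has little effect, because the permissions were already widened by `peek`.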
@@ -682,29 +733,7 @@ public class MacAppImageBuilder extends AbstractAppImageBuilder { Log.verbose(MessageFormat.format(I18N.getString( "message.ignoring.symlink"), p.toString())); } else { - List args; - // runtime and Framework files will be signed below - // but they need to be unsigned first here - if ((p.toString().contains("/Contents/runtime")) || - (p.toString().contains("/Contents/Frameworks"))) { - - args = new ArrayList<>(); - args.addAll(Arrays.asList("/usr/bin/codesign", - "--remove-signature", p.toString())); - try { - Set oldPermissions = - Files.getPosixFilePermissions(p); - p.toFile().setWritable(true, true); - ProcessBuilder pb = new ProcessBuilder(args); - IOUtils.exec(pb); - Files.setPosixFilePermissions(p,oldPermissions); - } catch (IOException ioe) { - Log.verbose(ioe); - toThrow.set(ioe); - return; - } - } - args = new ArrayList<>(); + List args = new ArrayList<>(); args.addAll(Arrays.asList("/usr/bin/codesign", "--timestamp", "--options", "runtime", diff --git a/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java b/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java index cd30b24f350..a94b449dcba 100644 --- a/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java +++ b/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java @@ -22,8 +22,11 @@ */ import java.nio.file.Path; +import java.util.List; + import jdk.jpackage.test.JPackageCommand; import jdk.jpackage.test.Annotations.Test; +import jdk.jpackage.test.Annotations.Parameters; /** * Tests generation of app image with --mac-sign and related arguments. Test will 
@@ -57,21 +60,36 @@ import jdk.jpackage.test.Annotations.Test; */ public class SigningAppImageTest { + final boolean doSign; + + public SigningAppImageTest(String flag) { + this.doSign = "true".equals(flag); + } + + @Parameters + public static List data() { + return List.of(new Object[][] {{"true"}, {"false"}}); + } + @Test - public static void test() throws Exception { + public void test() throws Exception { SigningCheck.checkCertificates(); JPackageCommand cmd = JPackageCommand.helloAppImage(); - cmd.addArguments("--mac-sign", "--mac-signing-key-user-name", - SigningBase.DEV_NAME, "--mac-signing-keychain", - SigningBase.KEYCHAIN); + if (doSign) { + cmd.addArguments("--mac-sign", "--mac-signing-key-user-name", + SigningBase.DEV_NAME, "--mac-signing-keychain", + SigningBase.KEYCHAIN); + } cmd.executeAndAssertHelloAppImageCreated(); Path launcherPath = cmd.appLauncherPath(); - SigningBase.verifyCodesign(launcherPath, true); + SigningBase.verifyCodesign(launcherPath, doSign); Path appImage = cmd.outputBundle(); - SigningBase.verifyCodesign(appImage, true); - SigningBase.verifySpctl(appImage, "exec"); + SigningBase.verifyCodesign(appImage, doSign); + if (doSign) { + SigningBase.verifySpctl(appImage, "exec"); + } } }
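Review bot: `SigningCheck.checkCertificates()` still runs unconditionally at the top of `test()`, so the new unsigned variant (`doSign == false`) presumably depends on signing certificates it never uses. Wrapping the call as `if (doSign) { SigningCheck.checkCertificates(); }` would let the unsigned case run on machines without them. The unsigned case also asserts only on the launcher and the bundle root via `verifyCodesign(..., false)`. Since the fix is about leftover signatures on dylibs and executables inside the image, an extra assertion on one bundled library would pin the behaviour more directly.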