On 4/3/2020 10:40 AM, James Elliott wrote:
This sounds promising! I just wanted to check if there is a mechanism to
specify a custom set of entitlements needed by the application when running
jpackage, in case it needs more than the normal set that Java itself does. Or
does Java already ask for every possible entitlement in its original
notarization?
Thanks,
-James
Although there is an existing enhancement request JDK-8241448 to add a
specific CLI to use a different entitlements file, this code will give
the user the ability to override entitlements without that CLI using the
resource override mechanism as follows:
Create a directory (call it RESOURCE_DIR), add to that directory an
"APP_NAME.entitlements" file containing the entitlements you want, then
use the CLI options "--name APP_NAME --resource-dir RESOURCE_DIR".
Then when signing APP_NAME this file will be used instead of the builtin
resource entitlements.plist.
/Andy
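
The override described in the message above, as an added example that is not part of the thread or of jpackage itself: a small shell helper that writes `RESOURCE_DIR/APP_NAME.entitlements` from a list of entitlement keys. The function name `write_entitlements` is hypothetical, and the keys are whatever the caller passes in.

```shell
#!/bin/sh
# Added example: jpackage entitlements override through --resource-dir.
# The app name, directory and entitlement keys are the caller's choices.

# Write RESOURCE_DIR/APP_NAME.entitlements with every listed key set to true.
# The file is used instead of the builtin entitlements.plist, not merged with
# it, so list everything the signed app needs, Java runtime needs included.
write_entitlements() {
    [ "$#" -ge 3 ] || { echo "usage: APP_NAME RESOURCE_DIR KEY..." >&2; return 2; }
    app_name=$1; resource_dir=$2; shift 2
    # Validate first so a bad key never leaves a half-written plist behind.
    for key in "$@"; do
        case $key in
            ''|*[!A-Za-z0-9.-]*) echo "bad entitlement key: $key" >&2; return 1 ;;
        esac
    done
    mkdir -p "$resource_dir" || return 1
    out="$resource_dir/$app_name.entitlements"
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        printf '%s\n' '<plist version="1.0">' '<dict>'
        for key in "$@"; do
            printf '    <key>%s</key>\n    <true/>\n' "$key"
        done
        printf '%s\n' '</dict>' '</plist>'
    } > "$out" || return 1
    printf '%s\n' "$out"
}

# Stand-alone use: sh this-script APP_NAME RESOURCE_DIR KEY...
if [ "$#" -ge 3 ]; then
    write_entitlements "$@" >/dev/null || exit 1
    # Only the two options named in the message are shown; add your usual ones.
    echo "jpackage --name $1 --resource-dir $2 ..."
    # After signing, inspect which entitlements were actually applied:
    echo "codesign -d --entitlements :- <path to signed $1.app>"
fi
```

Keeping the key list short grants the signed app only the entitlements it uses; comparing the `codesign -d --entitlements` output against the file confirms the override was picked up.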
Date: Fri, 3 Apr 2020 10:20:21 -0400
From: Andy Herrick <andy.herr...@oracle.com>
To: core-libs-dev@openjdk.java.net
Subject: Re: RFR: JDK-8237490: [macos] Add support notarizing jpackage
app-image and dmg
Message-ID: <f3571d06-cfc4-ae42-53bc-a30463025...@oracle.com>
Content-Type: text/plain; charset=utf-8; format=flowed
sorry missing webrev pointer [4]
[4] - http://cr.openjdk.java.net/~herrick/8237490/webrev.07
/Andy
On 4/3/2020 9:24 AM, Andy Herrick wrote:
please review this revised webrev [4] to issue [2]
The previous version generated a signed app that could be notarized,
but then couldn't run because signing the whole app resigned the
executable with reduced entitlements.
This revision adds back in the entitlements when signing the whole
app, as well as fixing the unit test that was failing the spctl call
on Catalina due to signed app not being notarized.
/Andy
On 3/30/2020 1:19 PM, Andy Herrick wrote:
revised with minor fixes as per below - webrev at [3]
[3] http://cr.openjdk.java.net/~herrick/8237490/webrev.06/
/Andy
On 3/28/2020 9:43 AM, Andy Herrick wrote:
On 3/27/2020 5:18 PM, Alexander Matveev wrote:
Hi Andy,
http://cr.openjdk.java.net/~herrick/8237490/webrev.05/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java.frames.html
Line 819,857,902 - Looks like temp debug log message. Remove it or
align with rest of code.
I will fix this.
http://cr.openjdk.java.net/~herrick/8237490/webrev.05/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources.properties.frames.html
Line 70 - Capital F.
and this
Since we added "--timestamp" and "--options runtime" to codesign,
will it work with older Xcode and macOS we are planning to support?
not sure - may need some discussion of what we support and possible
conditional code here.
Do we need any adjustments to signing tests we have?
The existing tests pass, but this is not unexpected (and really
means nothing) since the signing tests are all skipped unless
specific test certs are installed on target machine.
We need further discussion how one is expected to provision a
machine to run these tests.
/Andy
Otherwise looks fine.
Thanks,
Alexander
On 3/27/20 12:35 PM, Andy Herrick wrote:
Please review the fix to issue [1] at [2].
This change enables notarization on Mac for dmg images and
app-image zip files.
/Andy
[1]: https://bugs.openjdk.java.net/browse/JDK-8237490
[2]: http://cr.openjdk.java.net/~herrick/8237490
End of core-libs-dev Digest, Vol 156, Issue 12