Re: [jdk19] RFR: 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]
> Fixed 3 issues which made signature invalid: > - We should not remove .jpackage.xml from signed app image when creating DMG > or PKG otherwise it invalidates signature. > - .package should be created when app image is generated, so this file can be > signed. > - Copying predefine app image for DMG and PKG should not follow symbolic > links, otherwise several files from runtime (COPYRIGHT and LICENSE) will be > copied instead of symbolic links being created, since it invalidates > signature as well. > > Added additional test to validate signature when DMG or PKG is generated from > predefined app image. Alexander Matveev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision: - Merge remote-tracking branch 'upstream/master' into JDK-8289030 - 8289030: [macos] app image signature invalid when creating DMG or PKG [v2] - 8289030: [macos] app image signature invalid when creating DMG or PKG - Changes: - all: https://git.openjdk.org/jdk19/pull/89/files - new: https://git.openjdk.org/jdk19/pull/89/files/5e47a1e3..4d5d4bce Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk19&pr=89&range=01 - incr: https://webrevs.openjdk.org/?repo=jdk19&pr=89&range=00-01 Stats: 1986 lines in 64 files changed: 1671 ins; 95 del; 220 mod Patch: https://git.openjdk.org/jdk19/pull/89.diff Fetch: git fetch https://git.openjdk.org/jdk19 pull/89/head:pull/89 PR: https://git.openjdk.org/jdk19/pull/89
Re: [jdk19] RFR: 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]
On Thu, 7 Jul 2022 17:07:51 GMT, Alexey Semenyuk wrote:
>> Alexander Matveev has updated the pull request with a new target base due to
>> a merge or a rebase. The incremental webrev excludes the unrelated changes
>> brought in by the merge/rebase. The pull request contains three additional
>> commits since the last revision:
>>
>> - Merge remote-tracking branch 'upstream/master' into JDK-8289030
>> - 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]
>> - 8289030: [macos] app image signature invalid when creating DMG or PKG
>
> src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacBaseInstallerBundler.java
> line 171:
>
>> 169:Files.deleteIfExists(AppImageFile.getPathInAppImage(appDir));
>> 170: }
>> 171:
>
> I think there is no need to modify AbstractAppImageBuilder.java, and
> AppImageBundler.java.
> It is sufficient to modify the condition controlling the creation of
> `.package` file:
>
> if (predefinedImage == null ||
> (!StandardBundlerParam.isRuntimeInstaller(params) &&
> !AppImageFile.load(predefinedImage).isSigned())) {
> new PackageFile(APP_NAME.fetchFrom(params)).save(
> ApplicationLayout.macAppImage().resolveAt(appDir));
> Files.deleteIfExists(AppImageFile.getPathInAppImage(appDir));
> }
>
> Besides `.package` file logically doesn't belong to app image, it belongs to
> the installed application, so it must not be referenced from the classes
> creating app images.
We need to add `.package` file during app image creation, since we need to sign
it. With your proposed change we will add `.package` file to already signed app
image.
-
PR: https://git.openjdk.org/jdk19/pull/89
Re: [jdk19] RFR: 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]
On Thu, 7 Jul 2022 19:30:07 GMT, Alexander Matveev wrote:
>> src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacBaseInstallerBundler.java
>> line 171:
>>
>>> 169:
>>> Files.deleteIfExists(AppImageFile.getPathInAppImage(appDir));
>>> 170: }
>>> 171:
>>
>> I think there is no need to modify AbstractAppImageBuilder.java, and
>> AppImageBundler.java.
>> It is sufficient to modify the condition controlling the creation of
>> `.package` file:
>>
>> if (predefinedImage == null ||
>> (!StandardBundlerParam.isRuntimeInstaller(params) &&
>> !AppImageFile.load(predefinedImage).isSigned())) {
>> new PackageFile(APP_NAME.fetchFrom(params)).save(
>> ApplicationLayout.macAppImage().resolveAt(appDir));
>> Files.deleteIfExists(AppImageFile.getPathInAppImage(appDir));
>> }
>>
>> Besides `.package` file logically doesn't belong to app image, it belongs to
>> the installed application, so it must not be referenced from the classes
>> creating app images.
>
> We need to add `.package` file during app image creation, since we need to
> sign it. With your proposed change we will add `.package` file to already
> signed app image.
Oh, right.
Anyways let's keep `.package`-related stuff away from
AbstractAppImageBuilder.java, and AppImageBundler.java.
I'd move `.package`-related logic from AbstractAppImageBuilder to
MacAppImageBuilder and change
public MacAppBundler() {
setAppImageSupplier(MacAppImageBuilder::new);
setParamsValidator(MacAppBundler::doValidate);
}
to something like this
public MacAppBundler() {
public MacAppBundler() {
setAppImageSupplier(imageOutDir -> {
return new MacAppImageBuilder(imageOutDir, isDependentTask());
});
setParamsValidator(MacAppBundler::doValidate);
}
Need to add `AppImageBundler.sDependentTask()` method and change signature if
MacAppImageBuilder ctor from `MacAppImageBuilder(Path imageOutDir)` to
`MacAppImageBuilder(Path imageOutDir, boolean withPackageFile)`
-
PR: https://git.openjdk.org/jdk19/pull/89
Re: [jdk19] RFR: 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]
On Thu, 7 Jul 2022 07:27:56 GMT, Alexander Matveev wrote:
>> Fixed 3 issues which made signature invalid:
>> - We should not remove .jpackage.xml from signed app image when creating DMG
>> or PKG otherwise it invalidates signature.
>> - .package should be created when app image is generated, so this file can
>> be signed.
>> - Copying predefine app image for DMG and PKG should not follow symbolic
>> links, otherwise several files from runtime (COPYRIGHT and LICENSE) will be
>> copied instead of symbolic links being created, since it invalidates
>> signature as well.
>>
>> Added additional test to validate signature when DMG or PKG is generated
>> from predefined app image.
>
> Alexander Matveev has updated the pull request with a new target base due to
> a merge or a rebase. The incremental webrev excludes the unrelated changes
> brought in by the merge/rebase. The pull request contains three additional
> commits since the last revision:
>
> - Merge remote-tracking branch 'upstream/master' into JDK-8289030
> - 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]
> - 8289030: [macos] app image signature invalid when creating DMG or PKG
Changes requested by asemenyuk (Reviewer).
src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacBaseInstallerBundler.java
line 171:
> 169:Files.deleteIfExists(AppImageFile.getPathInAppImage(appDir));
> 170: }
> 171:
I think there is no need to modify AbstractAppImageBuilder.java, and
AppImageBundler.java.
It is sufficient to modify the condition controlling the creation of `.package`
file:
if (predefinedImage == null ||
(!StandardBundlerParam.isRuntimeInstaller(params) &&
!AppImageFile.load(predefinedImage).isSigned())) {
new PackageFile(APP_NAME.fetchFrom(params)).save(
ApplicationLayout.macAppImage().resolveAt(appDir));
Files.deleteIfExists(AppImageFile.getPathInAppImage(appDir));
}
Besides `.package` file logically doesn't belong to app image, it belongs to
the installed application, so it must not be referenced from the classes
creating app images.
test/jdk/tools/jpackage/macosx/SigningPackageTwoStepTest.java line 87:
> 85: private static void verifyAppImageInDMG(JPackageCommand cmd) {
> 86: MacHelper.withExplodedDmg(cmd, dmgImage -> {
> 87: Path launcherPath = dmgImage.resolve(Path.of("Contents",
> "MacOS", cmd.name()));
I'd replace it with
`ApplicationLayout.macAppImage().resolveAt(dmgImage).launchersDirectory(cmd.name())`
-
PR: https://git.openjdk.org/jdk19/pull/89
Re: [jdk19] RFR: 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]
On Thu, 7 Jul 2022 17:11:23 GMT, Alexey Semenyuk wrote:
>> Alexander Matveev has updated the pull request with a new target base due to
>> a merge or a rebase. The incremental webrev excludes the unrelated changes
>> brought in by the merge/rebase. The pull request contains three additional
>> commits since the last revision:
>>
>> - Merge remote-tracking branch 'upstream/master' into JDK-8289030
>> - 8289030: [macos] app image signature invalid when creating DMG or PKG [v2]
>> - 8289030: [macos] app image signature invalid when creating DMG or PKG
>
> test/jdk/tools/jpackage/macosx/SigningPackageTwoStepTest.java line 87:
>
>> 85: private static void verifyAppImageInDMG(JPackageCommand cmd) {
>> 86: MacHelper.withExplodedDmg(cmd, dmgImage -> {
>> 87: Path launcherPath = dmgImage.resolve(Path.of("Contents",
>> "MacOS", cmd.name()));
>
> I'd replace it with
> `ApplicationLayout.macAppImage().resolveAt(dmgImage).launchersDirectory(cmd.name())`
Fixed.
-
PR: https://git.openjdk.org/jdk19/pull/89
