JDK-8263156 : [macos]: OS X application signing concerns - a sealed resource is missing or invalid
  • Type: Bug
  • Component: tools
  • Sub-Component: jpackage
  • Affected Version: 15
  • Priority: P4
  • Status: Closed
  • Resolution: Incomplete
  • OS: os_x
  • CPU: x86_64
  • Submitted: 2021-03-04
  • Updated: 2021-04-17
  • Resolved: 2021-03-09
Description
ADDITIONAL SYSTEM INFORMATION :
macOS Catalina 10.15.7

openjdk version "15.0.2" 2021-01-19
OpenJDK Runtime Environment (build 15.0.2+7-27)
OpenJDK 64-Bit Server VM (build 15.0.2+7-27, mixed mode, sharing)

WARNING: Using incubator modules: jdk.incubator.jpackage
15.0.2

A DESCRIPTION OF THE PROBLEM :
codesign verification of signatures indicates errors

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Signed application with...

	--mac-sign \
	--mac-signing-key-user-name "Michael Hall"



EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The signed applications would codesign verify without error.
ACTUAL -
This is used to verify...
codesign --verify --verbose <application path>

HalfPipe.app: a sealed resource is missing or invalid
file modified: /Users/mjh/HalfPipe/HalfPipe_jpkg/outputdir/HalfPipe.app/Contents/runtime/Contents/Home/legal/java.management.rmi/LICENSE
file modified: /Users/mjh/HalfPipe/HalfPipe_jpkg/outputdir/HalfPipe.app/Contents/runtime/Contents/Home/legal/java.management.rmi/ADDITIONAL_LICENSE_INFO
file modified: /Users/mjh/HalfPipe/HalfPipe_jpkg/outputdir/HalfPipe.app/Contents/runtime/Contents/Home/legal/java.management.rmi/ASSEMBLY_EXCEPTION
file modified: /Users/mjh/HalfPipe/HalfPipe_jpkg/outputdir/HalfPipe.app/Contents/runtime/Contents/Home/legal/java.se/LICENSE
file modified: /Users/mjh/HalfPipe/HalfPipe_jpkg/outputdir/HalfPipe.app/Contents/runtime/Contents/Home/legal/java.se/ADDITIONAL_LICENSE_INFO
file modified: /Users/mjh/HalfPipe/HalfPipe_jpkg/outputdir/HalfPipe.app/Contents/runtime/Contents/Home/legal/java.se/ASSEMBLY_EXCEPTION
file modified: /Users/mjh/HalfPipe/HalfPipe_jpkg/outputdir/HalfPipe.app/Contents/runtime/Contents/Home/legal/java.security.jgss/LICENSE
file modified: /Users/mjh/HalfPipe/HalfPipe_jpkg/outputdir/HalfPipe.app/Contents/runtime/Contents/Home/legal/java.security.jgss/ADDITIONAL_LICENSE_INFO
file modified: /Users/mjh/HalfPipe/HalfPipe_jpkg/outputdir/HalfPipe.app/Contents/runtime/Contents/Home/legal/java.security.jgss/ASSEMBLY_EXCEPTION
...
and many more about the same.



---------- BEGIN SOURCE ----------
See above jpackage invocations
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
This is not currently causing me any problems. I mainly wanted to see if the application would correctly display that I had signed it (codesign -d -vvv), which it does seem to do.
I came across the codesign verification invocation which indicated the reported errors.

FREQUENCY : always
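
Added example (not part of the original report or of jpackage): a shell function that groups the findings from the codesign output above by directory inside the bundle, so it is easy to see whether the failures are confined to one area such as the runtime's legal/ tree. Only "file modified" appears in the report; the "added" and "missing" kinds, and the function names, are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage `codesign --verify --verbose` output.
# Real use (codesign reports on stderr):
#   codesign --verify --verbose <application path> 2>&1 | summarize_codesign

# Print "<kind> <directory inside the bundle> <file count>", sorted.
summarize_codesign() {
    awk '
    # Finding lines: "file modified: /path/Name.app/Contents/..."
    /^file (modified|added|missing): / {
        kind = $2
        sub(":$", "", kind)
        path = substr($0, index($0, ": ") + 2)
        # Make the path relative to the first ".app/" component.
        i = index(path, ".app/")
        if (i) path = substr(path, i + 5)
        # Drop the file name so findings group by directory.
        sub("/[^/]*$", "", path)
        count[kind " " path]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# Sample input: lines copied from the report above (two of the modules).
sample_output() {
    p=/Users/mjh/HalfPipe/HalfPipe_jpkg/outputdir/HalfPipe.app
    l=$p/Contents/runtime/Contents/Home/legal
    cat <<EOF
HalfPipe.app: a sealed resource is missing or invalid
file modified: $l/java.management.rmi/LICENSE
file modified: $l/java.management.rmi/ADDITIONAL_LICENSE_INFO
file modified: $l/java.management.rmi/ASSEMBLY_EXCEPTION
file modified: $l/java.se/LICENSE
file modified: $l/java.se/ADDITIONAL_LICENSE_INFO
file modified: $l/java.se/ASSEMBLY_EXCEPTION
EOF
}

sample_output | summarize_codesign
```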



Comments
I was testing with a completely trivial app, the attached hello.java, compiled, jarred, and resulting jar (hello.jar) put in directory "input-test" then used jpackage with the following script:
	$JDK_HOME/bin/jpackage \
	  --type pkg \
	  --input input-test \
	  --dest output \
	  --name test \
	  --vendor "Oracle Test" \
	  --description "Test simple app image" \
	  --main-jar hello.jar \
	  --main-class hello \
	  --mac-sign \
	  --mac-signing-key-user-name 'Oracle America, Inc. (VB5E2TV963)' \
	  --mac-signing-keychain "login.JPackageTest" \
	  $1 $2 $3 $4
NOTE: my Keychain Access has certs "Developer ID Application: Oracle America, Inc. (VB5E2TV963)" and "Developer ID Installer: Oracle America, Inc. (VB5E2TV963)" in custom keychain "JPackageTest".
17-04-2021

No suitable reproducer has been provided by the submitter yet.
06-04-2021

Even using the openjdk-15.0.2 bundles from jdk.java.net/15 I cannot reproduce this. The warnings are from within the runtime, so should be the same for any app, I am using a simple app called "test". I tried both creating an app-image and directly running codesign --verify --verbose on it, and creating a pkg, installing it, and then running codesign -verify on it. Using all of openjdk 15.0.2, openjdk 16, and my private builds of 17 (both signed and unsigned runtimes). In every case codesign says:
	test.app: valid on disk
	test.app: satisfies it's Designated Requirements
I am resolving this as incomplete until a reproducible test case is provided or discovered.
09-03-2021

Additional information received from submitter
======================================
This incident was more informational than a problem. Just that I am seeing errors indicated when verifying with...
	codesign --verify --verbose <application path>
You would need my applications to exactly reproduce. Trying it on any Developer signed application should probably give the same or similar results.
08-03-2021

Requested a simple reproducer from the submitter.
05-03-2021