JDK-8237607 : [macos] Signing app bundle with jpackage fails if runtime is already signed
  • Type: Bug
  • Component: tools
  • Sub-Component: jpackage
  • Affected Version: 14,15
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: os_x
  • Submitted: 2020-01-22
  • Updated: 2020-08-17
  • Resolved: 2020-01-24
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 14 JDK 15
14 b34Fixed 15Fixed
Related Reports
Relates :  
JDK-8251892 - [macos] DMG is not signed at all although mac sign option is provided
Relates :  
JDK-8240636 - [macos] Signing app bundle with jpackage fails if runtime is already signed
Description
This issue can be reproduced with jdk14 and jdk15.

jdk-14.jdk/Contents/Home/bin/jpackage --input ./input --dest output --name Test --type dmg --main-jar hello.jar --main-class Hello --mac-sign --mac-signing-key-user-name jpackage.openjdk.java.net --mac-signing-keychain jpackagerTest.keychain --verbose

will fail with error below:
/var/folders/wv/v95v04852ssgxhyxm38xp9lh0000gn/T/jdk.incubator.jpackage15520659922256584206/images/image-4513431408695035725/Test.app/Contents/runtime: is already signed
java.io.IOException: Command [codesign, -s, Developer ID Application: jpackage.openjdk.java.net, --prefix, Hello., -vvvv, --keychain, jpackagerTest.keychain, /var/folders/wv/v95v04852ssgxhyxm38xp9lh0000gn/T/jdk.incubator.jpackage15520659922256584206/images/image-4513431408695035725/Test.app/Contents/runtime] exited with 1 code
Comments
Additional information for this issue: After signing all components it fails with error: /var/folders/9g/62bb9wjd1ks04kfxsd3_1tbr0000gn/T/jdk.incubator.jpackage12785038626377964102/images/image-7125624493142684957/griddlers.app: is already signed java.io.IOException: Command [codesign, -s, XXXXXX , -vvvv, /var/folders/9g/62bb9wjd1ks04kfxsd3_1tbr0000gn/T/jdk.incubator.jpackage12785038626377964102/images/image-7125624493142684957/myapp.app] exited with 1 code at jdk.incubator.jpackage/jdk.incubator.jpackage.internal.Executor.executeExpectSuccess(Executor.java:73) at jdk.incubator.jpackage/jdk.incubator.jpackage.internal.IOUtils.exec(IOUtils.java:165) at jdk.incubator.jpackage/jdk.incubator.jpackage.internal.IOUtils.exec(IOUtils.java:136) at jdk.incubator.jpackage/jdk.incubator.jpackage.internal.MacAppImageBuilder.signAppBundle(MacAppImageBuilder.java:895) at jdk.incubator.jpackage/jdk.incubator.jpackage.internal.MacAppImageBuilder.sign(MacAppImageBuilder.java:363) There could be also -f parameter on https://github.com/openjdk/jdk14/blob/5ed4b9f2c0a1572da09fef84aaf0ce899689c4c2/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java#L881 REGRESSION : Last worked in version 14 STEPS TO FOLLOW TO REPRODUCE THE PROBLEM : jpackage --verbose --type dmg -d dist -i target/input -n myapp \ --main-class com.igridd.client.Griddlers --main-jar myapp.jar \ --icon src/main/bundleresources/package/macosx/myapp.icns \ --mac-package-identifier myapp.com --mac-sign --mac-signing-key-user-name "developer" \ --resource-dir src/main/bundleresources/package/macosx \ --mac-package-signing-prefix com.myapp EXPECTED VERSUS ACTUAL BEHAVIOR : EXPECTED - complete dmg image ACTUAL - Error FREQUENCY : always
12-02-2020
Changeset: f8f98bdb Author: Alexander Matveev <almatvee@openjdk.org> Date: 2020-01-24 11:24:28 +0000 URL: https://git.openjdk.java.net/panama-foreign/commit/f8f98bdb
07-02-2020
URL: https://hg.openjdk.java.net/jdk/jdk14/rev/a676cfb90f39 User: herrick Date: 2020-01-24 16:25:32 +0000
24-01-2020
Fix request approved for JDK 14.
23-01-2020
Fix Request Original implementation (added in JDK14) was not taken in consideration that runtime used by jpackage can be already signed and thus was failing. Without fix signing will not work at all with JDK which is signed. Risk is low, since we just forcing signing on signed JDK. Webrev: http://cr.openjdk.java.net/~almatvee/8237607/webrev.00/ Review thread: https://mail.openjdk.java.net/pipermail/core-libs-dev/2020-January/064486.html
23-01-2020
http://cr.openjdk.java.net/~almatvee/8237607/webrev.00/ - Fixed by forcing signing even if runtime already signed. - Original implementation was not taken in consideration that runtime can be signed (JDK itself is signed from which jpackage is used or runtime provided via --runtime-image). - Signature of binaries files in runtime will not be change, with this fix we will generate new _CodeSignature/CodeResources file which contains signatures of all files inside runtime folder signed with user provided certificate.
23-01-2020