JDK-8276837 : [macos]: Error when signing the additional launcher
  • Type: Bug
  • Component: tools
  • Sub-Component: jpackage
  • Affected Version: 17
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: os_x_10.15
  • CPU: generic
  • Submitted: 2021-10-30
  • Updated: 2023-01-09
  • Resolved: 2021-12-02
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 17 JDK 18
17.0.5-oracleFixed 18 b27Fixed
Related Reports
Relates :  
JDK-8299793 - jpackage runs "codesign --remove-signature" on OSX when signing is not enabled
Relates :  
JDK-8278233 - [macos] tools/jpackage tests timeout due to /usr/bin/osascript
Description
ADDITIONAL SYSTEM INFORMATION :
OS X 10.15

A DESCRIPTION OF THE PROBLEM :
The second launcher cannot be signed because it is already signed. It's like being signed twice.
The same build works before version 17.0.0

REGRESSION : Last worked in version 16

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Build an application with a second launcher



EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
jpackage should exit with 0
ACTUAL -
java.io.IOException: Command [/usr/bin/codesign, --timestamp, --options, runtime, -s, ***, --prefix, org.weasis.launcher., -vvvv, --keychain, /Users/runner/Library/Keychains/signing_temp.keychain-db, --entitlements, /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/jdk.jpackage16166130837195785450/config/Weasis.entitlements, weasis-distributions/target/native-dist/Weasis.app/Contents/MacOS/Dicomizer] exited with 1 code
Error: Process completed with exit code 1.

---------- BEGIN SOURCE ----------
Unfortunately, it is not possible to provide a simple test that requires a real certificate and user information. Here is an example of a command:

jpackage --type app-image --add-launcher "Dicomizer=second-launcher.properties" --mac-package-identifier" "org.launcher" "--mac-signing-keychain" "$HOME/Library/Keychains/signing_temp.keychain-db" "--mac-sign ...
---------- END SOURCE ----------

FREQUENCY : always
Comments
Fix request [17u] I backport this for parity with 17.0.5-oracle. Needed to properly package on macos. Clean backport. SAP nighlty testing passed.
21-07-2022
A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u-dev/pull/562 Date: 2022-07-19 09:12:34 +0000
19-07-2022
Changeset: 76968979 Author: Andy Herrick <herrick@openjdk.org> Date: 2021-12-02 14:08:33 +0000 URL: https://git.openjdk.java.net/jdk/commit/7696897932a35708b1632517127c1a3a59919878
02-12-2021
We need to unsign all executables and libraries in the app-image before signing (not just those in the runtime or Framework(s). Also, clean up excessive output by executing the individual file unsigning and signing commands in quiet mode.
01-12-2021
this will happen whenever we have a signed runtime, because the jpackaggeapplauncher (which all the launchers are copies of) is signed. We intentionally skip the main executable in the loop to sign everything, but not the additional launchers. We then unsign only the runtime and framework files before signing everything. as a result, main launcher doesn't get unsigned or signed here (that happens at the end), additional launchers don't get unsigned, but they do get signed. We should be unsigning everything.
29-11-2021