JDK-8293462 : [macos] app image signature invalid when creating DMG or PKG from post processed signed image
  • Type: Bug
  • Component: tools
  • Sub-Component: jpackage
  • Affected Version: 19
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2022-09-07
  • Updated: 2024-10-17
  • Resolved: 2022-09-26
Fixed in JDK 20: 20 b17 (Fixed)
Description
App image signature invalid when creating DMG or PKG from post processed signed image.

Steps to reproduce this issue:
1) Generate unsigned app-image
    jpackage --type app-image -i input -n Test --main-class components.DynamicTreeDemo --main-jar DynamicTreeDemo.jar
2) Sign generated app image
    jpackage --type app-image --app-image Test.app --mac-sign
3) Generate DMG from signed app image
    jpackage --type dmg --app-image Test.app
4) Mount DMG and check signature. Expected: Signature valid. Actual: Signature invalid.
    codesign -vvv /Volumes/Test/Test.app
    /Volumes/Test/Test.app: a sealed resource is missing or invalid
    file added: /Volumes/Test/Test.app/Contents/app/.package
Comments
Changeset: 1e222bcc Author: Alexander Matveev <almatvee@openjdk.org> Date: 2022-09-26 22:48:25 +0000 URL: https://git.openjdk.org/jdk/commit/1e222bccd3807c1be0d1d824e0ff9745751d8375
26-09-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/10316 Date: 2022-09-16 22:55:52 +0000
16-09-2022

The suggested workaround for this issue is to generate a signed application image at step 1, then post-process it and sign it again at step 2. Another option is to generate an unsigned application image, change the value of <signed> from false to true in "APPNAME.app/Contents/app/.jpackage.xml", and then post-process it and sign it again. The problem is that JDK-8286850 never set the correct value in .jpackage.xml to mark the image as signed. JDK-8289030 reads this value to check whether we can add per-user and system-wide configuration to a jpackaged app. If the image is unsigned we will add ".package", and if the image is signed we will not add this file, since a signed app image cannot be modified.
07-09-2022
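
Added example (not part of the bug report or the JDK sources): a Python pre-check, based on the workaround comment above, to run on a signed app image before building a DMG or PKG from it. It reads the <signed> value from Contents/app/.jpackage.xml and looks for Contents/app/.package; the function names are hypothetical and the sample XML is constructed, with only the <signed> element and the two file paths taken from this page.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path


def read_signed_flag(app: Path):
    """Return True/False from <signed> in .jpackage.xml, or None if unreadable."""
    state = app / "Contents" / "app" / ".jpackage.xml"
    try:
        root = ET.parse(state).getroot()
    except (OSError, ET.ParseError):
        return None
    for node in root.iter():
        # Compare the local name so a namespaced document is handled too.
        if node.tag.rsplit("}", 1)[-1] == "signed" and node.text:
            return node.text.strip().lower() == "true"
    return None


def precheck(app: Path, expect_signed: bool = True):
    """List reasons a DMG/PKG built from this image may fail codesign -vvv."""
    findings = []
    flag = read_signed_flag(app)
    if flag is None:
        findings.append("no readable <signed> value in .jpackage.xml")
    elif expect_signed and not flag:
        findings.append("<signed> is false: jpackage treats the image as "
                        "unsigned and adds Contents/app/.package")
    if expect_signed and (app / "Contents" / "app" / ".package").exists():
        findings.append(".package present: if it was added after signing, "
                        "the sealed resources no longer match")
    return findings


def make_sample(root: Path, signed: str, with_marker: bool) -> Path:
    """Constructed app-image skeleton; the XML wrapper element is illustrative."""
    app_dir = root / "Test.app" / "Contents" / "app"
    app_dir.mkdir(parents=True)
    (app_dir / ".jpackage.xml").write_text(
        f"<jpackage-state><signed>{signed}</signed></jpackage-state>")
    if with_marker:
        (app_dir / ".package").write_text("")
    return root / "Test.app"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed case matching the report: image signed, flag still false.
        for line in precheck(make_sample(Path(tmp), "false", False)):
            print("WARN:", line)
```

An empty result from precheck only means the two conditions described in this report are absent; `codesign -vvv` on the mounted image remains the actual verification.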