JDK-8313904 : [macos] All signing tests which verifies unsigned app images are failing
  • Type: Bug
  • Component: tools
  • Sub-Component: jpackage
  • Affected Version: 17.0.8-oracle,20,21,22
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: os_x
  • Submitted: 2023-08-08
  • Updated: 2024-08-28
  • Resolved: 2023-08-11
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 17 JDK 21 JDK 22
17.0.10-oracleFixed 21.0.1Fixed 22 b11Fixed
Related Reports
Blocks :  
JDK-8308042 - [macOS] Developer ID Application Certificate not picked up by jpackage if it contains UNICODE characters
Relates :  
JDK-8298488 - [macos13] tools/jpackage tests failing with "Exit code: 137" on macOS
Relates :  
JDK-8293462 - [macos] app image signature invalid when creating DMG or PKG from post processed signed image
Description
All signing tests which verify unsigned app images are failing. This is regression from JDK-8298488.

tools/jpackage/macosx/SigningAppImageTest.java
tools/jpackage/macosx/SigningAppImageTwoStepsTest.java
tools/jpackage/macosx/SigningPackageFromTwoStepAppImageTest.java:
tools/jpackage/macosx/SigningPackageTwoStepTest.java

They all failed for same reason:
----------System.err:(45/3004)----------
java.lang.AssertionError: Expected [1]. Actual [0]: Check command [/usr/bin/codesign --verify --deep --strict --verbose=2 ./test.e003ef3f/output/SigningAppImageTest.app/Contents/MacOS/SigningAppImageTest](6) exited with 1 code
	at jdk.jpackage.test.TKit.error(TKit.java:273)
	at jdk.jpackage.test.TKit.assertEquals(TKit.java:576)
	at jdk.jpackage.test.Executor$Result.assertExitCodeIs(Executor.java:186)
	at jdk.jpackage.test.Executor.execute(Executor.java:224)
	at SigningBase.codesignResult(SigningBase.java:59)
	at SigningBase.verifyCodesign(SigningBase.java:135)
	at SigningAppImageTest.test(SigningAppImageTest.java:80)

To reproduce issue just run above tests.
Comments
A pull request was submitted for review. URL: https://git.openjdk.org/jdk21u/pull/67 Date: 2023-08-17 00:10:11 +0000
17-08-2023
Fix Request Without this fix all signing tests which verifies unsigned app images will fail and it will be hard to test any fixes related to jpackage macOS signing since tests are broken. These tests are not run automatically, but executed by dev/SQE as needed due to special setup requirements. Also, this fix fixes issue when post-process unsigned app images when used with DMG or PKG will result in broken installed app image. Patch applies cleanly, low risk since it is fix to test and ad-hoc re-signing post process image should not cause any issues.
17-08-2023
Changeset: ec0cc630 Author: Alexander Matveev <almatvee@openjdk.org> Date: 2023-08-11 21:00:52 +0000 URL: https://git.openjdk.org/jdk/commit/ec0cc6300a02dd92b25d9072b8b3859dab583bbd
11-08-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/15235 Date: 2023-08-10 22:58:18 +0000
10-08-2023
Another issue discovered while working on this one. Unsigned app image becomes invalid when we creating DMG/PKG image from it. 1) jpackage --type app-image -i input -n Test --main-class components.DynamicTreeDemo --main-jar DynamicTreeDemo.jar 2) jpackage --type dmg --app-image Test.app or 2) jpackage --type pkg --app-image Test.app 3) Mount DMG or install PKG 4) /usr/bin/codesign --verify --deep --strict --verbose=2 /Volumes/Test/Test.app /Volumes/Test/Test.app: a sealed resource is missing or invalid file added: /Volumes/Test/Test.app/Contents/app/.package or 4) /usr/bin/codesign --verify --deep --strict --verbose=2 /Applications/Test.app /Applications/Test.app: a sealed resource is missing or invalid file added: /Applications/Test.app/Contents/app/.package Original image: /usr/bin/codesign --verify --deep --strict --verbose=2 Test.app Test.app: valid on disk Test.app: satisfies its Designated Requirement Adhoc code signing failed and thus app considered invalid. Reason for this is that we adding .package file to "unsigned" app image and "unsigned" app image is actually signed with adhoc signature and cannot be modified. Since root cause is same as this issue and it is regression from same JDK-8298488, this additional issue will be fixed as part of this bug.
10-08-2023