724 w.close();
725 }
726
727 private void writePkgInfo(File file) throws IOException {
728 //hardcoded as it does not seem we need to change it ever
729 String signature = "????";
730
731 try (Writer out = new BufferedWriter(new FileWriter(file))) {
732 out.write(OS_TYPE_CODE + signature);
733 out.flush();
734 }
735 }
736
737 public static void signAppBundle(Map<String, ? super Object> params, Path appLocation, String signingIdentity, String identifierPrefix, String entitlementsFile, String inheritedEntitlements) throws IOException {
738 AtomicReference<IOException> toThrow = new AtomicReference<>();
739 String appExecutable = "/Contents/MacOS/" + APP_NAME.fetchFrom(params);
740 String keyChain = SIGNING_KEYCHAIN.fetchFrom(params);
741
742 // sign all dylibs and jars
743 Files.walk(appLocation)
744 // while we are searching let's fix permissions
745 .peek(path -> {
746 try {
747 Set<PosixFilePermission> pfp = Files.getPosixFilePermissions(path);
748 if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) {
749 pfp = EnumSet.copyOf(pfp);
750 pfp.add(PosixFilePermission.OWNER_WRITE);
751 Files.setPosixFilePermissions(path, pfp);
752 }
753 } catch (IOException e) {
754 Log.debug(e);
755 }
756 })
757 .filter(p -> Files.isRegularFile(p) &&
758 !(p.toString().contains("/Contents/MacOS/libjli.dylib")
759 || p.toString().contains("/Contents/MacOS/JavaAppletPlugin")
760 || p.toString().endsWith(appExecutable))
761 ).forEach(p -> {
762 //noinspection ThrowableResultOfMethodCallIgnored
763 if (toThrow.get() != null) return;
764
765 List<String> args = new ArrayList<>();
766 args.addAll(Arrays.asList("codesign",
767 "-s", signingIdentity, // sign with this key
768 "--prefix", identifierPrefix, // use the identifier as a prefix
769 "-vvvv"));
770 if (entitlementsFile != null &&
771 (p.toString().endsWith(".jar")
772 || p.toString().endsWith(".dylib"))) {
773 args.add("--entitlements");
774 args.add(entitlementsFile); // entitlements
775 } else if (inheritedEntitlements != null && Files.isExecutable(p)) {
776 args.add("--entitlements");
777 args.add(inheritedEntitlements); // inherited entitlements for executable processes
778 }
779 if (keyChain != null && !keyChain.isEmpty()) {
780 args.add("--keychain");
781 args.add(keyChain);
782 }
783 args.add(p.toString());
784
785 try {
786 Set<PosixFilePermission> oldPermissions = Files.getPosixFilePermissions(p);
787 File f = p.toFile();
788 f.setWritable(true, true);
789
790 ProcessBuilder pb = new ProcessBuilder(args);
791 IOUtils.exec(pb, VERBOSE.fetchFrom(params));
792
793 Files.setPosixFilePermissions(p, oldPermissions);
794 } catch (IOException ioe) {
795 toThrow.set(ioe);
796 }
797 });
798
799 IOException ioe = toThrow.get();
800 if (ioe != null) {
801 throw ioe;
802 }
803
804 // sign all plugins and frameworks
805 Consumer<? super Path> signIdentifiedByPList = path -> {
806 //noinspection ThrowableResultOfMethodCallIgnored
807 if (toThrow.get() != null) return;
808
809 try {
810 List<String> args = new ArrayList<>();
811 args.addAll(Arrays.asList("codesign",
812 "-s", signingIdentity, // sign with this key
813 "--prefix", identifierPrefix, // use the identifier as a prefix
814 "-vvvv"));
815 if (keyChain != null && !keyChain.isEmpty()) {
816 args.add("--keychain");
|
724 w.close();
725 }
726
727 private void writePkgInfo(File file) throws IOException {
728 //hardcoded as it does not seem we need to change it ever
729 String signature = "????";
730
731 try (Writer out = new BufferedWriter(new FileWriter(file))) {
732 out.write(OS_TYPE_CODE + signature);
733 out.flush();
734 }
735 }
736
737 public static void signAppBundle(Map<String, ? super Object> params, Path appLocation, String signingIdentity, String identifierPrefix, String entitlementsFile, String inheritedEntitlements) throws IOException {
738 AtomicReference<IOException> toThrow = new AtomicReference<>();
739 String appExecutable = "/Contents/MacOS/" + APP_NAME.fetchFrom(params);
740 String keyChain = SIGNING_KEYCHAIN.fetchFrom(params);
741
742 // sign all dylibs and jars
743 Files.walk(appLocation)
744 // fix permissions
745 .peek(path -> {
746 try {
747 Set<PosixFilePermission> pfp = Files.getPosixFilePermissions(path);
748 if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) {
749 pfp = EnumSet.copyOf(pfp);
750 pfp.add(PosixFilePermission.OWNER_WRITE);
751 Files.setPosixFilePermissions(path, pfp);
752 }
753 } catch (IOException e) {
754 Log.debug(e);
755 }
756 })
757 .filter(p -> Files.isRegularFile(p) &&
758 !(p.toString().contains("/Contents/MacOS/libjli.dylib")
759 || p.toString().contains("/Contents/MacOS/JavaAppletPlugin")
760 || p.toString().endsWith(appExecutable))
761 ).forEach(p -> {
762 //noinspection ThrowableResultOfMethodCallIgnored
763 if (toThrow.get() != null) return;
764
765 // If p is a symlink then skip the signing process.
766 if (!Files.isSymbolicLink(p)) {
767 List<String> args = new ArrayList<>();
768 args.addAll(Arrays.asList("codesign",
769 "-s", signingIdentity, // sign with this key
770 "--prefix", identifierPrefix, // use the identifier as a prefix
771 "-vvvv"));
772 if (entitlementsFile != null &&
773 (p.toString().endsWith(".jar")
774 || p.toString().endsWith(".dylib"))) {
775 args.add("--entitlements");
776 args.add(entitlementsFile); // entitlements
777 } else if (inheritedEntitlements != null && Files.isExecutable(p)) {
778 args.add("--entitlements");
779 args.add(inheritedEntitlements); // inherited entitlements for executable processes
780 }
781 if (keyChain != null && !keyChain.isEmpty()) {
782 args.add("--keychain");
783 args.add(keyChain);
784 }
785 args.add(p.toString());
786
787 try {
788 Set<PosixFilePermission> oldPermissions = Files.getPosixFilePermissions(p);
789 File f = p.toFile();
790 f.setWritable(true, true);
791
792 ProcessBuilder pb = new ProcessBuilder(args);
793 IOUtils.exec(pb, VERBOSE.fetchFrom(params));
794
795 Files.setPosixFilePermissions(p, oldPermissions);
796 } catch (IOException ioe) {
797 toThrow.set(ioe);
798 }
799 }
800 });
801
802 IOException ioe = toThrow.get();
803 if (ioe != null) {
804 throw ioe;
805 }
806
807 // sign all plugins and frameworks
808 Consumer<? super Path> signIdentifiedByPList = path -> {
809 //noinspection ThrowableResultOfMethodCallIgnored
810 if (toThrow.get() != null) return;
811
812 try {
813 List<String> args = new ArrayList<>();
814 args.addAll(Arrays.asList("codesign",
815 "-s", signingIdentity, // sign with this key
816 "--prefix", identifierPrefix, // use the identifier as a prefix
817 "-vvvv"));
818 if (keyChain != null && !keyChain.isEmpty()) {
819 args.add("--keychain");
|
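Review bot: The `Files.isSymbolicLink(p)` guard at line 766 of the right-hand version only protects the `codesign` call, while the `.peek` step at lines 745-756 still runs on every walked path, links included. `Files.getPosixFilePermissions` and `Files.setPosixFilePermissions` resolve links by default, so a symlink in the bundle whose target lies outside `appLocation` would still get `OWNER_WRITE` added to that target. Starting the peek lambda with `if (Files.isSymbolicLink(path)) return;` keeps the permission fix inside the bundle. The signing guard could then move into the existing `.filter` as `&& !Files.isSymbolicLink(p)` rather than re-indenting the whole `forEach` body. `signAppBundle` continues past the visible lines, so it cannot be judged from here whether the later plugin/framework signing pass needs the same check.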