--- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java 2020-03-24 12:59:29.287972900 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java 2020-03-24 12:59:27.493808000 -0400 @@ -368,13 +368,40 @@ String signingIdentity = DEVELOPER_ID_APP_SIGNING_KEY.fetchFrom(params); if (signingIdentity != null) { + prepareEntitlements(params); signAppBundle(params, root, signingIdentity, - BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params), null, null); + BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params), + getConfig_Entitlements(params).toString(), + getConfig_Inherit_Entitlements(params).toString()); } restoreKeychainList(params); } } + private File getConfig_Entitlements(Map params) { + return new File(CONFIG_ROOT.fetchFrom(params), + getLauncherName(params) + ".entitlements"); + } + + private File getConfig_Inherit_Entitlements( + Map params) { + return new File(CONFIG_ROOT.fetchFrom(params), + getLauncherName(params) + "_Inherit.entitlements"); + } + + private void prepareEntitlements(Map params) + throws IOException { + createResource("Mac.entitlements", params) + .setCategory(I18N.getString("resource.mac-entitlements")) + .saveToFile(getConfig_Entitlements(params)); + + createResource("Mac_Inherit.entitlements", params) + .setCategory(I18N.getString( + "resource.mac-inherit-entitlements")) + .saveToFile(getConfig_Inherit_Entitlements(params)); + } + + private String getLauncherName(Map params) { if (APP_NAME.fetchFrom(params) != null) { return APP_NAME.fetchFrom(params); @@ -762,7 +789,8 @@ && !(p.toString().contains("/Contents/MacOS/libjli.dylib") || p.toString().endsWith(appExecutable) || p.toString().contains("/Contents/runtime") - || p.toString().contains("/Contents/Frameworks"))).forEach(p -> { + || p.toString().contains("/Contents/Frameworks")) + ).forEach(p -> { //noinspection ThrowableResultOfMethodCallIgnored if (toThrow.get() != null) return; 
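Review bot: The new helpers `getConfig_Entitlements`, `getConfig_Inherit_Entitlements` and `prepareEntitlements` in hunk @@ -368 carry no comments, and nothing at the call site says that entitlements are now unconditional: `signAppBundle` used to receive `null, null` here and now always receives two file paths, so every Developer ID signature embeds whatever `Mac.entitlements` resolves to. I would add a Javadoc on `prepareEntitlements` such as `/** Writes the app and inherited entitlements plists under CONFIG_ROOT; both are passed to codesign for every signed bundle. */` and state there how a packager replaces the defaults, which this hunk does not show. The same method body also appears in MacAppStoreBundler (hunk @@ -201), so a shared helper would keep the two resource names from drifting apart. The enclosing signing method starts before the hunk.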
@@ -778,12 +806,14 @@ return; } } - List args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key + "--timestamp", + "--options", "runtime", + "--deep", + "--force", + "-s", signingIdentity, "--prefix", identifierPrefix, - // use the identifier as a prefix "-vvvv")); if (entitlementsFile != null && (p.toString().endsWith(".jar") @@ -836,6 +866,19 @@ "--prefix", identifierPrefix, // use the identifier as a prefix "-vvvv")); + + if (entitlementsFile != null && + (path.toString().endsWith(".jar") + || path.toString().endsWith(".dylib"))) { + args.add("--entitlements"); + args.add(entitlementsFile); // entitlements + } else if (inheritedEntitlements != null && + Files.isExecutable(path)) { + args.add("--entitlements"); + args.add(inheritedEntitlements); + // inherited entitlements for executable processes + } + if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); args.add(keyChain); @@ -844,11 +887,15 @@ ProcessBuilder pb = new ProcessBuilder(args); IOUtils.exec(pb); + args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key + "--timestamp", + "--options", "runtime", + "--deep", + "--force", + "-s", signingIdentity, "--prefix", identifierPrefix, - // use the identifier as a prefix "-vvvv")); if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); 
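Review bot: `--deep` together with `--force` is added to the per-file codesign call in hunk @@ -778, and again in hunks @@ -844 and @@ -886, which can undo the per-file entitlement choice made a few lines later. The surrounding code already visits nested files one at a time and picks `entitlementsFile` or `inheritedEntitlements` for each; a later `--deep --force` pass over an enclosing bundle is expected to re-sign that nested code with the outer invocation's options, and Apple's guidance is to sign inside-out without `--deep`. I would drop `"--deep",` from all three argument lists and keep `"--force",` only where replacing an existing signature is intended. The removed `// sign with this key` comment could be replaced by one per new flag, for example `"--options", "runtime", // hardened runtime` and `"--timestamp", // secure timestamp from the signing service`. The lambda this hunk sits in starts and ends outside the hunk.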
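Review bot: The entitlement selection added in hunk @@ -836 keys on the file suffix and on `Files.isExecutable(path)`, which tests the permission bit rather than whether the file is a program. A `.dylib` with the execute bit set takes the first branch and is signed with the application entitlements, and any executable-flagged script or data file takes the second; to my knowledge entitlements only take effect on a process's main executable, so attaching them to `.jar` and `.dylib` files looks unnecessary and widens the set of files signed with them. The same condition is visible as context at the end of hunk @@ -778, so a small private helper that returns the entitlements path for a given `Path` would keep the two copies in step and give one place to document the rule. The enclosing method begins before this hunk.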
@@ -886,8 +933,12 @@ // sign the app itself List args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key - "-vvvv")); // super verbose output + "--timestamp", + "--options", "runtime", + "--deep", + "--force", + "-s", signingIdentity, + "-vvvv")); if (entitlementsFile != null) { args.add("--entitlements"); args.add(entitlementsFile); // entitlements --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppStoreBundler.java 2020-03-24 12:59:43.064094400 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppStoreBundler.java 2020-03-24 12:59:41.213884600 -0400 @@ -40,10 +40,6 @@ "jdk.incubator.jpackage.internal.resources.MacResources"); private static final String TEMPLATE_BUNDLE_ICON_HIDPI = "java.icns"; - private final static String DEFAULT_ENTITLEMENTS = - "MacAppStore.entitlements"; - private final static String DEFAULT_INHERIT_ENTITLEMENTS = - "MacAppStore_Inherit.entitlements"; public static final BundlerParamInfo MAC_APP_STORE_APP_SIGNING_KEY = new StandardBundlerParam<>( @@ -94,13 +90,6 @@ }, (s, p) -> s); - public static final StandardBundlerParam MAC_APP_STORE_ENTITLEMENTS = - new StandardBundlerParam<>( - Arguments.CLIOptions.MAC_APP_STORE_ENTITLEMENTS.getId(), - File.class, - params -> null, - (s, p) -> new File(s)); - public static final BundlerParamInfo INSTALLER_SUFFIX = new StandardBundlerParam<> ( "mac.app-store.installerName.suffix", 
@@ -201,16 +190,14 @@ private void prepareEntitlements(Map params) throws IOException { - createResource(DEFAULT_ENTITLEMENTS, params) - .setCategory( - I18N.getString("resource.mac-app-store-entitlements")) - .setExternal(MAC_APP_STORE_ENTITLEMENTS.fetchFrom(params)) + createResource("Mac.entitlements", params) + .setCategory( I18N.getString("resource.mac-entitlements")) .saveToFile(getConfig_Entitlements(params)); - createResource(DEFAULT_INHERIT_ENTITLEMENTS, params) + createResource("Mac_Inherit.entitlements", params) .setCategory(I18N.getString( - "resource.mac-app-store-inherit-entitlements")) - .saveToFile(getConfig_Entitlements(params)); + "resource.mac-inherit-entitlements")) + .saveToFile(getConfig_Inherit_Entitlements(params)); } /////////////////////////////////////////////////////////////////////// --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources.properties 2020-03-24 12:59:56.841917800 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources.properties 2020-03-24 12:59:55.057435600 -0400 @@ -46,8 +46,8 @@ resource.bundle-config-file=Bundle config file resource.app-info-plist=Application Info.plist resource.runtime-info-plist=Java Runtime Info.plist -resource.mac-app-store-entitlements=Mac App Store Entitlements -resource.mac-app-store-inherit-entitlements=Mac App Store Inherit Entitlements +resource.mac-entitlements=Mac Entitlements +resource.mac-inherit-entitlements=Mac Inherit Entitlements resource.dmg-setup-script=DMG setup script resource.license-setup=License setup resource.dmg-background=dmg background --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources_ja.properties 2020-03-24 13:00:09.861368500 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources_ja.properties 2020-03-24 13:00:08.095148900 -0400 
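Review bot: App Store packages now take their entitlements from the shared `Mac.entitlements` resource in hunk @@ -201, which grants more than the file it replaces. The deleted `MacAppStore.entitlements` at the end of this patch lists only `com.apple.security.app-sandbox`, while the new `Mac.entitlements` adds five `com.apple.security.cs.*` keys, and the `.setExternal(MAC_APP_STORE_ENTITLEMENTS.fetchFrom(params))` override is dropped in the same hunk. If the App Store path is meant to keep a sandbox-only default, keep a separate resource name here, for example `createResource("MacAppStore.entitlements", params)`; otherwise a comment on `prepareEntitlements` should state that the broader set is intentional and how a packager narrows it.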
@@ -46,8 +46,8 @@ resource.bundle-config-file=\u30D0\u30F3\u30C9\u30EB\u69CB\u6210\u30D5\u30A1\u30A4\u30EB resource.app-info-plist=\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u306EInfo.plist resource.runtime-info-plist=Java\u30E9\u30F3\u30BF\u30A4\u30E0\u306EInfo.plist -resource.mac-app-store-entitlements=Mac App Store\u6A29\u9650 -resource.mac-app-store-inherit-entitlements=Mac App Store\u7D99\u627F\u6A29\u9650 +resource.mac-entitlements=Mac \u6A29\u9650 +resource.mac-inherit-entitlements=Mac \u7D99\u627F\u6A29\u9650 resource.dmg-setup-script=DMG\u8A2D\u5B9A\u30B9\u30AF\u30EA\u30D7\u30C8 resource.license-setup=\u30E9\u30A4\u30BB\u30F3\u30B9\u306E\u8A2D\u5B9A resource.dmg-background=dmg\u80CC\u666F --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources_zh_CN.properties 2020-03-24 13:00:22.969296000 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources_zh_CN.properties 2020-03-24 13:00:21.076970300 -0400 @@ -46,8 +46,8 @@ resource.bundle-config-file=\u5305\u914D\u7F6E\u6587\u4EF6 resource.app-info-plist=\u5E94\u7528\u7A0B\u5E8F Info.plist resource.runtime-info-plist=Java \u8FD0\u884C\u65F6 Info.plist -resource.mac-app-store-entitlements=Mac App Store \u6743\u5229 -resource.mac-app-store-inherit-entitlements=Mac App Store \u7EE7\u627F\u6743\u5229 +resource.mac-entitlements=Mac \u6743\u5229 +resource.mac-inherit-entitlements=Mac \u7EE7\u627F\u6743\u5229 resource.dmg-setup-script=DMG \u8BBE\u7F6E\u811A\u672C resource.license-setup=\u8BB8\u53EF\u8BC1\u8BBE\u7F6E resource.dmg-background=DMG \u80CC\u666F --- old/src/jdk.incubator.jpackage/share/classes/jdk/incubator/jpackage/internal/Arguments.java 2020-03-24 13:00:36.148394600 -0400 +++ new/src/jdk.incubator.jpackage/share/classes/jdk/incubator/jpackage/internal/Arguments.java 2020-03-24 13:00:34.399242000 -0400 
@@ -285,9 +285,6 @@ MAC_SIGNING_KEYCHAIN ("mac-signing-keychain", OptionCategories.PLATFORM_MAC), - MAC_APP_STORE_ENTITLEMENTS ("mac-app-store-entitlements", - OptionCategories.PLATFORM_MAC), - WIN_MENU_HINT ("win-menu", OptionCategories.PLATFORM_WIN, () -> { setOptionValue("win-menu", true); }), --- old/src/jdk.incubator.jpackage/share/classes/jdk/incubator/jpackage/internal/ValidOptions.java 2020-03-24 13:00:49.504320100 -0400 +++ new/src/jdk.incubator.jpackage/share/classes/jdk/incubator/jpackage/internal/ValidOptions.java 2020-03-24 13:00:47.693036000 -0400 @@ -109,12 +109,9 @@ options.put(CLIOptions.MAC_SIGN.getId(), USE.ALL); options.put(CLIOptions.MAC_BUNDLE_NAME.getId(), USE.ALL); options.put(CLIOptions.MAC_BUNDLE_IDENTIFIER.getId(), USE.ALL); - options.put(CLIOptions.MAC_BUNDLE_SIGNING_PREFIX.getId(), - USE.ALL); + options.put(CLIOptions.MAC_BUNDLE_SIGNING_PREFIX.getId(), USE.ALL); options.put(CLIOptions.MAC_SIGNING_KEY_NAME.getId(), USE.ALL); options.put(CLIOptions.MAC_SIGNING_KEYCHAIN.getId(), USE.ALL); - options.put(CLIOptions.MAC_APP_STORE_ENTITLEMENTS.getId(), - USE.ALL); } if (Platform.getPlatform() == Platform.LINUX) { --- /dev/null 2020-03-24 13:01:04.000000000 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/Mac.entitlements 2020-03-24 13:01:01.000733200 -0400 @@ -0,0 +1,18 @@ + + + + + com.apple.security.app-sandbox + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-library-validation + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.debugger + + + --- /dev/null 2020-03-24 13:01:13.000000000 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/Mac_Inherit.entitlements 2020-03-24 13:01:10.671593400 -0400 
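Review bot: The default entitlements added in the new `Mac.entitlements` file include `com.apple.security.cs.disable-library-validation`, `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.debugger`, each of which switches off a hardened-runtime protection, and they become the default for every application the tool signs. The values are not visible in this rendering, so this assumes they are set to true. A JVM plausibly needs `allow-jit` and possibly `allow-unsigned-executable-memory`, but library validation, dyld environment variables and the debugger entitlement are better left out of the default and supplied by packagers who need them. The same keys appear in `Mac_Inherit.entitlements` in the next hunk. A short XML comment above each remaining key stating why the runtime needs it would help later reviewers.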
@@ -0,0 +1,20 @@ + + + + + com.apple.security.app-sandbox + + com.apple.security.inherit + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-library-validation + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.debugger + + + --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacAppStore.entitlements 2020-03-24 13:01:22.015027300 -0400 +++ /dev/null 2020-03-24 13:01:23.000000000 -0400 @@ -1,8 +0,0 @@ - - - - - com.apple.security.app-sandbox - - - --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacAppStore_Inherit.entitlements 2020-03-24 13:01:29.399843300 -0400 +++ /dev/null 2020-03-24 13:01:30.000000000 -0400 @@ -1,10 +0,0 @@ - - - - - com.apple.security.app-sandbox - - com.apple.security.inherit - - -