--- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java 2020-03-24 12:59:29.287972900 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java 2020-03-24 12:59:27.493808000 -0400 @@ -368,13 +368,40 @@ String signingIdentity = DEVELOPER_ID_APP_SIGNING_KEY.fetchFrom(params); if (signingIdentity != null) { + prepareEntitlements(params); signAppBundle(params, root, signingIdentity, - BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params), null, null); + BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params), + getConfig_Entitlements(params).toString(), + getConfig_Inherit_Entitlements(params).toString()); } restoreKeychainList(params); } } + private File getConfig_Entitlements(Map params) { + return new File(CONFIG_ROOT.fetchFrom(params), + getLauncherName(params) + ".entitlements"); + } + + private File getConfig_Inherit_Entitlements( + Map params) { + return new File(CONFIG_ROOT.fetchFrom(params), + getLauncherName(params) + "_Inherit.entitlements"); + } + + private void prepareEntitlements(Map params) + throws IOException { + createResource("Mac.entitlements", params) + .setCategory(I18N.getString("resource.mac-entitlements")) + .saveToFile(getConfig_Entitlements(params)); + + createResource("Mac_Inherit.entitlements", params) + .setCategory(I18N.getString( + "resource.mac-inherit-entitlements")) + .saveToFile(getConfig_Inherit_Entitlements(params)); + } + + private String getLauncherName(Map params) { if (APP_NAME.fetchFrom(params) != null) { return APP_NAME.fetchFrom(params); @@ -762,7 +789,8 @@ && !(p.toString().contains("/Contents/MacOS/libjli.dylib") || p.toString().endsWith(appExecutable) || p.toString().contains("/Contents/runtime") - || p.toString().contains("/Contents/Frameworks"))).forEach(p -> { + || p.toString().contains("/Contents/Frameworks")) + ).forEach(p -> { //noinspection ThrowableResultOfMethodCallIgnored if (toThrow.get() != null) return; 
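Review bot: The three helpers added in the -368 hunk (`getConfig_Entitlements`, `getConfig_Inherit_Entitlements`, `prepareEntitlements`) carry no comments, although the files they write decide which entitlements the signed app and its child processes receive under `--options runtime`. I would add a Javadoc on `prepareEntitlements` such as `/** Writes the main and inherited entitlements plists to the config root before signing. */`, plus a line on each getter saying which signing pass consumes its file. The contents of `Mac.entitlements` and `Mac_Inherit.entitlements` are not on this page. If `createResource` lets a user-supplied resource replace the default, as its use here suggests, the comment should say that the override is handed to `codesign` unchanged.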
@@ -778,12 +806,14 @@ return; } } - List args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key + "--timestamp", + "--options", "runtime", + "--deep", + "--force", + "-s", signingIdentity, "--prefix", identifierPrefix, - // use the identifier as a prefix "-vvvv")); if (entitlementsFile != null && (p.toString().endsWith(".jar") @@ -836,6 +866,19 @@ "--prefix", identifierPrefix, // use the identifier as a prefix "-vvvv")); + + if (entitlementsFile != null && + (path.toString().endsWith(".jar") + || path.toString().endsWith(".dylib"))) { + args.add("--entitlements"); + args.add(entitlementsFile); // entitlements + } else if (inheritedEntitlements != null && + Files.isExecutable(path)) { + args.add("--entitlements"); + args.add(inheritedEntitlements); + // inherited entitlements for executable processes + } + if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); args.add(keyChain); @@ -844,11 +887,15 @@ ProcessBuilder pb = new ProcessBuilder(args); IOUtils.exec(pb); + args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key + "--timestamp", + "--options", "runtime", + "--deep", + "--force", + "-s", signingIdentity, "--prefix", identifierPrefix, - // use the identifier as a prefix "-vvvv")); if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); @@ -886,8 +933,12 @@ // sign the app itself List args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key - "-vvvv")); // super verbose output + "--timestamp", + "--options", "runtime", + "--deep", + "--force", + "-s", signingIdentity, + "-vvvv")); if (entitlementsFile != null) { args.add("--entitlements"); args.add(entitlementsFile); // entitlements
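Review bot: `--deep` and `--force` are added to the per-file `codesign` call in the -778 hunk and again in the -844 and -886 hunks, and codesign's documentation says `--deep` applies the given signing options to all nested code. On the final app signature (-886) the nested code signed in the earlier passes would, as far as the visible calls show, be re-signed with the app's own options and `--entitlements` file, so the per-file choice between main and inherited entitlements would not survive. On the single files signed in this hunk the flag has nothing to recurse into. I would sign inside-out and drop the `"--deep",` line from all three calls, and keep the removed `// sign with this key` comment on the `"-s", signingIdentity,` line. The enclosing lambda starts and ends outside the hunk.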
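Review bot: `Files.isExecutable(path)` in the `else if` added by the -836 hunk is also true for a directory with the search bit set. If `path` can be a bundle directory such as the runtime (inferred, since the enclosing code is outside the hunk), it receives the inherited entitlements whether or not it is a launchable binary. If directories are not meant to match, `Files.isRegularFile(path) && Files.isExecutable(path)` states that. The condition also repeats the jar/dylib test visible at the end of the -778 hunk, so a small private helper that returns the entitlements path for a given `Path` would keep the two signing passes in agreement.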