--- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java 2020-03-26 13:05:09.276808100 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java 2020-03-26 13:05:07.455768400 -0400 @@ -369,7 +369,7 @@ DEVELOPER_ID_APP_SIGNING_KEY.fetchFrom(params); if (signingIdentity != null) { signAppBundle(params, root, signingIdentity, - BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params), null, null); + BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params)); } restoreKeychainList(params); } @@ -737,14 +737,13 @@ public static void signAppBundle( Map params, Path appLocation, - String signingIdentity, String identifierPrefix, - String entitlementsFile, String inheritedEntitlements) + String signingIdentity, String identifierPrefix) throws IOException { AtomicReference toThrow = new AtomicReference<>(); String appExecutable = "/Contents/MacOS/" + APP_NAME.fetchFrom(params); String keyChain = SIGNING_KEYCHAIN.fetchFrom(params); - // sign all dylibs and jars + // sign all dylibs and executables try (Stream stream = Files.walk(appLocation)) { stream.peek(path -> { // fix permissions try { @@ -758,12 +757,13 @@ } catch (IOException e) { Log.verbose(e); } - }).filter(p -> Files.isRegularFile(p) - && !(p.toString().contains("/Contents/MacOS/libjli.dylib") - || p.toString().endsWith(appExecutable) + }).filter(p -> Files.isRegularFile(p) && + (Files.isExecutable(p) || p.toString().endsWith(".dylib")) + && !(p.toString().endsWith(appExecutable) || p.toString().contains("/Contents/runtime") - || p.toString().contains("/Contents/Frameworks"))).forEach(p -> { - //noinspection ThrowableResultOfMethodCallIgnored + || p.toString().contains("/Contents/Frameworks")) + ).forEach(p -> { + // noinspection ThrowableResultOfMethodCallIgnored if (toThrow.get() != null) return; // If p is a symlink then skip the signing process. @@ -778,24 +778,13 @@ return; } } - List args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key + "--timestamp", + "--options", "runtime", + "-s", signingIdentity, "--prefix", identifierPrefix, - // use the identifier as a prefix "-vvvv")); - if (entitlementsFile != null && - (p.toString().endsWith(".jar") - || p.toString().endsWith(".dylib"))) { - args.add("--entitlements"); - args.add(entitlementsFile); // entitlements - } else if (inheritedEntitlements != null && - Files.isExecutable(p)) { - args.add("--entitlements"); - args.add(inheritedEntitlements); - // inherited entitlements for executable processes - } if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); args.add(keyChain); @@ -809,6 +798,7 @@ f.setWritable(true, true); ProcessBuilder pb = new ProcessBuilder(args); + IOUtils.exec(pb); Files.setPosixFilePermissions(p, oldPermissions); @@ -831,32 +821,22 @@ try { List args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-f", + "--timestamp", + "--options", "runtime", + "--deep", + "--force", "-s", signingIdentity, // sign with this key "--prefix", identifierPrefix, // use the identifier as a prefix "-vvvv")); + if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); args.add(keyChain); } args.add(path.toString()); ProcessBuilder pb = new ProcessBuilder(args); - IOUtils.exec(pb); - args = new ArrayList<>(); - args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key - "--prefix", identifierPrefix, - // use the identifier as a prefix - "-vvvv")); - if (keyChain != null && !keyChain.isEmpty()) { - args.add("--keychain"); - args.add(keyChain); - } - args.add(path.toString() - + "/Contents/_CodeSignature/CodeResources"); - pb = new ProcessBuilder(args); IOUtils.exec(pb); } catch (IOException e) { toThrow.set(e); @@ -886,12 +866,12 @@ // sign the app itself List args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key - "-vvvv")); // super verbose output - if (entitlementsFile != null) { - args.add("--entitlements"); - args.add(entitlementsFile); // entitlements - } + "--timestamp", + "--options", "runtime", + "--deep", + "--force", + "-s", signingIdentity, + "-vvvv")); if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); args.add(keyChain); @@ -900,6 +880,7 @@ ProcessBuilder pb = new ProcessBuilder(args.toArray(new String[args.size()])); + IOUtils.exec(pb); }