--- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java 2020-03-30 12:44:32.836094800 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppImageBuilder.java 2020-03-30 12:44:31.039553500 -0400 @@ -368,14 +368,28 @@ String signingIdentity = DEVELOPER_ID_APP_SIGNING_KEY.fetchFrom(params); if (signingIdentity != null) { + prepareEntitlements(params); signAppBundle(params, root, signingIdentity, - BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params), null, null); + BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params), + getConfig_Entitlements(params)); } restoreKeychainList(params); } } - private String getLauncherName(Map params) { + static File getConfig_Entitlements(Map params) { + return new File(CONFIG_ROOT.fetchFrom(params), + getLauncherName(params) + ".entitlements"); + } + + static void prepareEntitlements(Map params) + throws IOException { + createResource("default.entitlements", params) + .setCategory(I18N.getString("resource.entitlements")) + .saveToFile(getConfig_Entitlements(params)); + } + + private static String getLauncherName(Map params) { if (APP_NAME.fetchFrom(params) != null) { return APP_NAME.fetchFrom(params); } else { @@ -735,16 +749,15 @@ IOUtils.exec(pb); } - public static void signAppBundle( + static void signAppBundle( Map params, Path appLocation, - String signingIdentity, String identifierPrefix, - String entitlementsFile, String inheritedEntitlements) + String signingIdentity, String identifierPrefix, File entitlements) throws IOException { AtomicReference toThrow = new AtomicReference<>(); String appExecutable = "/Contents/MacOS/" + APP_NAME.fetchFrom(params); String keyChain = SIGNING_KEYCHAIN.fetchFrom(params); - // sign all dylibs and jars + // sign all dylibs and executables try (Stream stream = Files.walk(appLocation)) { stream.peek(path -> { // fix permissions try { 
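Review bot: `prepareEntitlements` now runs on every Developer ID signing pass and always writes the bundled `default.entitlements`, and the only key visible in that template on this page is `com.apple.security.app-sandbox`. Together with the `--options runtime` added in the signing hunks this changes behaviour for existing users. A JVM under the hardened runtime usually also needs a JIT entitlement such as `com.apple.security.cs.allow-jit`, which I do not see in the template. The old `MAC_APP_STORE_ENTITLEMENTS` option and its `setExternal` call are removed elsewhere in this patch, so please add a comment above `prepareEntitlements` saying how a user overrides the generated file, for example `// writes the default entitlements unless the resource dir supplies an override`, if that is what `createResource` does (not visible here).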
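Review bot: `signAppBundle` changes its signature in this hunk but nothing documents the contract of the new `File entitlements` parameter. Later hunks pass it to codesign only for files where `Files.isExecutable(p)` holds and treat `null` as "sign without entitlements". A short Javadoc would make that explicit, e.g. `@param entitlements entitlements plist applied to nested executables, or null to sign without one`. The method body continues beyond this hunk.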
@@ -758,50 +771,44 @@ } catch (IOException e) { Log.verbose(e); } - }).filter(p -> Files.isRegularFile(p) - && !(p.toString().contains("/Contents/MacOS/libjli.dylib") - || p.toString().endsWith(appExecutable) + }).filter(p -> Files.isRegularFile(p) && + (Files.isExecutable(p) || p.toString().endsWith(".dylib")) + && !(p.toString().endsWith(appExecutable) || p.toString().contains("/Contents/runtime") - || p.toString().contains("/Contents/Frameworks"))).forEach(p -> { - //noinspection ThrowableResultOfMethodCallIgnored + || p.toString().contains("/Contents/Frameworks")) + ).forEach(p -> { + // noinspection ThrowableResultOfMethodCallIgnored if (toThrow.get() != null) return; // If p is a symlink then skip the signing process. if (Files.isSymbolicLink(p)) { - if (VERBOSE.fetchFrom(params)) { - Log.verbose(MessageFormat.format(I18N.getString( - "message.ignoring.symlink"), p.toString())); - } + Log.verbose(MessageFormat.format(I18N.getString( + "message.ignoring.symlink"), p.toString())); + } else if (isFileSigned(p)) { + // executable or lib already signed + Log.verbose(MessageFormat.format(I18N.getString( + "message.already.signed"), p.toString())); } else { - if (p.toString().endsWith(LIBRARY_NAME)) { - if (isFileSigned(p)) { - return; - } - } - List args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key + "--timestamp", + "--options", "runtime", + "-s", signingIdentity, "--prefix", identifierPrefix, - // use the identifier as a prefix "-vvvv")); - if (entitlementsFile != null && - (p.toString().endsWith(".jar") - || p.toString().endsWith(".dylib"))) { - args.add("--entitlements"); - args.add(entitlementsFile); // entitlements - } else if (inheritedEntitlements != null && - Files.isExecutable(p)) { - args.add("--entitlements"); - args.add(inheritedEntitlements); - // inherited entitlements for executable processes - } if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); args.add(keyChain); } 
args.add(p.toString()); + if (Files.isExecutable(p)) { + if (entitlements != null) { + args.add("--entitlements"); + args.add(entitlements.toString()); + } + } + try { Set oldPermissions = Files.getPosixFilePermissions(p); @@ -809,6 +816,7 @@ f.setWritable(true, true); ProcessBuilder pb = new ProcessBuilder(args); + IOUtils.exec(pb); Files.setPosixFilePermissions(p, oldPermissions); @@ -831,32 +839,22 @@ try { List args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-f", + "--timestamp", + "--options", "runtime", + "--deep", + "--force", "-s", signingIdentity, // sign with this key "--prefix", identifierPrefix, // use the identifier as a prefix "-vvvv")); + if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); args.add(keyChain); } args.add(path.toString()); ProcessBuilder pb = new ProcessBuilder(args); - IOUtils.exec(pb); - args = new ArrayList<>(); - args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key - "--prefix", identifierPrefix, - // use the identifier as a prefix - "-vvvv")); - if (keyChain != null && !keyChain.isEmpty()) { - args.add("--keychain"); - args.add(keyChain); - } - args.add(path.toString() - + "/Contents/_CodeSignature/CodeResources"); - pb = new ProcessBuilder(args); IOUtils.exec(pb); } catch (IOException e) { toThrow.set(e); @@ -886,12 +884,12 @@ // sign the app itself List args = new ArrayList<>(); args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key - "-vvvv")); // super verbose output - if (entitlementsFile != null) { - args.add("--entitlements"); - args.add(entitlementsFile); // entitlements - } + "--timestamp", + "--options", "runtime", + "--deep", + "--force", + "-s", signingIdentity, + "-vvvv")); if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); args.add(keyChain); 
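Review bot: The added `--entitlements` arguments are appended after the context line `args.add(p.toString());`, so they land behind the path operand on the codesign command line. Whether codesign still parses options placed after the first path depends on its argument handling; if it does not, executables are signed without entitlements or the entitlements file is taken as a second target. Moving `args.add(p.toString());` below the `if (Files.isExecutable(p))` block removes the doubt. Separately, the new `else if (isFileSigned(p))` branch skips any file that already carries a signature, without checking which identity made it or whether it has the hardened runtime and a timestamp. `isFileSigned` is defined outside this hunk, so please confirm that is intended.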
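Review bot: Both the runtime/Frameworks signing in this hunk and the final app signing in the `@@ -886` hunk now pass `--deep --force`, which makes codesign re-sign nested code with the options of that one invocation. Neither command carries `--entitlements` (the `@@ -886` hunk drops the old `entitlementsFile` branch without a replacement). As far as I can tell the per-executable signatures made earlier with entitlements are therefore overwritten, and the main launcher, which the file walk excludes via `endsWith(appExecutable)`, never receives them. I would drop `--deep` and add `if (entitlements != null) { args.add("--entitlements"); args.add(entitlements.toString()); }` before the path in the app-signing command. Both enclosing blocks start outside their hunks.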
@@ -900,6 +898,7 @@ ProcessBuilder pb = new ProcessBuilder(args.toArray(new String[args.size()])); + IOUtils.exec(pb); } --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppStoreBundler.java 2020-03-30 12:44:47.529035300 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/MacAppStoreBundler.java 2020-03-30 12:44:45.792140600 -0400 @@ -40,10 +40,6 @@ "jdk.incubator.jpackage.internal.resources.MacResources"); private static final String TEMPLATE_BUNDLE_ICON_HIDPI = "java.icns"; - private final static String DEFAULT_ENTITLEMENTS = - "MacAppStore.entitlements"; - private final static String DEFAULT_INHERIT_ENTITLEMENTS = - "MacAppStore_Inherit.entitlements"; public static final BundlerParamInfo MAC_APP_STORE_APP_SIGNING_KEY = new StandardBundlerParam<>( @@ -94,13 +90,6 @@ }, (s, p) -> s); - public static final StandardBundlerParam MAC_APP_STORE_ENTITLEMENTS = - new StandardBundlerParam<>( - Arguments.CLIOptions.MAC_APP_STORE_ENTITLEMENTS.getId(), - File.class, - params -> null, - (s, p) -> new File(s)); - public static final BundlerParamInfo INSTALLER_SUFFIX = new StandardBundlerParam<> ( "mac.app-store.installerName.suffix", @@ -133,20 +122,15 @@ params.put(DEVELOPER_ID_APP_SIGNING_KEY.getID(), null); File appLocation = prepareAppBundle(params); - prepareEntitlements(params); - String signingIdentity = MAC_APP_STORE_APP_SIGNING_KEY.fetchFrom(params); String identifierPrefix = BUNDLE_ID_SIGNING_PREFIX.fetchFrom(params); - String entitlementsFile = - getConfig_Entitlements(params).toString(); - String inheritEntitlements = - getConfig_Inherit_Entitlements(params).toString(); + MacAppImageBuilder.prepareEntitlements(params); MacAppImageBuilder.signAppBundle(params, appLocation.toPath(), signingIdentity, identifierPrefix, - entitlementsFile, inheritEntitlements); + MacAppImageBuilder.getConfig_Entitlements(params)); MacAppImageBuilder.restoreKeychainList(params); ProcessBuilder pb; 
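Review bot: In the `@@ -133` hunk the App Store path now signs every nested executable with the same generated file as the main app. It previously passed a separate inherit file, and the deleted `MacAppStore_Inherit.entitlements` contained `com.apple.security.inherit`. Sandboxed helper executables spawned by the app normally rely on that entitlement, so please confirm that helpers still launch and pass App Store validation with `default.entitlements` alone. A comment before `MacAppImageBuilder.prepareEntitlements(params);` stating that one file is deliberately used for both would help, e.g. `// single entitlements file for the app and its nested executables`. The enclosing method starts and ends outside this hunk.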
@@ -188,31 +172,6 @@ } } - private File getConfig_Entitlements(Map params) { - return new File(CONFIG_ROOT.fetchFrom(params), - APP_NAME.fetchFrom(params) + ".entitlements"); - } - - private File getConfig_Inherit_Entitlements( - Map params) { - return new File(CONFIG_ROOT.fetchFrom(params), - APP_NAME.fetchFrom(params) + "_Inherit.entitlements"); - } - - private void prepareEntitlements(Map params) - throws IOException { - createResource(DEFAULT_ENTITLEMENTS, params) - .setCategory( - I18N.getString("resource.mac-app-store-entitlements")) - .setExternal(MAC_APP_STORE_ENTITLEMENTS.fetchFrom(params)) - .saveToFile(getConfig_Entitlements(params)); - - createResource(DEFAULT_INHERIT_ENTITLEMENTS, params) - .setCategory(I18N.getString( - "resource.mac-app-store-inherit-entitlements")) - .saveToFile(getConfig_Entitlements(params)); - } - /////////////////////////////////////////////////////////////////////// // Implement Bundler /////////////////////////////////////////////////////////////////////// --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources.properties 2020-03-30 12:45:01.029280400 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources.properties 2020-03-30 12:44:59.231830300 -0400 @@ -46,8 +46,7 @@ resource.bundle-config-file=Bundle config file resource.app-info-plist=Application Info.plist resource.runtime-info-plist=Java Runtime Info.plist -resource.mac-app-store-entitlements=Mac App Store Entitlements -resource.mac-app-store-inherit-entitlements=Mac App Store Inherit Entitlements +resource.entitlements=Mac Entitlements resource.dmg-setup-script=DMG setup script resource.license-setup=License setup resource.dmg-background=dmg background 
@@ -68,6 +67,7 @@ message.version-string-numbers-only=Version strings can consist of only numbers and up to two dots. message.creating-association-with-null-extension=Creating association with null extension. message.ignoring.symlink=Warning: codesign is skipping the symlink {0}. +message.already.signed=File already signed: {0}. message.keychain.error=Error: unable to get keychain list. message.building-bundle=Building Mac App Store Package for {0}. message.app-image-dir-does-not-exist=Specified application image directory {0}: {1} does not exists. --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources_ja.properties 2020-03-30 12:45:14.046728600 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources_ja.properties 2020-03-30 12:45:12.304094300 -0400 @@ -46,8 +46,7 @@ resource.bundle-config-file=\u30D0\u30F3\u30C9\u30EB\u69CB\u6210\u30D5\u30A1\u30A4\u30EB resource.app-info-plist=\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u306EInfo.plist resource.runtime-info-plist=Java\u30E9\u30F3\u30BF\u30A4\u30E0\u306EInfo.plist -resource.mac-app-store-entitlements=Mac App Store\u6A29\u9650 -resource.mac-app-store-inherit-entitlements=Mac App Store\u7D99\u627F\u6A29\u9650 +resource.entitlements=Mac Entitlements resource.dmg-setup-script=DMG\u8A2D\u5B9A\u30B9\u30AF\u30EA\u30D7\u30C8 resource.license-setup=\u30E9\u30A4\u30BB\u30F3\u30B9\u306E\u8A2D\u5B9A resource.dmg-background=dmg\u80CC\u666F 
@@ -68,6 +67,7 @@ message.version-string-numbers-only=\u30D0\u30FC\u30B8\u30E7\u30F3\u6587\u5B57\u5217\u306F\u3001\u6570\u5B57\u30682\u3064\u307E\u3067\u306E\u30C9\u30C3\u30C8\u3067\u306E\u307F\u69CB\u6210\u3067\u304D\u307E\u3059\u3002 message.creating-association-with-null-extension=null\u62E1\u5F35\u5B50\u3068\u306E\u95A2\u9023\u4ED8\u3051\u3092\u4F5C\u6210\u3057\u3066\u3044\u307E\u3059\u3002 message.ignoring.symlink=\u8B66\u544A: codesign\u304Csymlink {0}\u3092\u30B9\u30AD\u30C3\u30D7\u3057\u3066\u3044\u307E\u3059 +message.already.signed=File already signed: {0}. message.keychain.error=\u30A8\u30E9\u30FC: \u30AD\u30FC\u30C1\u30A7\u30FC\u30F3\u30FB\u30EA\u30B9\u30C8\u3092\u53D6\u5F97\u3067\u304D\u307E\u305B\u3093\u3002 message.building-bundle={0}\u306EMac App Store\u30D1\u30C3\u30B1\u30FC\u30B8\u3092\u4F5C\u6210\u3057\u3066\u3044\u307E\u3059\u3002 message.app-image-dir-does-not-exist=\u6307\u5B9A\u3055\u308C\u305F\u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u30FB\u30A4\u30E1\u30FC\u30B8\u30FB\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA {0}: {1}\u306F\u5B58\u5728\u3057\u307E\u305B\u3093\u3002 --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources_zh_CN.properties 2020-03-30 12:45:26.968794900 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacResources_zh_CN.properties 2020-03-30 12:45:25.235090200 -0400 @@ -46,8 +46,7 @@ resource.bundle-config-file=\u5305\u914D\u7F6E\u6587\u4EF6 resource.app-info-plist=\u5E94\u7528\u7A0B\u5E8F Info.plist resource.runtime-info-plist=Java \u8FD0\u884C\u65F6 Info.plist -resource.mac-app-store-entitlements=Mac App Store \u6743\u5229 -resource.mac-app-store-inherit-entitlements=Mac App Store \u7EE7\u627F\u6743\u5229 +resource.entitlements=Mac Entitlements resource.dmg-setup-script=DMG \u8BBE\u7F6E\u811A\u672C resource.license-setup=\u8BB8\u53EF\u8BC1\u8BBE\u7F6E resource.dmg-background=DMG \u80CC\u666F 
@@ -68,6 +67,7 @@ message.version-string-numbers-only=\u7248\u672C\u5B57\u7B26\u4E32\u53EA\u80FD\u5305\u542B\u6570\u5B57\u548C\u6700\u591A\u4E24\u4E2A\u70B9\u3002 message.creating-association-with-null-extension=\u6B63\u5728\u4F7F\u7528\u7A7A\u6269\u5C55\u540D\u521B\u5EFA\u5173\u8054\u3002 message.ignoring.symlink=\u8B66\u544A: codesign \u6B63\u5728\u8DF3\u8FC7\u7B26\u53F7\u94FE\u63A5 {0}\u3002 +message.already.signed=File already signed: {0}. message.keychain.error=\u9519\u8BEF\uFF1A\u65E0\u6CD5\u83B7\u53D6\u5BC6\u94A5\u94FE\u5217\u8868\u3002 message.building-bundle=\u6B63\u5728\u4E3A {0} \u6784\u5EFA Mac App Store \u7A0B\u5E8F\u5305\u3002 message.app-image-dir-does-not-exist=\u6307\u5B9A\u7684\u5E94\u7528\u7A0B\u5E8F\u6620\u50CF\u76EE\u5F55 {0}\uFF1A{1} \u4E0D\u5B58\u5728\u3002 --- old/src/jdk.incubator.jpackage/share/classes/jdk/incubator/jpackage/internal/Arguments.java 2020-03-30 12:45:40.048498500 -0400 +++ new/src/jdk.incubator.jpackage/share/classes/jdk/incubator/jpackage/internal/Arguments.java 2020-03-30 12:45:38.258410800 -0400 @@ -285,9 +285,6 @@ MAC_SIGNING_KEYCHAIN ("mac-signing-keychain", OptionCategories.PLATFORM_MAC), - MAC_APP_STORE_ENTITLEMENTS ("mac-app-store-entitlements", - OptionCategories.PLATFORM_MAC), - WIN_MENU_HINT ("win-menu", OptionCategories.PLATFORM_WIN, () -> { setOptionValue("win-menu", true); }), --- old/src/jdk.incubator.jpackage/share/classes/jdk/incubator/jpackage/internal/ValidOptions.java 2020-03-30 12:45:53.278844700 -0400 +++ new/src/jdk.incubator.jpackage/share/classes/jdk/incubator/jpackage/internal/ValidOptions.java 2020-03-30 12:45:51.507916200 -0400 
@@ -109,12 +109,9 @@ options.put(CLIOptions.MAC_SIGN.getId(), USE.ALL); options.put(CLIOptions.MAC_BUNDLE_NAME.getId(), USE.ALL); options.put(CLIOptions.MAC_BUNDLE_IDENTIFIER.getId(), USE.ALL); - options.put(CLIOptions.MAC_BUNDLE_SIGNING_PREFIX.getId(), - USE.ALL); + options.put(CLIOptions.MAC_BUNDLE_SIGNING_PREFIX.getId(), USE.ALL); options.put(CLIOptions.MAC_SIGNING_KEY_NAME.getId(), USE.ALL); options.put(CLIOptions.MAC_SIGNING_KEYCHAIN.getId(), USE.ALL); - options.put(CLIOptions.MAC_APP_STORE_ENTITLEMENTS.getId(), - USE.ALL); } if (Platform.getPlatform() == Platform.LINUX) { --- /dev/null 2020-03-30 12:46:07.000000000 -0400 +++ new/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/default.entitlements 2020-03-30 12:46:04.247457500 -0400 @@ -0,0 +1,8 @@ + + + + + com.apple.security.app-sandbox + + + --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacAppStore.entitlements 2020-03-30 12:46:15.777668700 -0400 +++ /dev/null 2020-03-30 12:46:17.000000000 -0400 @@ -1,8 +0,0 @@ - - - - - com.apple.security.app-sandbox - - - --- old/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/MacAppStore_Inherit.entitlements 2020-03-30 12:46:23.104006400 -0400 +++ /dev/null 2020-03-30 12:46:24.000000000 -0400 @@ -1,10 +0,0 @@ - - - - - com.apple.security.app-sandbox - - com.apple.security.inherit - - -