--- old/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java 2019-09-11 20:47:46.000000000 -0700 +++ new/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java 2019-09-11 20:47:45.000000000 -0700 @@ -779,12 +779,10 @@ String keyChain = SIGNING_KEYCHAIN.fetchFrom(params); // sign all dylibs and jars - Files.walk(appLocation) - // fix permissions - .peek(path -> { + Files.walk(appLocation).peek(path -> { // fix permissions try { Set pfp = - Files.getPosixFilePermissions(path); + Files.getPosixFilePermissions(path); if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) { pfp = EnumSet.copyOf(pfp); pfp.add(PosixFilePermission.OWNER_WRITE); @@ -793,60 +791,65 @@ } catch (IOException e) { Log.verbose(e); } - }) - .filter(p -> Files.isRegularFile(p) && - !(p.toString().contains("/Contents/MacOS/libjli.dylib") - || p.toString().endsWith(appExecutable)) - ).forEach(p -> { - //noinspection ThrowableResultOfMethodCallIgnored - if (toThrow.get() != null) return; + }).filter(p -> Files.isRegularFile(p) + && !(p.toString().contains("/Contents/MacOS/libjli.dylib") + || p.toString().endsWith(appExecutable) + || p.toString().contains("/Contents/runtime") + || p.toString().contains("/Contents/Frameworks"))).forEach(p -> { + //noinspection ThrowableResultOfMethodCallIgnored + if (toThrow.get() != null) return; + + // If p is a symlink then skip the signing process. + if (Files.isSymbolicLink(p)) { + if (VERBOSE.fetchFrom(params)) { + Log.verbose(MessageFormat.format(I18N.getString( + "message.ignoring.symlink"), p.toString())); + } + } else { + if (p.toString().endsWith(LIBRARY_NAME)) { + if (isFileSigned(p)) { + return; + } + } - // If p is a symlink then skip the signing process. - if (Files.isSymbolicLink(p)) { - if (VERBOSE.fetchFrom(params)) { - Log.verbose(MessageFormat.format(I18N.getString( - "message.ignoring.symlink"), p.toString())); - } - } - else { - List args = new ArrayList<>(); - args.addAll(Arrays.asList("codesign", - "-s", signingIdentity, // sign with this key - "--prefix", identifierPrefix, + List args = new ArrayList<>(); + args.addAll(Arrays.asList("codesign", + "-s", signingIdentity, // sign with this key + "--prefix", identifierPrefix, // use the identifier as a prefix - "-vvvv")); - if (entitlementsFile != null && - (p.toString().endsWith(".jar") + "-vvvv")); + if (entitlementsFile != null && + (p.toString().endsWith(".jar") || p.toString().endsWith(".dylib"))) { - args.add("--entitlements"); - args.add(entitlementsFile); // entitlements - } else if (inheritedEntitlements != null && - Files.isExecutable(p)) { - args.add("--entitlements"); - args.add(inheritedEntitlements); + args.add("--entitlements"); + args.add(entitlementsFile); // entitlements + } else if (inheritedEntitlements != null && + Files.isExecutable(p)) { + args.add("--entitlements"); + args.add(inheritedEntitlements); // inherited entitlements for executable processes - } - if (keyChain != null && !keyChain.isEmpty()) { - args.add("--keychain"); - args.add(keyChain); - } - args.add(p.toString()); + } + if (keyChain != null && !keyChain.isEmpty()) { + args.add("--keychain"); + args.add(keyChain); + } + args.add(p.toString()); - try { - Set oldPermissions = - Files.getPosixFilePermissions(p); - File f = p.toFile(); - f.setWritable(true, true); - - ProcessBuilder pb = new ProcessBuilder(args); - IOUtils.exec(pb); - - Files.setPosixFilePermissions(p, oldPermissions); - } catch (IOException ioe) { - toThrow.set(ioe); - } - } - }); + try { + Set oldPermissions = + Files.getPosixFilePermissions(p); + File f = p.toFile(); + f.setWritable(true, true); + + ProcessBuilder pb = new ProcessBuilder(args); + IOUtils.exec(pb); + + Files.setPosixFilePermissions(p, oldPermissions); + } catch (IOException ioe) { + toThrow.set(ioe); + } + } + }); IOException ioe = toThrow.get(); if (ioe != null) { @@ -863,7 +866,7 @@ args.addAll(Arrays.asList("codesign", "-s", signingIdentity, // sign with this key "--prefix", identifierPrefix, - // use the identifier as a prefix + // use the identifier as a prefix "-vvvv")); if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); @@ -877,7 +880,7 @@ args.addAll(Arrays.asList("codesign", "-s", signingIdentity, // sign with this key "--prefix", identifierPrefix, - // use the identifier as a prefix + // use the identifier as a prefix "-vvvv")); if (keyChain != null && !keyChain.isEmpty()) { args.add("--keychain"); @@ -932,4 +935,22 @@ IOUtils.exec(pb); } + private static boolean isFileSigned(Path file) { + List args = new ArrayList<>(); + args.addAll(Arrays.asList("codesign", + "--verify", + file.toString())); + + ProcessBuilder pb + = new ProcessBuilder(args.toArray(new String[args.size()])); + + try { + IOUtils.exec(pb); + } catch (IOException ex) { + return false; + } + + return true; + } + }