Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8254662

[macos] macOS tells an app to be damaged when created from jpackage and downloaded from external location

    XMLWordPrintable

Details

    • x86_64
    • os_x

    Description

      ADDITIONAL SYSTEM INFORMATION :
      MacOSX 10.14.6
      javac 14.0.1 from adoptopenJDK
      jpackage launched through a gradlew script
      jpackage installer and image options specified :
      --description
      --app-version
      --vendor
      --icon
      --mac-package-name

      A DESCRIPTION OF THE PROBLEM :
      I create an unsigned .app and .dmg with Jpackager, and I specify the following parameters :
      --icon, --description, --app-version, --vendor, --mac-package-name

      .dmg and .app work fine if they are not quarantined.
      When this .dmg is downloaded from any website, it gets quarantined by MacOS. Its extraction works correctly and I get a quarantined .app installed.
      Launching the .app displays the message :
       "xxxxxx.app is damaged and can’t be opened, you should move it to the trash"

      The problem is that this is not the usual "xxxxxx.app is an app downloaded from the internet. Are you sure you want to open it ?"
      MacOS users are used to this message and know how to open it by going to the security center to validate the opening.

      But the "damaged message" is much less common, and most of MacOS users don’t know they can remove the quarantine attribute with the xattr command.
      Once the quarantine attributes are removed, the app launches fine.

      I think that Jpackage generates an app structure which somewhere doesn’t comply with what MacOS likes. When I create manually the .app from the bin folder (also created by Jpackage, and I add basic Info.plist file etc..), and package it with create-dmg tool, I get a dmg and then a .app opening with the standard "downloaded from the internet" message. It demonstrates that this issue is not related to my app but to the way Jpakager packages it.

      A few more infos:
      When checking the extended attributes of my manually created .app, quarantined by the download, on any of its files I get:
      $ xattr Info.plist
      com.apple.TextEncoding
      com.apple.lastuseddate#PS
      com.apple.quarantine

      Whereas with the Jpackaged .app quarantined by the download, I only get :
      $ xattr Info.plist
      com.apple.quarantine


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Use jpackage to build and package any java app
      Upload the .dmg produced on any web server
      Download on a Mac the .dmg and launch it
      Install the .app by sliding it from the dmg window to /Applications
      Launch the App

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The first launch of the app should display the message of this kind:
      xxxxxx.app is an app downloaded from the internet. Are you sure you want to open it ? (That is the message I get when app was manually created from the bin folder jlink build, and dmg packaged with create-dmg tool)
      ACTUAL -
      The first launch of this app displays :
      xxxxxx.app is damaged and can’t be opened, you should move it to the trash

      CUSTOMER SUBMITTED WORKAROUND :
      Ask users to use the xattr command after download, to remove quarantine flags. No other way to open the app.

      FREQUENCY : always


      Attachments

        1. ErrorMsg.png
          42 kB
          ANUPAM DEV
        2. helloApp-1.0.dmg
          47.64 MB
          ANUPAM DEV
        3. JDK-14.0.2.png
          52 kB
          Alexander Matveev
        4. JDK-16.png
          56 kB
          Alexander Matveev

        Issue Links

          Activity

            People

              almatvee Alexander Matveev
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: