ADDITIONAL SYSTEM INFORMATION :
OS X 12
jdk 19 and 17 tested
A DESCRIPTION OF THE PROBLEM :
In MacAppImageBuilder :: signAppBundle(...)
https://github.com/openjdk/jdk/blob/master/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java
It can be seen that it:
1. unsigns everything
2. if (signingIdentity != null) { do the signing }
Why this was noticed:
In an app we have chromium bundled. We have jpackage codesign disabled. Jpackage is trying to unsign a chromium framework file. The unsign fails on Chromium Framework with reason "bundle format unrecognized, invalid, or unsuitable"
History:
In the original release of jdk 17, jpackage skipped unsigning some files which can be seen in this diff https://github.com/openjdk/jdk/commit/7696897932a35708b1632517127c1a3a59919878
--remove-signature was only run
if ((p.toString().contains("/Contents/runtime")) || (p.toString().contains("/Contents/Frameworks"))) {
This check would skip the unsign of the "Chromium Framework" file that is now failing.
In short:
should "--remove-signature" be skipped if code signing is not enabled? Or maybe something like "--skip-remove-signature" should be a flag on jpackage?
OS X 12
jdk 19 and 17 tested
A DESCRIPTION OF THE PROBLEM :
In MacAppImageBuilder :: signAppBundle(...)
https://github.com/openjdk/jdk/blob/master/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java
It can be seen that it:
1. unsigns everything
2. if (signingIdentity != null) { do the signing }
Why this was noticed:
In an app we have chromium bundled. We have jpackage codesign disabled. Jpackage is trying to unsign a chromium framework file. The unsign fails on Chromium Framework with reason "bundle format unrecognized, invalid, or unsuitable"
History:
In the original release of jdk 17, jpackage skipped unsigning some files which can be seen in this diff https://github.com/openjdk/jdk/commit/7696897932a35708b1632517127c1a3a59919878
--remove-signature was only run
if ((p.toString().contains("/Contents/runtime")) || (p.toString().contains("/Contents/Frameworks"))) {
This check would skip the unsign of the "Chromium Framework" file that is now failing.
In short:
should "--remove-signature" be skipped if code signing is not enabled? Or maybe something like "--skip-remove-signature" should be a flag on jpackage?
- relates to
-
JDK-8276837 [macos]: Error when signing the additional launcher
-
- Resolved
-