openjdk · andyherrick · Nov 15, 2021
diff --git a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java
@@ -329,7 +329,8 @@ public void prepareApplicationFiles(Map<String, ? super Object> params)
         }
 
         copyRuntimeFiles(params);
-        sign(params);
+
+        doSigning(params);
     }
 
     private void copyRuntimeFiles(Map<String, ? super Object> params)
@@ -355,7 +356,12 @@ private void copyRuntimeFiles(Map<String, ? super Object> params)
         }
     }
 
-    private void sign(Map<String, ? super Object> params) throws IOException {
+    private void doSigning(Map<String, ? super Object> params)
+            throws IOException {
+
+        // signing or not, unsign first ...
+        unsignAppBundle(params, root);
+
         if (Optional.ofNullable(
                 SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) {
             try {
@@ -647,7 +653,52 @@ public static void restoreKeychainList(Map<String, ? super Object> params)
         IOUtils.exec(pb);
     }
 
-    static void signAppBundle(
+    private static void unsignAppBundle(Map<String, ? super Object> params,
+            Path appLocation) throws IOException {
+
+        // unsign all dylibs and executables
+        try (Stream<Path> stream = Files.walk(appLocation)) {
+            stream.peek(path -> { // fix permissions
+                try {
+                    Set<PosixFilePermission> pfp =
+                            Files.getPosixFilePermissions(path);
+                    if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) {
+                        pfp = EnumSet.copyOf(pfp);
+                        pfp.add(PosixFilePermission.OWNER_WRITE);
+                        Files.setPosixFilePermissions(path, pfp);
+                    }
+                } catch (IOException e) {
+                    Log.verbose(e);
+                }
+            }).filter(p -> Files.isRegularFile(p) &&
+                      (Files.isExecutable(p) || p.toString().endsWith(".dylib"))
+                      && !(p.toString().contains("dylib.dSYM/Contents"))
+                     ).forEach(p -> {
+                // If p is a symlink then skip.
+                if (Files.isSymbolicLink(p)) {
+                    Log.verbose(MessageFormat.format(I18N.getString(
+                            "message.ignoring.symlink"), p.toString()));
+                } else {
+                    List<String> args = new ArrayList<>();
+                    args.addAll(Arrays.asList("/usr/bin/codesign",
+                            "--remove-signature", p.toString()));
+                    try {
+                        Set<PosixFilePermission> oldPermissions =
+                                Files.getPosixFilePermissions(p);
+                        p.toFile().setWritable(true, true);
+                        ProcessBuilder pb = new ProcessBuilder(args);
+                        IOUtils.exec(pb);
+                        Files.setPosixFilePermissions(p,oldPermissions);
+                    } catch (IOException ioe) {
+                        Log.verbose(ioe);
+                        return;
+                    }
+                }
+            });
+        }
+    }
+
+    private static void signAppBundle(
             Map<String, ? super Object> params, Path appLocation,
             String signingIdentity, String identifierPrefix, Path entitlements)
             throws IOException {
@@ -682,29 +733,7 @@ static void signAppBundle(
                     Log.verbose(MessageFormat.format(I18N.getString(
                             "message.ignoring.symlink"), p.toString()));
                 } else {
-                    List<String> args;
-                    // runtime and Framework files will be signed below
-                    // but they need to be unsigned first here
-                    if ((p.toString().contains("/Contents/runtime")) ||
-                        (p.toString().contains("/Contents/Frameworks"))) {
-
-                        args = new ArrayList<>();
-                        args.addAll(Arrays.asList("/usr/bin/codesign",
-                                "--remove-signature", p.toString()));
-                        try {
-                            Set<PosixFilePermission> oldPermissions =
-                                    Files.getPosixFilePermissions(p);
-                            p.toFile().setWritable(true, true);
-                            ProcessBuilder pb = new ProcessBuilder(args);
-                            IOUtils.exec(pb);
-                            Files.setPosixFilePermissions(p,oldPermissions);
-                        } catch (IOException ioe) {
-                            Log.verbose(ioe);
-                            toThrow.set(ioe);
-                            return;
-                        }
-                    }
-                    args = new ArrayList<>();
+                    List<String> args = new ArrayList<>();
                     args.addAll(Arrays.asList("/usr/bin/codesign",
                             "--timestamp",
                             "--options", "runtime",

diff --git a/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java b/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java
@@ -22,8 +22,11 @@
  */
 
 import java.nio.file.Path;
+import java.util.List;
+
 import jdk.jpackage.test.JPackageCommand;
 import jdk.jpackage.test.Annotations.Test;
+import jdk.jpackage.test.Annotations.Parameters;
 
 /**
  * Tests generation of app image with --mac-sign and related arguments. Test will
@@ -57,21 +60,36 @@
  */
 public class SigningAppImageTest {
 
+    final boolean doSign;
+
+    public SigningAppImageTest(String flag) {
+        this.doSign = "true".equals(flag);
+    }
+
+    @Parameters
+    public static List<Object[]> data() {
+        return List.of(new Object[][] {{"true"}, {"false"}});
+    }
+
     @Test
-    public static void test() throws Exception {
+    public void test() throws Exception {
         SigningCheck.checkCertificates();
 
         JPackageCommand cmd = JPackageCommand.helloAppImage();
-        cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
-                SigningBase.DEV_NAME, "--mac-signing-keychain",
-                SigningBase.KEYCHAIN);
+        if (doSign) {
+            cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
+                    SigningBase.DEV_NAME, "--mac-signing-keychain",
+                    SigningBase.KEYCHAIN);
+        }
         cmd.executeAndAssertHelloAppImageCreated();
 
         Path launcherPath = cmd.appLauncherPath();
-        SigningBase.verifyCodesign(launcherPath, true);
+        SigningBase.verifyCodesign(launcherPath, doSign);
 
         Path appImage = cmd.outputBundle();
-        SigningBase.verifyCodesign(appImage, true);
-        SigningBase.verifySpctl(appImage, "exec");
+        SigningBase.verifyCodesign(appImage, doSign);
+        if (doSign) {
+            SigningBase.verifySpctl(appImage, "exec");
+        }
     }
 }