8277494: [BACKOUT] JDK-8276150 Quarantined jpackage apps are labeled as "damaged"

Daniel D. Daugherty · Daniel D. Daugherty · commit c79a485f1c3f · 2021-11-19T22:37:28.000Z
Reviewed-by: asemenyuk, tschatzl
diff --git a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacAppImageBuilder.java
@@ -329,8 +329,7 @@ public void prepareApplicationFiles(Map<String, ? super Object> params)
         }
 
         copyRuntimeFiles(params);
-
-        doSigning(params);
+        sign(params);
     }
 
     private void copyRuntimeFiles(Map<String, ? super Object> params)
@@ -356,12 +355,7 @@ private void copyRuntimeFiles(Map<String, ? super Object> params)
         }
     }
 
-    private void doSigning(Map<String, ? super Object> params)
-            throws IOException {
-
-        // signing or not, unsign first ...
-        unsignAppBundle(params, root);
-
+    private void sign(Map<String, ? super Object> params) throws IOException {
         if (Optional.ofNullable(
                 SIGN_BUNDLE.fetchFrom(params)).orElse(Boolean.TRUE)) {
             try {
@@ -653,52 +647,7 @@ public static void restoreKeychainList(Map<String, ? super Object> params)
         IOUtils.exec(pb);
     }
 
-    private static void unsignAppBundle(Map<String, ? super Object> params,
-            Path appLocation) throws IOException {
-
-        // unsign all dylibs and executables
-        try (Stream<Path> stream = Files.walk(appLocation)) {
-            stream.peek(path -> { // fix permissions
-                try {
-                    Set<PosixFilePermission> pfp =
-                            Files.getPosixFilePermissions(path);
-                    if (!pfp.contains(PosixFilePermission.OWNER_WRITE)) {
-                        pfp = EnumSet.copyOf(pfp);
-                        pfp.add(PosixFilePermission.OWNER_WRITE);
-                        Files.setPosixFilePermissions(path, pfp);
-                    }
-                } catch (IOException e) {
-                    Log.verbose(e);
-                }
-            }).filter(p -> Files.isRegularFile(p) &&
-                      (Files.isExecutable(p) || p.toString().endsWith(".dylib"))
-                      && !(p.toString().contains("dylib.dSYM/Contents"))
-                     ).forEach(p -> {
-                // If p is a symlink then skip.
-                if (Files.isSymbolicLink(p)) {
-                    Log.verbose(MessageFormat.format(I18N.getString(
-                            "message.ignoring.symlink"), p.toString()));
-                } else {
-                    List<String> args = new ArrayList<>();
-                    args.addAll(Arrays.asList("/usr/bin/codesign",
-                            "--remove-signature", p.toString()));
-                    try {
-                        Set<PosixFilePermission> oldPermissions =
-                                Files.getPosixFilePermissions(p);
-                        p.toFile().setWritable(true, true);
-                        ProcessBuilder pb = new ProcessBuilder(args);
-                        IOUtils.exec(pb);
-                        Files.setPosixFilePermissions(p,oldPermissions);
-                    } catch (IOException ioe) {
-                        Log.verbose(ioe);
-                        return;
-                    }
-                }
-            });
-        }
-    }
-
-    private static void signAppBundle(
+    static void signAppBundle(
             Map<String, ? super Object> params, Path appLocation,
             String signingIdentity, String identifierPrefix, Path entitlements)
             throws IOException {
@@ -733,7 +682,29 @@ private static void signAppBundle(
                     Log.verbose(MessageFormat.format(I18N.getString(
                             "message.ignoring.symlink"), p.toString()));
                 } else {
-                    List<String> args = new ArrayList<>();
+                    List<String> args;
+                    // runtime and Framework files will be signed below
+                    // but they need to be unsigned first here
+                    if ((p.toString().contains("/Contents/runtime")) ||
+                        (p.toString().contains("/Contents/Frameworks"))) {
+
+                        args = new ArrayList<>();
+                        args.addAll(Arrays.asList("/usr/bin/codesign",
+                                "--remove-signature", p.toString()));
+                        try {
+                            Set<PosixFilePermission> oldPermissions =
+                                    Files.getPosixFilePermissions(p);
+                            p.toFile().setWritable(true, true);
+                            ProcessBuilder pb = new ProcessBuilder(args);
+                            IOUtils.exec(pb);
+                            Files.setPosixFilePermissions(p,oldPermissions);
+                        } catch (IOException ioe) {
+                            Log.verbose(ioe);
+                            toThrow.set(ioe);
+                            return;
+                        }
+                    }
+                    args = new ArrayList<>();
                     args.addAll(Arrays.asList("/usr/bin/codesign",
                             "--timestamp",
                             "--options", "runtime",
diff --git a/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java b/test/jdk/tools/jpackage/macosx/SigningAppImageTest.java
@@ -22,11 +22,8 @@
  */
 
 import java.nio.file.Path;
-import java.util.List;
-
 import jdk.jpackage.test.JPackageCommand;
 import jdk.jpackage.test.Annotations.Test;
-import jdk.jpackage.test.Annotations.Parameters;
 
 /**
  * Tests generation of app image with --mac-sign and related arguments. Test will
@@ -60,36 +57,21 @@
  */
 public class SigningAppImageTest {
 
-    final boolean doSign;
-
-    public SigningAppImageTest(String flag) {
-        this.doSign = "true".equals(flag);
-    }
-
-    @Parameters
-    public static List<Object[]> data() {
-        return List.of(new Object[][] {{"true"}, {"false"}});
-    }
-
     @Test
-    public void test() throws Exception {
+    public static void test() throws Exception {
         SigningCheck.checkCertificates();
 
         JPackageCommand cmd = JPackageCommand.helloAppImage();
-        if (doSign) {
-            cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
-                    SigningBase.DEV_NAME, "--mac-signing-keychain",
-                    SigningBase.KEYCHAIN);
-        }
+        cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
+                SigningBase.DEV_NAME, "--mac-signing-keychain",
+                SigningBase.KEYCHAIN);
         cmd.executeAndAssertHelloAppImageCreated();
 
         Path launcherPath = cmd.appLauncherPath();
-        SigningBase.verifyCodesign(launcherPath, doSign);
+        SigningBase.verifyCodesign(launcherPath, true);
 
         Path appImage = cmd.outputBundle();
-        SigningBase.verifyCodesign(appImage, doSign);
-        if (doSign) {
-            SigningBase.verifySpctl(appImage, "exec");
-        }
+        SigningBase.verifyCodesign(appImage, true);
+        SigningBase.verifySpctl(appImage, "exec");
     }
 }
