changeset 8974:f5b6e9bfedc6 8u45-b10

RT-40016: [packager] Apple Store submission fails Summary: Re-work signing so we don't need the --deep option
author shemnon
date Thu, 19 Feb 2015 14:36:09 -0700
parents 0bd5bb9d4978
children 5a883d6f9213 0c70ed3bce9d
files modules/fxpackager/src/main/java/com/oracle/tools/packager/mac/MacBaseInstallerBundler.java modules/fxpackager/src/test/java/com/oracle/tools/packager/mac/MacAppBundlerTest.java
diffstat 2 files changed, 46 insertions(+), 64 deletions(-) [+]
line wrap: on
line diff
--- a/modules/fxpackager/src/main/java/com/oracle/tools/packager/mac/MacBaseInstallerBundler.java	Wed Feb 18 13:18:47 2015 -0700
+++ b/modules/fxpackager/src/main/java/com/oracle/tools/packager/mac/MacBaseInstallerBundler.java	Thu Feb 19 14:36:09 2015 -0700
@@ -213,6 +213,7 @@
 
     public static void signAppBundle(Map<String, ? super Object> params, File appLocation, String signingIdentity, String identifierPrefix, String entitlementsFile, String inheritedEntitlements) throws IOException {
         AtomicReference<IOException> toThrow = new AtomicReference<>();
+        String appExecutable = "/Contents/MacOS/" + APP_NAME.fetchFrom(params);
         // sign all dylibs and jars
         Files.walk(appLocation.toPath())
                 // while we are searching let's fix permissions
@@ -228,80 +229,50 @@
                         Log.debug(e);
                     }
                 })
-                // now only care about jars and dylibs
-                .filter(p -> (p.toString().endsWith(".jar")
-                                || p.toString().endsWith(".dylib")
-                        && !p.toString().contains("/Contents/MacOS/libjli.dylib"))
+                .filter(p -> Files.isRegularFile(p) && 
+                                !(p.toString().contains("/Contents/MacOS/libjli.dylib")
+                                  || p.toString().contains("/Contents/MacOS/JavaAppletPlugin")
+                                  || p.toString().endsWith(appExecutable))
                 ).forEach(p -> {
-                    //noinspection ThrowableResultOfMethodCallIgnored
-                    if (toThrow.get() != null) return;
+            //noinspection ThrowableResultOfMethodCallIgnored
+            if (toThrow.get() != null) return;
 
-                    List<String> args = new ArrayList<>();
-                    args.addAll(Arrays.asList("codesign",
-                            "-s", signingIdentity, // sign with this key
-                            "--prefix", identifierPrefix, // use the identifier as a prefix
-                            "-vvvv")); 
-                    if (entitlementsFile != null) {
-                        args.add("--entitlements");
-                        args.add(entitlementsFile); // entitlements
-                    }
-                    args.add(p.toString());
+            List<String> args = new ArrayList<>();
+            args.addAll(Arrays.asList("codesign",
+                    "-s", signingIdentity, // sign with this key
+                    "--prefix", identifierPrefix, // use the identifier as a prefix
+                    "-vvvv"));
+            if (entitlementsFile != null && 
+                    (p.toString().endsWith(".jar")
+                      || p.toString().endsWith(".dylib"))) 
+            {
+                args.add("--entitlements");
+                args.add(entitlementsFile); // entitlements
+            } else if (inheritedEntitlements != null && Files.isExecutable(p)) {
+                args.add("--entitlements");
+                args.add(inheritedEntitlements); // inherited entitlements for executable processes
+            }
+            args.add(p.toString());
 
-                    try {
-                        Set<PosixFilePermission> oldPermissions = Files.getPosixFilePermissions(p);
-                        File f = p.toFile();
-                        f.setWritable(true, true);
+            try {
+                Set<PosixFilePermission> oldPermissions = Files.getPosixFilePermissions(p);
+                File f = p.toFile();
+                f.setWritable(true, true);
 
-                        ProcessBuilder pb = new ProcessBuilder(args);
-                        IOUtils.exec(pb, VERBOSE.fetchFrom(params));
+                ProcessBuilder pb = new ProcessBuilder(args);
+                IOUtils.exec(pb, VERBOSE.fetchFrom(params));
 
-                        Files.setPosixFilePermissions(p, oldPermissions);
-                    } catch (IOException ioe) {
-                        toThrow.set(ioe);
-                    }
-                });
+                Files.setPosixFilePermissions(p, oldPermissions);
+            } catch (IOException ioe) {
+                toThrow.set(ioe);
+            }
+        });
 
         IOException ioe = toThrow.get();
         if (ioe != null) {
             throw ioe;
         }
-        // sign all contained executables with an inherit entitlement
-        Files.find(appLocation.toPath().resolve("Contents"), Integer.MAX_VALUE,
-                (path, attr) -> (Files.isExecutable(path) && Files.isRegularFile(path)))
-                .filter(path -> (!path.toString().endsWith(".dylib") && !path.toString().contains("/Contents/MacOS/")))
-                .forEachOrdered(path -> {
-                    //noinspection ThrowableResultOfMethodCallIgnored
-                    if (toThrow.get() != null) return;
 
-                    List<String> args = new ArrayList<>();
-                    args.addAll(Arrays.asList("codesign",
-                            "-s", signingIdentity, // sign with this key
-                            "--prefix", identifierPrefix, // use the identifier as a prefix
-                            "-vvvv")); 
-                    if (inheritedEntitlements != null) {
-                        args.add("--entitlements");
-                        args.add(inheritedEntitlements); // entitlements
-                    }
-                    args.add(path.toString()); // this is what we are signing
-
-                    try {
-                        Set<PosixFilePermission> oldPermissions = Files.getPosixFilePermissions(path);
-                        File f = path.toFile();
-                        f.setWritable(true, true);
-
-                        ProcessBuilder pb = new ProcessBuilder(args);
-                        IOUtils.exec(pb, VERBOSE.fetchFrom(params));
-
-                        Files.setPosixFilePermissions(path, oldPermissions);
-                    } catch (IOException e) {
-                        toThrow.set(e);
-                    }
-                });
-
-        ioe = toThrow.get();
-        if (ioe != null) {
-            throw ioe;
-        }
         // sign all plugins and frameworks
         Consumer<? super Path> signIdentifiedByPList = path -> {
             //noinspection ThrowableResultOfMethodCallIgnored
@@ -316,6 +287,15 @@
                 args.add(path.toString());
                 ProcessBuilder pb = new ProcessBuilder(args);
                 IOUtils.exec(pb, VERBOSE.fetchFrom(params));
+
+                args = new ArrayList<>();
+                args.addAll(Arrays.asList("codesign",
+                        "-s", signingIdentity, // sign with this key
+                        "--prefix", identifierPrefix, // use the identifier as a prefix
+                        "-vvvv"));
+                args.add(path.toString() + "/Contents/_CodeSignature/CodeResources");
+                pb = new ProcessBuilder(args);
+                IOUtils.exec(pb, VERBOSE.fetchFrom(params));
             } catch (IOException e) {
                 toThrow.set(e);
             }
@@ -346,7 +326,6 @@
         List<String> args = new ArrayList<>();
         args.addAll(Arrays.asList("codesign",
                 "-s", signingIdentity, // sign with this key
-                "--deep", // sign deeply, including plugins
                 "-vvvv")); // super verbose output
         if (entitlementsFile != null) {
             args.add("--entitlements");
--- a/modules/fxpackager/src/test/java/com/oracle/tools/packager/mac/MacAppBundlerTest.java	Wed Feb 18 13:18:47 2015 -0700
+++ b/modules/fxpackager/src/test/java/com/oracle/tools/packager/mac/MacAppBundlerTest.java	Thu Feb 19 14:36:09 2015 -0700
@@ -476,6 +476,9 @@
         System.err.println("Bundle at - " + output);
         assertNotNull(output);
         assertTrue(output.exists());
+        if (signingKeysPresent) {
+            validateSignatures(output);
+        }
     }
 
     /**