Re: [External] : Re: RFR: 8286850: [macos] Add support for signing user provided app image [v2]

2022-06-08 Thread Michael Hall



> On Jun 7, 2022, at 9:21 PM, Alexander Matveev  
> wrote:
> 
> Hi Michael,
> 
> Yes, this is correct. It is a three step process as you outlined it below.
> 

Alexander,

Could you post an example of the three invocations, without needing to include 
any post-processing, to 1) create app-image 2) sign 3) add to DMG
Or indicate any tests included, or that will be included, in the jdk source 
where something similar is done. 
There are not yet that I know of any documentation pages for the command? 

Thanks,
Mike



Re: [External] : Re: RFR: 8286850: [macos] Add support for signing user provided app image [v2]

2022-06-07 Thread Alexander Matveev
Hi Michael,

Yes, this is correct. It is a three step process as you outlined it below.

Thanks,
Alexander

On Jun 7, 2022, at 12:00 AM, Michael Hall 
mailto:mik3h...@gmail.com>> wrote:

Alexander,

I had an existing local GitHub repo for the jdk I updated that appeared to 
accept the parameters you indicated. It generated a jdk 19.

If you are saying I’m not getting the main branch or the update for some reason 
has dependencies I’m not getting I would have to determine how to correctly get 
these, or, I guess wait for a release that has all the necessary. Determining 
if this worked as expected before a release seemed like it would be a good idea.

Yes, the point of my original suggestion was to allow generating the 
application unsigned, then do post-processing - like modify the default 
Info.plist, and finally separately sign.

I thought your change provided the means to do this by first generating an 
unsigned image using —type app-image, then on a separate invocation indicate 
the app-image and sign and package it.

./build/*/images/jdk/bin/jpackage --type app-image --app-image

If I follow you now it isn’t a two step but a three step process.

1) Generate unsigned application and do post-processing.

2) Sign modified app-image

3) DMG or PKG the modified and signed app-image

Is this correct?

Thanks,
Mike



Re: RFR: 8286850: [macos] Add support for signing user provided app image [v2]

2022-06-07 Thread Michael Hall
Alexander,

I had an existing local GitHub repo for the jdk I updated that appeared to 
accept the parameters you indicated. It generated a jdk 19. 

If you are saying I’m not getting the main branch or the update for some reason 
has dependencies I’m not getting I would have to determine how to correctly get 
these, or, I guess wait for a release that has all the necessary. Determining 
if this worked as expected before a release seemed like it would be a good idea.

Yes, the point of my original suggestion was to allow generating the 
application unsigned, then do post-processing - like modify the default 
Info.plist, and finally separately sign.

I thought your change provided the means to do this by first generating an 
unsigned image using —type app-image, then on a separate invocation indicate 
the app-image and sign and package it. 

> ./build/*/images/jdk/bin/jpackage --type app-image --app-image

If I follow you now it isn’t a two step but a three step process.

1) Generate unsigned application and do post-processing.

2) Sign modified app-image

3) DMG or PKG the modified and signed app-image

Is this correct?

Thanks,
Mike

Re: RFR: 8286850: [macos] Add support for signing user provided app image [v2]

2022-06-06 Thread Alexander Matveev
Hi Michael,

See below.

On Jun 5, 2022, at 5:58 PM, Michael Hall 
mailto:mik3h...@gmail.com>> wrote:


./build/*/images/jdk/bin/jpackage --app-image 
~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app --mac-sign 
--mac-signing-key-user-name "Developer ID Application: Michael Hall 
(5X6BXQB3Q7)"
Bundler Mac DMG Package skipped because of a configuration problem: When using 
an external app image you must specify the app name.
Advice to fix: Set the app name via the -name CLI flag, the 
fx:application/@name ANT attribute, or via the 'appName' bundler argument.

./build/*/images/jdk/bin/jpackage --app-image 
~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app --mac-sign 
--mac-signing-key-user-name "Developer ID Application: Michael Hall 
(5X6BXQB3Q7)" --name HalfPipe
Warning: Using unsigned app-image to build signed dmg.

*** The app-image was actually a signed one. I’m not sure that matters. Also 
since this would normally be my intention should there be a warning? ***

codesign -v --verbose=4 ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app
/Users/mjh/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app: valid on disk
/Users/mjh/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app: satisfies its 
Designated Requirement

*** Seems successful ***

Thanks again.


Possibly my mistake somehow but codesign seems to flag something if the 
application is actually unsigned.

${PACKAGER} \
--verbose \
   --add-modules java.desktop,java.prefs,java.se \
   --type app-image \
--input ./input \
--app-version 1.0  \
--name BlackJack\ Blastoff_Unsigned \
--main-jar bjb.jar \
--main-class org.bjb.BlackJackApp \
--java-options '-Xmx1024m -XX:+UseG1GC -XX:MaxGCPauseMillis=50  
-Dapple.laf.useScreenMenuBar=true 
-Dcom.apple.mrj.application.apple.menu.about.name=BlackjackBlastoff 
-Dapple.awt.application.name=Blackjack\ Blastoff’

[19:41:02.231] Creating app package: BlackJack Blastoff_Unsigned.app in 
/Users/mjh/Blackjack_Blastoff/bjb/bjb_jpkg
[19:41:05.516] Command [PID: -1]:
   jlink --output /Users/mjh/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack 
Blastoff_Unsigned.app/Contents/runtime/Contents/Home --module-path 
/Library/Java/JavaVirtualMachines/jdk-18.jdk/Contents/Home/jmods --add-modules 
java.desktop,java.prefs,java.se --strip-native-commands 
--strip-debug --no-man-pages --no-header-files
[19:41:05.517] Output:

[19:41:05.518] Returned: 0

[19:41:05.545] Using default package resource JavaApp.icns [icon] (add 
BlackJack Blastoff_Unsigned.icns to the resource-dir to customize).
[19:41:05.547] Preparing Info.plist: 
/Users/mjh/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack 
Blastoff_Unsigned.app/Contents/Info.plist.
[19:41:05.547] Using default package resource Info-lite.plist.template 
[Application Info.plist] (add Info.plist to the resource-dir to customize).
[19:41:05.550] Using default package resource Runtime-Info.plist.template [Java 
Runtime Info.plist] (add Runtime-Info.plist to the resource-dir to customize).
[19:41:05.551] Succeeded in building Mac Application Image package

./build/*/images/jdk/bin/jpackage --app-image 
~/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack\ Blastoff_Unsigned.app --mac-sign 
--mac-signing-key-user-name "Developer ID Application: Michael Hall 
(5X6BXQB3Q7)" --name BlackJack_Blastoff_Unsigned
Warning: Using unsigned app-image to build signed dmg.

open BlackJack_Blastoff_Unsigned-1.0.dmg

codesign -v --verbose=4 /Volumes/BlackJack_Blastoff_Unsigned/BlackJack\ 
Blastoff_Unsigned.app
/Volumes/BlackJack_Blastoff_Unsigned/BlackJack Blastoff_Unsigned.app: code has 
no resources but signature indicates they must be present
This is correct. You generated unsigned application image and then package it 
into DMG with signing enabled. In this case we will not sign app image. Only 
installer package will get signed and it applies only to PKG. DMG does not have 
any signing. This is was same behavior as before JDK-8286850.

You need to sign app image first:
./build/*/images/jdk/bin/jpackage --type app-image --app-image 
~/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack\ Blastoff_Unsigned.app --mac-sign 
--mac-signing-key-user-name "Developer ID Application: Michael Hall 
(5X6BXQB3Q7)" --name BlackJack_Blastoff_Unsigned

Then run command to generate DMG or PKG. Enable signing if you want PKG to be 
signed. No need to specify it for DMG if you generating DMG from predefined 
application image.

As for "code has no resources but signature indicates they must be present” I 
believe it is due to JDK-8277493 and it was fixed in JDK 19.


I am using the installed jdk18 to create the app-image. Would that need to be 
done with the same jdk with the changes applied?
Yes, if you need to sign app image after post processing it should be generated 
with JDK version which contains JDK-8286850 fix. Unless something will change 
jpackage from JDK 20 should able to sign app image generated by JDK 19, but JDK 
19 jpackage will not able to sign app image generated by JDK 18.

This is do to additional values are stored 

Re: RFR: 8286850: [macos] Add support for signing user provided app image [v2]

2022-06-06 Thread Alexander Matveev
Hi Michael,

Printing "Warning: Using unsigned app-image to build signed dmg.” with signed 
application should be fixed with JDK-8286850. Did you reproduce it on build 
containing JDK-8286850?

Thanks,
Alexander

> On Jun 5, 2022, at 3:06 PM, Michael Hall  wrote:
> 
> 
> 
>> On Jun 5, 2022, at 8:56 AM, Michael Hall  wrote:
>> 
>> 
>> Fwiw, I was going to take a look at this but my build failed.
>> 
>> === Output from failing command(s) repeated here ===
>> * For target support_native_java.desktop_liblcms_cmstypes.o:
>> /Users/mjh/Documents/GitHub/jdk/src/java.desktop/share/native/liblcms/cmstypes.c:3441:132:
>>  error: parameter 'SizeOfTag' set but not used 
>> [-Werror,-Wunused-but-set-parameter]
>> void *Type_ProfileSequenceId_Read(struct _cms_typehandler_struct* self, 
>> cmsIOHANDLER* io, cmsUInt32Number* nItems, cmsUInt32Number SizeOfTag)
>>  
>> ^
>> /Users/mjh/Documents/GitHub/jdk/src/java.desktop/share/native/liblcms/cmstypes.c:5137:125:
>>  error: parameter 'SizeOfTag' set but not used 
>> [-Werror,-Wunused-but-set-parameter]
>> void *Type_Dictionary_Read(struct _cms_typehandler_struct* self, 
>> cmsIOHANDLER* io, cmsUInt32Number* nItems, cmsUInt32Number SizeOfTag)
>>  
>>  ^
>> 2 errors generated.
>> 
>> 
>> OS/X 12.4
>> 
>> 2.4 GHz Quad-Core Intel Core i5
>> 
>> If I should post that somewhere else let me know.
>> 
> 
> Again fwiw, I commented out references to SizeOfTag in the two methods and 
> got a good build.
> 
> ./build/*/images/jdk/bin/jpackage --app-image 
> ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app --mac-sign 
> --mac-signing-key-user-name "Developer ID Application: Michael Hall 
> (5X6BXQB3Q7)"
> Bundler Mac DMG Package skipped because of a configuration problem: When 
> using an external app image you must specify the app name. 
> Advice to fix: Set the app name via the -name CLI flag, the 
> fx:application/@name ANT attribute, or via the 'appName' bundler argument.
> 
> ./build/*/images/jdk/bin/jpackage --app-image 
> ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app --mac-sign 
> --mac-signing-key-user-name "Developer ID Application: Michael Hall 
> (5X6BXQB3Q7)" --name HalfPipe
> Warning: Using unsigned app-image to build signed dmg.
> 
> *** The app-image was actually a signed one. I’m not sure that matters. Also 
> since this would normally be my intention should there be a warning? ***
> 
> codesign -v --verbose=4 ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app
> /Users/mjh/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app: valid on disk
> /Users/mjh/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app: satisfies its 
> Designated Requirement
> 
> *** Seems successful ***
> 
> Thanks again.
> 



Re: RFR: 8286850: [macos] Add support for signing user provided app image [v2]

2022-06-05 Thread Michael Hall
> 
> ./build/*/images/jdk/bin/jpackage --app-image 
> ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app --mac-sign 
> --mac-signing-key-user-name "Developer ID Application: Michael Hall 
> (5X6BXQB3Q7)"
> Bundler Mac DMG Package skipped because of a configuration problem: When 
> using an external app image you must specify the app name. 
> Advice to fix: Set the app name via the -name CLI flag, the 
> fx:application/@name ANT attribute, or via the 'appName' bundler argument.
> 
> ./build/*/images/jdk/bin/jpackage --app-image 
> ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app --mac-sign 
> --mac-signing-key-user-name "Developer ID Application: Michael Hall 
> (5X6BXQB3Q7)" --name HalfPipe
> Warning: Using unsigned app-image to build signed dmg.
> 
> *** The app-image was actually a signed one. I’m not sure that matters. Also 
> since this would normally be my intention should there be a warning? ***
> 
> codesign -v --verbose=4 ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app
> /Users/mjh/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app: valid on disk
> /Users/mjh/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app: satisfies its 
> Designated Requirement
> 
> *** Seems successful ***
> 
> Thanks again.
> 

Possibly my mistake somehow but codesign seems to flag something if the 
application is actually unsigned.

${PACKAGER} \
--verbose \
--add-modules java.desktop,java.prefs,java.se \
--type app-image \
--input ./input \
--app-version 1.0  \
--name BlackJack\ Blastoff_Unsigned \
--main-jar bjb.jar \
--main-class org.bjb.BlackJackApp \
--java-options '-Xmx1024m -XX:+UseG1GC -XX:MaxGCPauseMillis=50  
-Dapple.laf.useScreenMenuBar=true 
-Dcom.apple.mrj.application.apple.menu.about.name=BlackjackBlastoff 
-Dapple.awt.application.name=Blackjack\ Blastoff’ 

[19:41:02.231] Creating app package: BlackJack Blastoff_Unsigned.app in 
/Users/mjh/Blackjack_Blastoff/bjb/bjb_jpkg
[19:41:05.516] Command [PID: -1]:
jlink --output /Users/mjh/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack 
Blastoff_Unsigned.app/Contents/runtime/Contents/Home --module-path 
/Library/Java/JavaVirtualMachines/jdk-18.jdk/Contents/Home/jmods --add-modules 
java.desktop,java.prefs,java.se --strip-native-commands --strip-debug 
--no-man-pages --no-header-files
[19:41:05.517] Output:

[19:41:05.518] Returned: 0

[19:41:05.545] Using default package resource JavaApp.icns [icon] (add 
BlackJack Blastoff_Unsigned.icns to the resource-dir to customize).
[19:41:05.547] Preparing Info.plist: 
/Users/mjh/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack 
Blastoff_Unsigned.app/Contents/Info.plist.
[19:41:05.547] Using default package resource Info-lite.plist.template 
[Application Info.plist] (add Info.plist to the resource-dir to customize).
[19:41:05.550] Using default package resource Runtime-Info.plist.template [Java 
Runtime Info.plist] (add Runtime-Info.plist to the resource-dir to customize).
[19:41:05.551] Succeeded in building Mac Application Image package

./build/*/images/jdk/bin/jpackage --app-image 
~/Blackjack_Blastoff/bjb/bjb_jpkg/BlackJack\ Blastoff_Unsigned.app --mac-sign 
--mac-signing-key-user-name "Developer ID Application: Michael Hall 
(5X6BXQB3Q7)" --name BlackJack_Blastoff_Unsigned
Warning: Using unsigned app-image to build signed dmg.

 open BlackJack_Blastoff_Unsigned-1.0.dmg   
  
codesign -v --verbose=4 /Volumes/BlackJack_Blastoff_Unsigned/BlackJack\ 
Blastoff_Unsigned.app
/Volumes/BlackJack_Blastoff_Unsigned/BlackJack Blastoff_Unsigned.app: code has 
no resources but signature indicates they must be present

I am using the installed jdk18 to create the app-image. Would that need to be 
done with the same jdk with the changes applied? 

Re: RFR: 8286850: [macos] Add support for signing user provided app image [v2]

2022-06-05 Thread Michael Hall



> On Jun 5, 2022, at 8:56 AM, Michael Hall  wrote:
> 
> 
> Fwiw, I was going to take a look at this but my build failed.
> 
> === Output from failing command(s) repeated here ===
> * For target support_native_java.desktop_liblcms_cmstypes.o:
> /Users/mjh/Documents/GitHub/jdk/src/java.desktop/share/native/liblcms/cmstypes.c:3441:132:
>  error: parameter 'SizeOfTag' set but not used 
> [-Werror,-Wunused-but-set-parameter]
> void *Type_ProfileSequenceId_Read(struct _cms_typehandler_struct* self, 
> cmsIOHANDLER* io, cmsUInt32Number* nItems, cmsUInt32Number SizeOfTag)
>   
> ^
> /Users/mjh/Documents/GitHub/jdk/src/java.desktop/share/native/liblcms/cmstypes.c:5137:125:
>  error: parameter 'SizeOfTag' set but not used 
> [-Werror,-Wunused-but-set-parameter]
> void *Type_Dictionary_Read(struct _cms_typehandler_struct* self, 
> cmsIOHANDLER* io, cmsUInt32Number* nItems, cmsUInt32Number SizeOfTag)
>   
>  ^
> 2 errors generated.
> 
> 
> OS/X 12.4
> 
> 2.4 GHz Quad-Core Intel Core i5
> 
> If I should post that somewhere else let me know.
> 

Again fwiw, I commented out references to SizeOfTag in the two methods and got 
a good build.

./build/*/images/jdk/bin/jpackage --app-image 
~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app --mac-sign 
--mac-signing-key-user-name "Developer ID Application: Michael Hall 
(5X6BXQB3Q7)"
Bundler Mac DMG Package skipped because of a configuration problem: When using 
an external app image you must specify the app name. 
Advice to fix: Set the app name via the -name CLI flag, the 
fx:application/@name ANT attribute, or via the 'appName' bundler argument.

./build/*/images/jdk/bin/jpackage --app-image 
~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app --mac-sign 
--mac-signing-key-user-name "Developer ID Application: Michael Hall 
(5X6BXQB3Q7)" --name HalfPipe
Warning: Using unsigned app-image to build signed dmg.

*** The app-image was actually a signed one. I’m not sure that matters. Also 
since this would normally be my intention should there be a warning? ***

 codesign -v --verbose=4 ~/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app
/Users/mjh/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app: valid on disk
/Users/mjh/HalfPipe/halfpipe_jpkg/outputdir/HalfPipe.app: satisfies its 
Designated Requirement

*** Seems successful ***

Thanks again.



Re: RFR: 8286850: [macos] Add support for signing user provided app image [v2]

2022-06-05 Thread Michael Hall


Fwiw, I was going to take a look at this but my build failed.

=== Output from failing command(s) repeated here ===
* For target support_native_java.desktop_liblcms_cmstypes.o:
/Users/mjh/Documents/GitHub/jdk/src/java.desktop/share/native/liblcms/cmstypes.c:3441:132:
 error: parameter 'SizeOfTag' set but not used 
[-Werror,-Wunused-but-set-parameter]
void *Type_ProfileSequenceId_Read(struct _cms_typehandler_struct* self, 
cmsIOHANDLER* io, cmsUInt32Number* nItems, cmsUInt32Number SizeOfTag)

   ^
/Users/mjh/Documents/GitHub/jdk/src/java.desktop/share/native/liblcms/cmstypes.c:5137:125:
 error: parameter 'SizeOfTag' set but not used 
[-Werror,-Wunused-but-set-parameter]
void *Type_Dictionary_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* 
io, cmsUInt32Number* nItems, cmsUInt32Number SizeOfTag)

^
2 errors generated.


OS/X 12.4

2.4 GHz Quad-Core Intel Core i5

If I should post that somewhere else let me know.



Re: RFR: 8286850: [macos] Add support for signing user provided app image [v2]

2022-06-02 Thread Alexander Matveev
On Fri, 3 Jun 2022 01:56:01 GMT, Alexander Matveev  wrote:

>> - Added support for signing predefined application image.
>>  - Following command can be used to sign predefined application images: 
>> jpackage --type app-image --app-image Test.app --mac-sign [additional 
>> signing options]
>>  - Main class and if --mac-app-store was specified will be saved in 
>> .jpackage.xml. Both values are required for signing. Main class is to 
>> generate default identity and --mac-app-store to do correct signing for App 
>> Store.
>>  - Signing is done exactly same as when generating app bundle. Unsigned, 
>> signed or partially signed app images are supported. App image will be 
>> completely unsigned before signing.
>
> Alexander Matveev has updated the pull request incrementally with one 
> additional commit since the last revision:
> 
>   8286850: [macos] Add support for signing user provided app image [v2]

8286850: [macos] Add support for signing user provided app image [v2]
 - Fixed all comments from Alexey.
8286850: [macos] Add support for signing user provided app image [v3]
 - Fixed whitespace issues.

-

PR: https://git.openjdk.java.net/jdk/pull/8987


Re: RFR: 8286850: [macos] Add support for signing user provided app image [v2]

2022-06-02 Thread Alexander Matveev
> - Added support for signing predefined application image.
>  - Following command can be used to sign predefined application images: 
> jpackage --type app-image --app-image Test.app --mac-sign [additional signing 
> options]
>  - Main class and if --mac-app-store was specified will be saved in 
> .jpackage.xml. Both values are required for signing. Main class is to 
> generate default identity and --mac-app-store to do correct signing for App 
> Store.
>  - Signing is done exactly same as when generating app bundle. Unsigned, 
> signed or partially signed app images are supported. App image will be 
> completely unsigned before signing.

Alexander Matveev has updated the pull request incrementally with one 
additional commit since the last revision:

  8286850: [macos] Add support for signing user provided app image [v2]

-

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/8987/files
  - new: https://git.openjdk.java.net/jdk/pull/8987/files/384738c1..65df10e9

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk=8987=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk=8987=00-01

  Stats: 37 lines in 3 files changed: 3 ins; 22 del; 12 mod
  Patch: https://git.openjdk.java.net/jdk/pull/8987.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/8987/head:pull/8987

PR: https://git.openjdk.java.net/jdk/pull/8987