build.gradle: re-sign Mac bundle ad-hoc after patchMacJpackage#7629
Open
Vest wants to merge 1 commit into
jpackage seals PcGen.app with an ad-hoc signature, but patchMacJpackage then rewrites Info.plist and drops MacDirLauncher into Contents/MacOS, invalidating the seal. The downloaded bundle ships with a broken signature, so `spctl -a -vv PcGen.app` reports `invalid resource directory (directory or signature have been modified)` even before quarantine enters the picture. Re-sealing ad-hoc at the end of patchMacJpackage makes the bundle internally consistent. Users still hit Gatekeeper on first launch because PCGen has no Developer ID, but stripping quarantine with `xattr -dr com.apple.quarantine PcGen.app` is then sufficient — no `codesign --force --deep` round-trip required on the user side. Proper notarization needs an Apple Developer ID + notarytool secrets in CI and is out of scope here.
Problem

Every release of `PcGen.app` ships with a broken signature on macOS. Running `spctl -a -vv` on a freshly downloaded bundle reports:

```
invalid resource directory (directory or signature have been modified)
```

This happens before quarantine is even considered. Users see "PcGen.app is damaged and can't be opened" on first launch and have to recover with `codesign --force --deep --sign -` or a `ditto` round-trip. The fix doesn't stick because the next download has the same problem.

Root cause

`jpackage` seals the bundle with an ad-hoc signature. The existing `patchMacJpackage` task then:

- rewrites `Contents/Info.plist` to point `CFBundleExecutable` at `MacDirLauncher`;
- drops `MacDirLauncher` into `Contents/MacOS/`.

Both modifications happen after the seal, invalidating it (`Sealed Resources rules=13` no longer matches the on-disk contents). Re-running jpackage doesn't help — the patch runs after every build.

Fix

Re-sign the bundle ad-hoc at the end of `patchMacJpackage` so the seal matches the final on-disk layout. One `codesign --force --deep --sign -` in a `doLast` block.

Scope / what this does not do

- No notarization: that needs an Apple Developer ID plus notarytool secrets in CI and is out of scope here.
- Users still hit Gatekeeper on first launch because PCGen has no Developer ID; after this change `xattr -dr com.apple.quarantine PcGen.app` is sufficient (one command, no `sudo`, no `codesign --force --deep` on the user side). That's the minimum a non-notarized app can offer.

Verification

`./gradlew help --task patchMacJpackage` parses cleanly. `spctl -a -vv` against a local build was not run (build is ~5-10 min); CI on `macos-latest` will exercise it. After the change, on a fresh build:

```
spctl -a -vv build/jpackage/PcGen.app
# build/jpackage/PcGen.app: accepted (when xattr is clean)
```
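The `doLast` re-seal described under Fix, written out as an added illustration rather than the PR's actual build.gradle change. It assumes the task is named `patchMacJpackage` and that the bundle is produced at `build/jpackage/PcGen.app` (both taken from the description above); the `codesign --verify` step after signing is an extra check I added so the build fails if the new seal still does not match the on-disk layout, instead of shipping a bundle that `spctl` will reject again.

```groovy
// Added example, not PCGen's own build.gradle. Task name and bundle path
// follow the PR description; everything else is an assumption.
tasks.named('patchMacJpackage') {
    doLast {
        def appDir = layout.buildDirectory.dir('jpackage/PcGen.app').get().asFile

        // Ad-hoc identity ("-"): no Developer ID is involved, this only
        // produces a seal that matches the bundle after Info.plist was
        // rewritten and MacDirLauncher was dropped into Contents/MacOS.
        // --force replaces the stale seal jpackage already applied.
        exec {
            workingDir appDir.parentFile
            commandLine 'codesign', '--force', '--deep', '--sign', '-', appDir.name
        }

        // Fail the build here rather than at the user's first launch:
        // a non-zero exit from codesign --verify aborts the task.
        exec {
            commandLine 'codesign', '--verify', '--deep', '--strict',
                        '--verbose=2', appDir.absolutePath
        }
    }
}
```

`codesign --verify` only checks that the seal is internally consistent; it says nothing about Gatekeeper, so `spctl -a -vv` against the CI artifact remains the end-to-end check, and users without a notarized build still need the `xattr -dr com.apple.quarantine` step described above.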