8351073: [macos] jpackage produces invalid Java runtime DMG bundles

[sashamatveev]

Re-submission of #25314 after merge conflict was resolved. Old PR will be closed.

All comments are addressed from old PR. Merge conflict was significant, so it is like new fix.

Fixed jpackage to produce valid Java runtimes based on description below:

Definitions:

• JDK bundle defined as bundle which contains "Contents/Home", "Contents/MacOS/libjli.dylib" and "Contents/Info.plist".
• Signed JDK bundle contains all files as JDK bundle + "Contents/_CodeSignature".
• JDK image defined as content of "Contents/Home".
• Signed JDK image does not exist, since it cannot be signed as bundle.

jpackage output based on input:

1. "--runtime-image" points to unsigned JDK bundle and --mac-sign is not provided:

• jpackage will copy all files as is from provided path and run ad-hoc codesign.

2. "--runtime-image" points to unsigned JDK bundle and --mac-sign is provided:

• jpackage will copy all files as is from provided path and run codesign with appropriate certificate based on same logic as we do for application image.

3. "--runtime-image" points to signed JDK bundle and --mac-sign is not provided:

• jpackage will copy all files as is from provided path including "Contents/_CodeSignature" to preserve signing.

4. "--runtime-image" points to signed JDK bundle and --mac-sign is provided:

• jpackage will copy all files as is from provided path including "Contents/_CodeSignature" and will re-sign bundle with appropriate certificate.

5. "--runtime-image" points to JDK image and --mac-sign is not provided:

• jpackage will check for libjli.dylib presence in "lib" folder.
• Create JDK bundle by putting all files from provided path to "Contents/Home", libjli.dylib from "lib" to "Contents/MacOS/libjli.dylib" and create default "Contents/Info.plist" similar to what we do for runtime in application image.
• Ad-hoc signing will done.

6. "--runtime-image" points to JDK image and --mac-sign is provided:

• 2 first steps from 5 and certificate signing will be done.

Additional changes:

• The bundle's top directory name will have the ".jdk" suffix.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8351073: [macos] jpackage produces invalid Java runtime DMG bundles (Bug - P4)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/26173/head:pull/26173
$ git checkout pull/26173

Update a local copy of the PR:
$ git checkout pull/26173
$ git pull https://git.openjdk.org/jdk.git pull/26173/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 26173

View PR using the GUI difftool:
$ git pr show -t 26173

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/26173.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back almatvee! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

@sashamatveev The following label will be automatically applied to this pull request:

• core-libs

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 01: Full - Incremental (72a1e3a9)
• 00: Full (d880fcf7)

[mlbridge]

Mailing list message from Michael Hall on core-libs-dev:

What is the .jdk extension preceded by?

A normal system jdk is like jdk-23.jdk

Maybe something like jpkg-23.jdk to indicate the source of the jre image is jpakcage? Also ensuring it doesn?t conflict with a normally distributed one.

On Jul 7, 2025, at 5:23?PM, Alexander Matveev <almatvee at openjdk.org> wrote:

Additional changes:
- The bundle's top directory name will have the ".jdk" suffix.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/core-libs-dev/attachments/20250707/6114d1a6/attachment-0001.htm>

[sashamatveev]

What is the .jdk extension preceded by?
{NAME}-{VERSION}.jdk, where {NAME} is value of --name and {VERSION} is value of --version.

[alexeysemenyukoracle]

Why is this change? It looks wrong. The layout of the output bundle should have the "Contents" folder. This is how it was before the change.

[alexeysemenyukoracle]

What is "the source directory of this application"?
Why is the method that returns a path to the source directory called runtimeImage()?

[alexeysemenyukoracle]

I guess the directory referenced from the --runtime-image option will not be signed if it is a JDK image, not a JDK bundle. So, this switch turns off verification in cases when it should be done.

My interpretation of the PR description is that if the -runtime-image option references a JDK bundle, its contents will be copied, and the copy will be signed optionally. This makes this switch redundant.

[alexeysemenyukoracle]

1. Can be simplified:

throw new ConfigException(
                    I18N.format("message.runtime-image-invalid", runtimeImage),
                    I18N.getString("message.runtime-image-invalid.advice"));

2. This validation should be a part of MacPackageBuilder.create().

[alexeysemenyukoracle]

So if jpackage doesn't know if the given path is a JDK image or a JDK bundle, it will proceed with packaging anyway. This doesn't look right. In general, most, if not all, of the existing constructions like:

} catch (Exception ex) {
    Log.verbose(ex);
    ...
}

are wrong. Let's not add new ones.

[alexeysemenyukoracle]

This method is private on purpose. It should not be used outside of the MacApplicationBuilder class. If you need to get the valid bundle identifier, create MacApplication instance and call MacApplication.bundleIdentifier() on it.

[alexeysemenyukoracle]

Default interface methods should operate on values returned by other interface methods. These new functions involve filesystem operations. They probably don't belong to the interface.

[alexeysemenyukoracle]

systerm -> system

[alexeysemenyukoracle]

Can this test ever return false?

[alexeysemenyukoracle]

Why noit use FileUtils.copyRecursive()?

[alexeysemenyukoracle]

JDKBundleCertIndex -> jdkBundleCertIndex?

[alexeysemenyukoracle]

.forTypes(PackageType.MAC) is redundant. The test will only be executed on macOS

[alexeysemenyukoracle]

The name of the function is misleading. It doesn't get the runtime image. It creates it.

It returns a path to a JDK bundle or a JDK image depending on its arguments. So the "RuntimeImagePath" part of its name is also misleading.

[alexeysemenyukoracle]

Why do you need a dummyCMD? You can configure a normal JPackageCommand command:

var cmd = new JPackageCommand().useToolProvider(true).dumpOutput(true).addArguments(...);

[alexeysemenyukoracle]

Why do we need an absolute path in error messages? Wouldn't it make more sense to have the value of --runtime-image parameter as is in error messages?

[alexeysemenyukoracle]

The name "invalid-jdk-bundle" fits better in dash-case naming scheme for path names in jpackage tests.

[alexeysemenyukoracle]

I'm surprised there is no standard way to override this default value. Is it not important?

[alexeysemenyukoracle]

What is the origin of this file?

[alexeysemenyukoracle]

I don't understand why individual signing functions are needed for the runtime and application bundles. They look identical to me.

[alexeysemenyukoracle]

This function is almost a duplicate of writeRuntimeInfoPlist(). They can be merged together with branching:

if (app.asApplicationLayout().isPresent()) {
    // This is application bundle
} else {
    // This is runtime bundle
}