Corrupt Mac JDK Mission Control?

[cafuentes]

• Browser: Google Chrome is up to date Version 78.0.3904.70 (Official Build) (64-bit)

I have the latest MacOS (macOS Catalina Version 10.15). I downloaded JDK Mission Control (org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz) from your download page (https://adoptopenjdk.net/jmc.html). After expanding the gz (through double click in Finder), I attempt to launch the app (JDK Mission Control.app) and I get the following popup message:

"JDK Mission Control.app" is damaged and can't be opened. You should move it to the Trash.

The only options given are cancel and "Move to Trash". I even tried right clicking and selecting "Open" while holding Alt key in case this was actually a security block imposed by Catalina but I got the same message.

Thanks for any help on this.

Carlos

[thegreystone]

Hm. It works when running JDK\ Mission\ Control.app/Contents/MacOS/jmc

[thegreystone]

Starting a locally built JMC app I just compiled by double clicking the app does work.

[cafuentes]

Sorry @thegreystone , this is probably a dumb question, but can I assume you were able to confirm/replicate my issue (when using the downloaded gz of the app) and are now trying investigate/correct it?

[thegreystone]

1. Yes, I can confirm that I can reproduce the issue.
2. It is not related to Catalina - I can reproduce this trying to open an Adopt OpenJDK built JMC on Mojave.
3. I can not reproduce this on a locally built JMC. For me, building and running on my machine by simply clicking the locally built app works.
4. Funnily enough, the Adopt OpenJDK built JMC seems to work when launched from the command line, as I described above. I.e. running JDK\ Mission\ Control.app/Contents/MacOS/jmc from the command line.

[cafuentes]

Good to hear It’s not just me. ... Actually as I was writing this I found the issue. The problem seems to be with .gz (or .tar.gz) files and the mac built in unarchive utility that expands the file on double click. It apparently changes/corrupts the files in some way. When I expand the file on the command line with: gunzip -c org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz | tar xopf - The app runs fine. I can't recall ever seeing a .gz file to deliver apps and I wondered about that. I mostly see .zip and especially .dmg. Definitely this is Apple causing the issue so I'm not blaming you guys. Anyway here is more evidence of this problem (see the comments at the very end of page): https://bugs.eclipse.org/bugs/show_bug.cgi?id=398450

[thegreystone]

https://bugs.openjdk.java.net/browse/JMC-6131

[thegreystone]

gunzip -c org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz | tar xopf -

I can confirm this works!

[thegreystone]

Funnily, it doesn't seem to be a problem for Zulu Mission Control for some reason. Liberica Mission Control deliver a zip for Mac OS X, so I am thinking perhaps they have the same problem, and simply do the gunzip dance, and then re-zip the contents. Perhaps we should do the same.

[thegreystone]

@reinhapa what do you think? Do the gunzip thing and re-zip?

[reinhapa]

The problem is caused by the Mac's quarantine attribute set to unsigned artifacts as the following command executed within a extracted JDK Mission Control.app folder reveals:

ls -l@  ~/Downloads/org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz
-rw-r--r--@ 1 pr  staff  66955612  5 Nov 15:35 /Users/pr/Downloads/org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz
    com.apple.lastuseddate#PS         16
    com.apple.metadata:kMDItemDownloadedDate          53
    com.apple.metadata:kMDItemWhereFroms         186
    com.apple.quarantine          57

And therefore after untar:

~/Downloads/JDK Mission Control.app  ls -l@ .                                                                                  ✓  10210  16:49:41
total 0
drwxr-xr-x@ 6 pr  staff  192  4 Nov 14:21 Contents
    com.apple.quarantine     21

This flag can be removed by issuing the following command within the base directory of the extracted application:

sudo xattr -r -d com.apple.quarantine JDK\ Mission\ Control.app

[thegreystone]

Excellent findings! So, the options then seem to be for Adopt to either sign the builds, or to do the gunzip dance, and instead zip the thing and release the zips.

[reinhapa]

A more simper "dance" is to isolate those special attributes from the tar process ty unpacking like so:

cat org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz |tar xv -

This has the same effect, as by this method tar is receiving a byte stream, that has no notion of special file attributes.

You could also install it using curllike so:

curl https://ci.adoptopenjdk.net/view/JMC/job/jmc-latest/lastSuccessfulBuild/artifact/target/products/org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz | tar xv -

[thegreystone]

It would be great if it just worked for the end user when double-clicking on the compressed archive though.

[aahlenst]

On has to sign and notarize every executable, otherwise there are going to be errors and silent failures galore on Catalina.

[thegreystone]

Ah. Signing would be preferred then.

[thegreystone]

IIRC @klaraward was involved in much of the work to sign the Oracle JMC builds. Of course, every signing service is different, and I am not sure how Adopt does this. That said, I believe we signed a few different things:

• The executable
• The individual eclipse/p2 bundles
• The archives

Klara, can you confirm?

[reinhapa]

As much as i understood so far this notarize step we need to create a .pkg for that and the notarization only works with Xcode using a Mac environment...

[thegreystone]

I'll update the website as a stop gap measure, by adding special mac unpacking instructions as proposed by @reinhapa:

cat org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz |tar xv -

[klaraward]

Judging from what it looks like for JMC 6.0.0 on Mac (and what seems to match my memory), I believe we signed:

• The features and plugins jar for the update sites, verified with jarsigner
• The executable, verified withspctl
• The Mac app, verified with codesign

We did not sign the jars in the RCP app, and not the updatesite archives themselves.

[GETandSELECT]

Is there a workaround with xattr -r -d com.apple.quarantine on a macOS installed with homebrew? Can you paste full paths?

I try to start a java app and get

“adoptopenjdk-14.jdk” is damaged and can’t be opened.
Homebrew Cask downloaded this file on 19 March 2020 from adoptopenjdk.net.

I don't know where this files are located. thank you

[aahlenst]

@GETandSELECT Please see https://github.com/AdoptOpenJDK/homebrew-openjdk/issues/329 on why your JDK is considered to be damaged and what to do to fix it.

[jpgough]

+1 This is still an issue in 7.1.1

Fixed using: sudo xattr -r -d com.apple.quarantine JDK\ Mission\ Control.app as suggested above

[stooke]

Still an issue in 8.3 (aarch64) - same fix works on Ventura. I note that there are instructions about opening the tar.gz file for macOS but since they look so similar to "just expand the tar.gz" I think a one-liner explaining this issue should be added to the download page. Also, I encourage a pkg or dmg distribution instead.

[gdams]

I'm guessing the best approach here is to codesign and notarize the installer? @reinhapa I'd be happy to walk you through the steps

[reinhapa]

I'm guessing the best approach here is to codesign and notarize the installer? @reinhapa I'd be happy to walk you through the steps

That would be great. I will need to add that to the Eclipse CI and the Github build actions though..

[sdavids]

Could this be fixed for the 9.0.0 stable release please.