adoptium / jmc-build

Contains the Adoptium specific source code overrides and build pipeline script for the Java Mission Control project.
Apache License 2.0
23 stars 9 forks source link

Corrupt Mac JDK Mission Control? #41

Open cafuentes opened 5 years ago

cafuentes commented 5 years ago

I have the latest MacOS (macOS Catalina Version 10.15). I downloaded JDK Mission Control (org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz) from your download page (https://adoptopenjdk.net/jmc.html). After expanding the gz (through double click in Finder), I attempt to launch the app (JDK Mission Control.app) and I get the following popup message:

"JDK Mission Control.app" is damaged and can't be opened. You should move it to the Trash.

The only options given are cancel and "Move to Trash". I even tried right clicking and selecting "Open" while holding Alt key in case this was actually a security block imposed by Catalina but I got the same message.

Thanks for any help on this.

Carlos

thegreystone commented 5 years ago

Hm. It works when running JDK\ Mission\ Control.app/Contents/MacOS/jmc

thegreystone commented 5 years ago

Starting a locally built JMC app I just compiled by double clicking the app does work.

cafuentes commented 5 years ago

Sorry @thegreystone , this is probably a dumb question, but can I assume you were able to confirm/replicate my issue (when using the downloaded gz of the app) and are now trying investigate/correct it?

thegreystone commented 5 years ago
  1. Yes, I can confirm that I can reproduce the issue.
  2. It is not related to Catalina - I can reproduce this trying to open an Adopt OpenJDK built JMC on Mojave.
  3. I can not reproduce this on a locally built JMC. For me, building and running on my machine by simply clicking the locally built app works.
  4. Funnily enough, the Adopt OpenJDK built JMC seems to work when launched from the command line, as I described above. I.e. running JDK\ Mission\ Control.app/Contents/MacOS/jmc from the command line.
cafuentes commented 5 years ago

Good to hear It’s not just me. ... Actually as I was writing this I found the issue. The problem seems to be with .gz (or .tar.gz) files and the mac built in unarchive utility that expands the file on double click. It apparently changes/corrupts the files in some way. When I expand the file on the command line with: gunzip -c org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz | tar xopf - The app runs fine. I can't recall ever seeing a .gz file to deliver apps and I wondered about that. I mostly see .zip and especially .dmg. Definitely this is Apple causing the issue so I'm not blaming you guys. Anyway here is more evidence of this problem (see the comments at the very end of page): https://bugs.eclipse.org/bugs/show_bug.cgi?id=398450

thegreystone commented 5 years ago

https://bugs.openjdk.java.net/browse/JMC-6131

thegreystone commented 5 years ago

gunzip -c org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz | tar xopf -

I can confirm this works!

thegreystone commented 5 years ago

Funnily, it doesn't seem to be a problem for Zulu Mission Control for some reason. Liberica Mission Control deliver a zip for Mac OS X, so I am thinking perhaps they have the same problem, and simply do the gunzip dance, and then re-zip the contents. Perhaps we should do the same.

thegreystone commented 5 years ago

@reinhapa what do you think? Do the gunzip thing and re-zip?

reinhapa commented 5 years ago

The problem is caused by the Mac's quarantine attribute set to unsigned artifacts as the following command executed within a extracted JDK Mission Control.app folder reveals:

ls -l@  ~/Downloads/org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz
-rw-r--r--@ 1 pr  staff  66955612  5 Nov 15:35 /Users/pr/Downloads/org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz
    com.apple.lastuseddate#PS         16
    com.apple.metadata:kMDItemDownloadedDate          53
    com.apple.metadata:kMDItemWhereFroms         186
    com.apple.quarantine          57

And therefore after untar:

~/Downloads/JDK Mission Control.app  ls -l@ .                                                                                  ✓  10210  16:49:41
total 0
drwxr-xr-x@ 6 pr  staff  192  4 Nov 14:21 Contents
    com.apple.quarantine     21

This flag can be removed by issuing the following command within the base directory of the extracted application:

sudo xattr -r -d com.apple.quarantine JDK\ Mission\ Control.app
thegreystone commented 5 years ago

Excellent findings! So, the options then seem to be for Adopt to either sign the builds, or to do the gunzip dance, and instead zip the thing and release the zips.

reinhapa commented 5 years ago

A more simper "dance" is to isolate those special attributes from the tar process ty unpacking like so:

cat org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz |tar xv -

This has the same effect, as by this method tar is receiving a byte stream, that has no notion of special file attributes.

You could also install it using curllike so:

curl https://ci.adoptopenjdk.net/view/JMC/job/jmc-latest/lastSuccessfulBuild/artifact/target/products/org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz | tar xv -
thegreystone commented 5 years ago

It would be great if it just worked for the end user when double-clicking on the compressed archive though.

aahlenst commented 5 years ago

On has to sign and notarize every executable, otherwise there are going to be errors and silent failures galore on Catalina.

thegreystone commented 5 years ago

Ah. Signing would be preferred then.

thegreystone commented 5 years ago

IIRC @klaraward was involved in much of the work to sign the Oracle JMC builds. Of course, every signing service is different, and I am not sure how Adopt does this. That said, I believe we signed a few different things:

Klara, can you confirm?

reinhapa commented 5 years ago

As much as i understood so far this notarize step we need to create a .pkg for that and the notarization only works with Xcode using a Mac environment...

thegreystone commented 5 years ago

I'll update the website as a stop gap measure, by adding special mac unpacking instructions as proposed by @reinhapa:

cat org.openjdk.jmc-macosx.cocoa.x86_64.tar.gz |tar xv -

klaraward commented 5 years ago

Judging from what it looks like for JMC 6.0.0 on Mac (and what seems to match my memory), I believe we signed:

We did not sign the jars in the RCP app, and not the updatesite archives themselves.

GETandSELECT commented 4 years ago

Is there a workaround with xattr -r -d com.apple.quarantine on a macOS installed with homebrew? Can you paste full paths?

I try to start a java app and get

“adoptopenjdk-14.jdk” is damaged and can’t be opened.
Homebrew Cask downloaded this file on 19 March 2020 from adoptopenjdk.net.

I don't know where this files are located. thank you

aahlenst commented 4 years ago

@GETandSELECT Please see https://github.com/AdoptOpenJDK/homebrew-openjdk/issues/329 on why your JDK is considered to be damaged and what to do to fix it.

jpgough commented 4 years ago

+1 This is still an issue in 7.1.1

Fixed using: sudo xattr -r -d com.apple.quarantine JDK\ Mission\ Control.app as suggested above

stooke commented 1 year ago

Still an issue in 8.3 (aarch64) - same fix works on Ventura. I note that there are instructions about opening the tar.gz file for macOS but since they look so similar to "just expand the tar.gz" I think a one-liner explaining this issue should be added to the download page. Also, I encourage a pkg or dmg distribution instead.

gdams commented 1 year ago

I'm guessing the best approach here is to codesign and notarize the installer? @reinhapa I'd be happy to walk you through the steps

reinhapa commented 1 year ago

I'm guessing the best approach here is to codesign and notarize the installer? @reinhapa I'd be happy to walk you through the steps

That would be great. I will need to add that to the Eclipse CI and the Github build actions though..

sdavids commented 3 months ago

Could this be fixed for the 9.0.0 stable release please.