jpackage bugs

Michael Hall mik3hall at
Sat Apr 17 14:37:13 UTC 2021

> On Apr 17, 2021, at 9:14 AM, Michael Hall <mik3hall at> wrote:
>> only executables and libraries are signed - this tool running across the whole app will find unsigned files, that would be expected.
> Hmm. ok. Is the jdk separately signed? Would something in copying it change a date or something that would cause the verify to fail on the jdk signature thinking something has changed rather than what you sign for the app?
> ls -l
> total 8
> ...
> drwxr-xr-x  3 mjh  staff   96 Apr 16 19:29 _CodeSignature

OK I think this may be it. For my testing I sort of force the DMG build back to the —install-dir one.

open -Wg HalfPipe-1.0.dmg
cp -r /Volumes/HalfPipe/ outputdir/
diskutil eject HalfPipe
open outputdir/

codesign -v outputdir/
outputdir/ a sealed resource is missing or invalid

If instead I do the proper drag and drop install to the Applications directory.
codesign -v /Applications/

No error. So apparently ‘cp’ is not a good idea on a signed application. At least not on a signed java one. 

This one can probably be closed permanently.

More information about the core-libs-dev mailing list