Windows CDS archive non-reproducible due to jpackageapplauncher #1181
Comments
|
Tested creating a jpackage application, and as expected, can confirm the MSI bundle, the MSI contents and the installed app package showed no signs of any "signing" remnants when created from a Temurin that had "signed" jpackageapplauncher files. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Up til now we have been excluding the Windows CDS archive from reproducible comparison, because it was not identical.
We have discovered the reason is due to the signing of the jdk.jpackage/classes/jdk/jpackage/internal/resources/jpackageapplauncher.
This executable template is used by the "jpackage" command to build user bespoke application runtime executables. The jpackage app bundle builder takes this template resource and updates it by "re-branding" it user specific "icons" and resource text. The process of re-branding removes any existing Signature from the resource, so any signing is pointless : https://github.com/openjdk/jdk/blob/c5c4efdaa1d04b1441fd96712b71cdb43e5d86df/src/jdk.jpackage/windows/classes/jdk/jpackage/internal/WindowsAppImageBuilder.java#L140
This can be verified by running a jpackage test, and examing the user package for any signatures...??
The text was updated successfully, but these errors were encountered: