Is it safe to remove jdk/jmods of open-jdk for a sandboxed-with-JDK Eclipse RCP application

Question

mky OP

Created Jul ’22

Replies 3

Boosts 0

Participants 2

Hi,

I have a RCP based MacOS application that uses open-jdk 11.0.1 “2018-10-16” to build/run the application.

Currently I am trying to notarize our application. Apple has flagged various issues mainly with the JDK. While I’m attempting to fix all of them, it seems the issues flagged in the jdk/jmods directory can be difficult to resolve. Apple wants us to code sign all binaries (.dylib files) inside the jmod modules.

From what I understand, looking at various articles about JMOD, they don’t have much role to play during application runtime? (I could be mistaken here, since my sources are other stackoverflow answers) and they are mainly used to create other custom JRE’s using JLink.

Now I have done some testing without the jdk/jmods directory and up till now I didn’t encounter any issue. But I'd like to be completely certain.

So, since my application is a sandboxed-with-JDK Eclipse RCP application, is it safe to get rid of the jdk/jmods directory completely? If not, what does it depend on and what would be the ideal litmus tests to determine whether my application is completely safe from jdk/jmods removal.

Boost

Answer 1

DTS Engineer OP

Apple

Jul ’22

is it safe to get rid of the jdk/jmods directory completely?

I think you’d have more luck escalating this via the support channel for your third-party runtime.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

mky OP

Jul ’22

Hey @eskimo

I think you’d have more luck escalating this via the support channel for your third-party runtime.

We have taken it up to Oracle as well. Our app is embedded with a JDK.

So if we were to notarize a JDK, how'd one go about it. The binaries inside jdk/jmods are untouchable as far as I know. They can't be unpackaged, signed and packaged again. At best, everything inside jdk/bin and jdk/lib can be signed. This must have happened before as well, but I didn't really find anything concrete for it. The Apple docs for notarization prioritize X-code based information, but there's hardly anything for Java applications.

0

Answer 3

DTS Engineer OP

Apple

Jul ’22

The Apple docs for notarization prioritize Xcode based information

Yes.

but there's hardly anything for Java applications.

In this respect Java isn’t any different from any other third-party tool. We’re happy to describe what the notary service requires. How you achieve that with third-party tooling is between you and the tooling vendor.

As to what the notary service requires, that’s something that I’ve explained many times before so I’ve used your thread as an excuse to write it down. Check out Notarisation Fundamentals.

The binaries inside jdk/jmods are untouchable as far as I know.

I have no insight into that. Historically this stuff shipped in JAR files, and those are amenable to packing and unpacking.

I’ve seen a lot of Java developers successfully notarise apps, although I don’t keep track of the specific Java runtime they’re using.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0