JDK-8308042 : [macOS] Developer ID Application Certificate not picked up by jpackage if it contains UNICODE characters
  • Type: Bug
  • Component: tools
  • Sub-Component: jpackage
  • Affected Version: 20
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: os_x
  • CPU: x86_64
  • Submitted: 2023-05-07
  • Updated: 2023-10-03
  • Resolved: 2023-08-23
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 21 JDK 22
21.0.1Fixed 22 b12Fixed
Related Reports
Blocks :  
JDK-8313904 - [macos] All signing tests which verifies unsigned app images are failing
Duplicate :  
JDK-8310931 - [macos] jpackage is not recognizing Mac OS certificate with accentuation (pt-BR)
Relates :  
JDK-8311877 - [macos] Add CLI options to provide signing identity directly to codesign and productbuild
Description
ADDITIONAL SYSTEM INFORMATION :
OSX Ventura 13.3.1

A DESCRIPTION OF THE PROBLEM :
I use jpackage to create a signed pkg installer. The name of our Developer ID Application Certificate contains special characters and is not found by jpackage. The signature step stops with error message "The 'Developer ID Application: ' did not match the name of my certificate."

The reason for this is that the structure of the certificates "alis" property is different. In our case the alis property contains a hex representation of its name:
"alis"<blob>=0x446576656C6F706572204944204170706C69636174696F6E3A20475A494D202[..]  "Developer ID Application: GZIM - Gesellschaft zur F\303\266rderung der Impfmedizin mbH (Team-ID)"

JPackage parses the alis property with this regex: "\"alis\"<blob>=\"([^\"]+)\" and therefore missing this certificate.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run jpackage with an Developer ID Application Certificate containing special characters:

jpackage --input target/ \
  --name JPackageDemoApp \
  --main-jar JPackageDemoApp.jar \
  --main-class de.gzim.Starter \
  --type pkg \
--mac-sign \
--mac-package-signing-prefix de.gzim \
--mac-signing-key-user-name "GZIM - Gesellschaft zur Förderung der Impfmedizin mbH [TEAM-ID]" \


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Successful generation of signed pkg installer.
ACTUAL -
The signature step stops with error message "The 'Developer ID Application: ' did not match the name of my certificate."

CUSTOMER SUBMITTED WORKAROUND :
There is no workaround, since we cannot change the company name and the certificate is generated by Apple,
Comments
Fix Request Without this code jpackage will not able to find and use certificates for signing which contains UNICODE characters. Patch applies cleanly and relatively low risk. New approach to find certificates was added which works with ASCII and UNICODE characters, but we will fallback to this newly added approach only if original fails. This should avoid any potential regressions.
23-08-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk21u/pull/95 Date: 2023-08-23 23:31:48 +0000
23-08-2023
Changeset: 57a322da Author: Alexander Matveev <almatvee@openjdk.org> Date: 2023-08-23 20:22:12 +0000 URL: https://git.openjdk.org/jdk/commit/57a322da9bf6aac98e834516728fb6da1c18e7aa
23-08-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/15394 Date: 2023-08-22 21:59:50 +0000
22-08-2023