JDK-8311877 : [macos] Add CLI options to provide signing identity directly to codesign and productbuild
  • Type: Bug
  • Component: tools
  • Sub-Component: jpackage
  • Affected Version: 20
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2023-07-11
  • Updated: 2024-05-20
  • Resolved: 2023-10-24
JDK 22: version 22, build b21, Fixed
Description
My Apple developer certificate name has the form

Apple Development: Alan Snyder (XX00X0XXX0)

This name was created by Apple.

When I try to use this certificate with jpackage, it is not used.

For example:

$ java --version
openjdk 20.0.1 2023-04-18
OpenJDK Runtime Environment (build 20.0.1+9-29)
OpenJDK 64-Bit Server VM (build 20.0.1+9-29, mixed mode, sharing)
$ jpackage --type app-image --main-jar ...  --mac-signing-key-user-name "Alan Snyder" --input ...
$ codesign -d -v *.app
Executable=...
Identifier=test
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1597 flags=0x2(adhoc) hashes=44+3 location=embedded
Signature=adhoc
Info.plist entries=16
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=304
Internal requirements count=0 size=12

I have no trouble using this certificate directly with codesign.
I can simply provide the alphanumeric key as the identity.

codesign has a simple and useful process for finding the actual certificate:

The identity is first considered as the full name of a keychain identity preference. If such a preference exists, it directly names the identity used.  Otherwise, the identity is located by searching all keychains for a certificate whose subject common name (only) contains the identity string given. If there are multiple matches, the operation fails and no signing is performed; however, an exact match is preferred over a partial match. These comparisons are case sensitive. Multiple instances of the exactly same certificate in multiple keychains are tolerated as harmless.

I see no reason why jpackage should not simply pass the string I give it to codesign.
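
The lookup rules quoted above from the codesign documentation, modelled as an added example (not code from the report, jpackage or codesign). `Cert`, `resolve_identity`, the fingerprints and every keychain entry except the reporter's certificate name are constructed for illustration, and only the quoted rules are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    common_name: str  # subject common name, the only field searched
    fingerprint: str  # stands in for the certificate's identity (placeholder values)
    keychain: str

class AmbiguousIdentity(Exception):
    """More than one distinct certificate matched; no signing is performed."""

def resolve_identity(identity, certs, preferences=None):
    """Pick the certificate for `identity` following the quoted rules, or None."""
    # Rule 1: the full name of an identity preference names the identity directly.
    if preferences and identity in preferences:
        return preferences[identity]
    # Rule 2: case-sensitive substring search over subject common names only.
    partial = [c for c in certs if identity in c.common_name]
    # Rule 3: an exact match is preferred over a partial match.
    exact = [c for c in partial if c.common_name == identity]
    candidates = exact or partial
    # Rule 4: the same certificate present in several keychains counts once.
    distinct = {}
    for c in candidates:
        distinct.setdefault(c.fingerprint, c)
    # Rule 5: several distinct matches make the operation fail.
    if len(distinct) > 1:
        names = sorted(c.common_name for c in distinct.values())
        raise AmbiguousIdentity(f"{identity!r} matches {names}")
    return next(iter(distinct.values()), None)

# Constructed keychain contents; only the first common name comes from the report.
KEYCHAIN = [
    Cert("Apple Development: Alan Snyder (XX00X0XXX0)", "FP-1", "login"),
    Cert("Apple Development: Alan Snyder (XX00X0XXX0)", "FP-1", "build"),  # same cert, second keychain
    Cert("Apple Development: Example User (YY11Y1YYY1)", "FP-2", "login"),
    Cert("Test Signer", "FP-3", "login"),
    Cert("Test Signer 2", "FP-4", "login"),
]

if __name__ == "__main__":
    for ident in ("XX00X0XXX0", "Alan Snyder", "alan snyder", "Test Signer", "Apple Development"):
        try:
            cert = resolve_identity(ident, KEYCHAIN)
            print(f"{ident!r:22} -> {cert.common_name if cert else 'no match'}")
        except AmbiguousIdentity as err:
            print(f"{ident!r:22} -> refused: {err}")
```

An identity string that is too generic is refused rather than resolved to an arbitrary certificate, which is why a unique token such as the alphanumeric key in the common name works as an identity.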
Comments
Changeset: f1dfdc1a Author: Alexander Matveev <almatvee@openjdk.org> Date: 2023-10-24 21:41:20 +0000 URL: https://git.openjdk.org/jdk/commit/f1dfdc1a79f3a16eae58d15d1945541a08f7e145
24-10-2023

A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/16085 Date: 2023-10-06 22:15:00 +0000
06-10-2023

Title is updated to better reflect the issue. To solve this issue we are planning to add two additional CLI options "--mac-app-image-sign-identity" and "--mac-installer-sign-identity" which can be used instead of "--mac-signing-key-user-name" to provide the signing identity directly to codesign and productbuild.
20-09-2023