JDK-8316631 : [macos] Add CLI options to provide signing identity directly to codesign and productbuild
  • Type: CSR
  • Component: tools
  • Sub-Component: jpackage
  • Priority: P3
  • Status: Provisional
  • Resolution: Unresolved
  • Fix Versions: 22
  • Submitted: 2023-09-20
  • Updated: 2023-10-03
Description
Summary
-------

Add `--mac-app-image-sign-identity` and `--mac-installer-sign-identity` CLI options to jpackage to provide the signing identity directly to the `codesign` and `productbuild` tools, which are used to sign application images and installers generated by jpackage.

Problem
-------

Currently jpackage supports the following option to find certificates for signing: `--mac-signing-key-user-name <team name>`. jpackage uses `<team name>` to run `security find-certificate <team name>` to list all available certificates and then selects the first one based on the target type and the `--mac-app-store` option. For the `app-image` type jpackage selects `"Developer ID Application: <name>"` and for the `pkg` type it selects `"Developer ID Installer: <name>"`. If `--mac-app-store` is specified, then `"3rd Party Mac Developer Application: <name>"` and/or `"3rd Party Mac Developer Installer: <name>"` are selected.

Apple provides additional types of certificates which can be used to sign application images: `"Mac Developer: <name>"`, `"Apple Development: <name>"` and `"Apple Distribution: <name>"`. The signing CLI options currently available in jpackage are limited: they cannot accommodate these additional certificates, and they also limit how users can select certificates. For example, `"Developer ID Application: <name>"` and `"Developer ID Installer: <some_other_name>"` cannot be used at the same time. Once jpackage finds a certificate, it passes the full certificate name to the `--sign` option of `codesign` and/or `productbuild`.

Solution
--------

Add `--mac-app-image-sign-identity` and `--mac-installer-sign-identity` CLI options to jpackage to provide the signing identity directly to the `codesign` and `productbuild` tools, which are used to sign application images and installers generated by jpackage. `codesign` and `productbuild` have `--sign identity` and `--sign identity-name` options respectively, and the values of `--mac-app-image-sign-identity` and `--mac-installer-sign-identity` will be passed through directly to the `--sign` option of `codesign` and/or `productbuild`. In this case we will not validate certificates as we do with `--mac-signing-key-user-name`, and we will not check whether the produced application image or installer was signed correctly. Packaging will fail if `codesign` and/or `productbuild` returns a non-zero value, as in the case of an invalid signing identity.

Specification
-------------

Description of `--mac-app-image-sign-identity` option:

    --mac-app-image-sign-identity <identity>
          Identity used to sign application image. This value will be passed directly to
          --sign option of "codesign" tool. This option cannot be combined with
          --mac-signing-key-user-name.

Description of `--mac-installer-sign-identity` option:

    --mac-installer-sign-identity <identity>
          Identity used to sign "pkg" installer. This value will be passed directly to
          --sign option of "productbuild" tool. This option cannot be combined with
          --mac-signing-key-user-name.

Description of `--mac-signing-key-user-name` option will change to:

    --mac-signing-key-user-name <team name>
          Team or user name portion of Apple signing identities. For direct control
          of the signing identity used to sign application images or installers use
          --mac-app-image-sign-identity and/or --mac-installer-sign-identity.
          This option cannot be combined with --mac-app-image-sign-identity
          or --mac-installer-sign-identity.

If the "pkg" installer type is requested but only `--mac-app-image-sign-identity` is specified, then the installer will not be signed. If only `--mac-installer-sign-identity` is specified, then the application image will not be signed, but the installer will be signed. A warning will be provided in the cases described above, in case the user accidentally forgot to specify both signing identities.
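
The option rules above can be modelled as a pre-flight check for a build script; this is an added example, not jpackage code and not part of this CSR. `sign_plan`, its output format and its exit codes are assumptions of the example, it models only `--type` and the three identity options described here, and the identity name is constructed.

```shell
#!/usr/bin/env bash
# Added example: models the identity-option rules from this CSR for a CI
# pre-flight check. sign_plan is a hypothetical helper, not part of jpackage.
# stdout: "app-image=<state> installer=<state>"; warnings and errors go to stderr.
# Exit status (this helper's own convention): 0 ok, 1 warning, 2 invalid options.
sign_plan() {
    local type="" team="" app_id="" pkg_id="" app inst rc=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --type|-t|--mac-signing-key-user-name|--mac-app-image-sign-identity|--mac-installer-sign-identity)
                [ $# -ge 2 ] || { echo "error: $1 requires a value" >&2; return 2; }
                case "$1" in
                    --type|-t)                     type=$2 ;;
                    --mac-signing-key-user-name)   team=$2 ;;
                    --mac-app-image-sign-identity) app_id=$2 ;;
                    --mac-installer-sign-identity) pkg_id=$2 ;;
                esac
                shift 2 ;;
            *) shift ;;   # options this sketch does not model
        esac
    done
    # The team-name lookup and the direct identities are mutually exclusive.
    if [ -n "$team" ] && [ -n "$app_id$pkg_id" ]; then
        echo "error: --mac-signing-key-user-name cannot be combined with" \
             "--mac-app-image-sign-identity or --mac-installer-sign-identity" >&2
        return 2
    fi
    if [ -n "$team" ]; then
        app=team-lookup; inst=team-lookup   # jpackage selects the certificates itself
    else
        app=unsigned; inst=unsigned
        if [ -n "$app_id" ]; then app=identity; fi   # passed to codesign --sign
        if [ -n "$pkg_id" ]; then inst=identity; fi  # passed to productbuild --sign
    fi
    if [ "$type" != pkg ]; then
        inst=n/a                       # the installer identity applies to "pkg" only
    elif [ "$app" != "$inst" ]; then   # exactly one direct identity was supplied
        echo "warning: app-image=$app installer=$inst" >&2
        rc=1
    fi
    echo "app-image=$app installer=$inst"
    return $rc
}

# Constructed identity name; this is the warning case from the specification.
sign_plan --type pkg --mac-app-image-sign-identity "Apple Development: Example Corp" \
    || echo "pre-flight status: $?"
```

Treating status 1 as a build failure stops a "pkg" from shipping with only one of its two signatures, the case jpackage itself only warns about.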
Comments
[~darcy] If you mean is it enough to support various types of Apple certificates mentioned in this CSR, then yes it is enough to support various types of Apple certificates. I am not aware of any other options of codesign and productbuild tools which might be required to support different types of certificates. So, proposed set of options should fully cover problem described in this CSR.
03-10-2023

Moving back to Provisional. [~almatvee], is this the complete set of options needed to interface with Apple systems?
03-10-2023

Moving to Provisional.
27-09-2023

Looks good with a couple minor comments:

1. Since there is no change in behavior when not using the two new options, I think the compatibility impact can be listed as "minimal".

2. I have two suggested changes to the help text of the existing `--mac-signing-key-user-name` option:

> For direct control on signing identity used ...

Suggestion: For direct control of the signing identity used ...

> This option cannot be combined with --mac-app-image-sign-identity and/or --mac-installer-sign-identity.

In this sentence, I think "and/or" can just be "or":

Suggestion: This option cannot be combined with --mac-app-image-sign-identity or --mac-installer-sign-identity.
25-09-2023