RFR: 8311877: [macos] Add CLI options to provide signing identity directly to codesign and productbuild
Alexey Semenyuk
asemenyuk at openjdk.org
Tue Oct 17 14:02:28 UTC 2023
On Fri, 6 Oct 2023 22:15:00 GMT, Alexander Matveev <almatvee at openjdk.org> wrote:
> - Added `--mac-app-image-sign-identity` and `--mac-installer-sign-identity` CLI options to jpackage to provide signing identity directly to `codesign` and `productbuild` tools as per CSR [JDK-8316631](https://bugs.openjdk.org/browse/JDK-8316631).
> - If `codesign` or `productbuild` fails, then the output of these tools will be printed to stdout to help the user diagnose issues with signing using the new options. Examples with the sign identity set to "test", which does not exist on the system:
>> Error: "codesign" failed with following output:
>> test: no identity found
>
>> Error: "productbuild" failed with following output:
>> productbuild: error: Cannot write product to "/Users/SOMEDIR/Test-1.0.pkg". (Could not find appropriate signing identity for “test”.)
> - Added error handling not to allow invalid combinations of signing options.
> - Updated signing tests to test new changes.
If I get it right from the code, if `--mac-app-image-sign-identity` or `--mac-installer-sign-identity` option is specified and `--mac-sign` is NOT, it is an error. What is the point in `--mac-sign` then? It looks redundant.
If we still want `--mac-sign` to have any meaning when `--mac-app-image-sign-identity` and `--mac-installer-sign-identity` are used, let's make jpackage silently ignore any signing options if `--mac-sign` is not specified.
E.g.:
`jpackage --mac-app-image-sign-identity foo` - no error and no signing
`jpackage --mac-app-image-sign-identity foo --mac-sign` - no error, run signing
-------------
PR Comment: https://git.openjdk.org/jdk/pull/16085#issuecomment-1766410728