RFR: 8311877: [macos] Add CLI options to provide signing identity directly to codesign and productbuild [v3]

Fri Oct 20 20:53:37 UTC 2023

> On Oct 20, 2023, at 3:42 PM, Alexander Matveev <almatvee at openjdk.org> wrote:
> 
> On Fri, 20 Oct 2023 04:23:22 GMT, Alexander Matveev <almatvee at openjdk.org <mailto:almatvee at openjdk.org>> wrote:
> 
>>> - Added `--mac-app-image-sign-identity` and `--mac-installer-sign-identity` CLI options to jpackage to provide signing identity directly to `codesign` and `productbuild` tools as per CSR [JDK-8316631](https://bugs.openjdk.org/browse/JDK-8316631).
>>> - If `codesign` or `productbuild` fails, then output of these tools will be printed to stdout to help user diagnose issues with signing using new options. Examples with sign identity set to "test" which does not exist on system:
>>>> Error: "codesign" failed with following output:
>>>> test: no identity found
>>> 
>>>> Error: "productbuild" failed with following output:
>>>> productbuild: error: Cannot write product to "/Users/SOMEDIR/Test-1.0.pkg". (Could not find appropriate signing identity for “test”.)
>>> - Added error handling not to allow invalid combinations of signing options.
>>> - Updated signing tests to test new changes.
>> 
>> Alexander Matveev has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>  8311877: [macos] Add CLI options to provide signing identity directly to codesign and productbuild [v2]
> 
> Michael filed https://bugs.openjdk.org/browse/JDK-8318063 for codesign verification, so I would prefer to move discussion under this JBS issue on this topic.
> 
> For now I do not know if we need to add it. From my experience I never found case when codesign did not fail during signing, but signature verification failed. So, for now I think it is redundant and we will never get to signature verification step if something wrong since codesign will fail during signing. Only case I see is when we did not run codesign at all, but it means our entire signing is broken.
> 
> Michael, do you have any examples when you was able to sign application bundle via jpackage or manually, but codesign verification gave error?
> 
> -------------
> 
> PR Comment: https://git.openjdk.org/jdk/pull/16085#issuecomment-1773366403

It might not be broken for you, although verification I wouldn’t think would do any harm. I did have one occasion where I thought jpackage signing was broken because verification failed. However it turned out this was because I was using Unix cp or mv on the application which didn’t work correctly. I changed to using macOS ditto and it worked fine. I think I saw you use something else different to copy the app but don’t remember what. 

This though would be an example where the user can do something that breaks signing, after the fact though, so not a perfect example. A verify at the end of jpackage would have told me that the problem wasn’t with jpackage. 

I think I had one or two other problems with signing on older versions but it has now been stable in my use for sometime. I could try to dig up the incidents if wanted. All fixed at this time as far as I know.

When I read the comments here it said something about being unable to guarantee it was correctly signed. I thought codesign verify would tell you that.

Mike

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/core-libs-dev/attachments/20231020/813888a4/attachment-0001.htm>