RFR: 8361224: [macos] MacSignTest.testMultipleCertificates failed
Alexey Semenyuk
asemenyuk at openjdk.org
Fri Jul 11 20:50:38 UTC 2025
On Fri, 11 Jul 2025 19:57:54 GMT, Alexander Matveev <almatvee at openjdk.org> wrote:
> Test updated to expect `jpackage` to PASS in case of `--mac-signing-key-user-name` and FAIL in case of `-mac-app-image-sign-identity`. See explanation below.
>
> Case 1: Only common name of certificate is used (PASS):
> jpackage --type dmg -i input -n Test --main-class components.DynamicTreeDemo --main-jar DynamicTreeDemo.jar --mac-sign --mac-signing-keychain jpackagerTest-duplicate.keychain --mac-signing-key-user-name jpackage.openjdk.java.net
> [10:02:37.545] WARNING: Multiple certificates found matching [Developer ID Application: jpackage.openjdk.java.net] using keychain [jpackagerTest-duplicate.keychain], using first one
>
> Actual codesign command in PASS case:
> /usr/bin/codesign -s CBDE500D7ED18E08F6DF852A5D23D8C7113EB30C -vvvv --timestamp --options runtime --prefix components. --keychain jpackagerTest-duplicate.keychain --force /var/folders/dr/65dj5x3j0296mqtsn9z27xc80000gn/T/jdk.jpackage3439321874841533317/image/Test.app
>
> CBDE500D7ED18E08F6DF852A5D23D8C7113EB30C is hash of certificate which exist in both jpackagerTest.keychain and jpackagerTest-duplicate.keychain. Based on man page documentation it is allowed. When hash is used codesign will not perform any search of certificates based on man page. So codesign will not fail which is expected.
>
> Case 2: Full name of certificate is used (FAIL):
> jpackage --type dmg -i input -n Test --main-class components.DynamicTreeDemo --main-jar DynamicTreeDemo.jar --mac-sign --mac-signing-keychain jpackagerTest-duplicate.keychain --mac-app-image-sign-identity "Developer ID Application: jpackage.openjdk.java.net"
> Error: "codesign" failed with following output:
> Developer ID Application: jpackage.openjdk.java.net: found in both /Users/alexander/Library/Keychains/jpackagerTest.keychain-db and /Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db (this is all right)
> Developer ID Application: jpackage.openjdk.java.net: ambiguous (matches "Developer ID Application: jpackage.openjdk.java.net" in /Users/alexander/Library/Keychains/jpackagerTest.keychain-db and "Developer ID Application: jpackage.openjdk.java.net" in /Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db)
>
> Actual codesign command in FAIL case:
> /usr/bin/codesign -s Developer ID Application: jpackage.openjdk.java.net -vvvv --timestamp --options runtime --prefix components. --keychain jpackagerTest-duplicate.keychain /var/folders/dr/65dj5x3j0296mqtsn9z27xc80000gn/T/jdk.jpackage12899615926124631029/image/Test.app/Contents/runtime/Contents/H...
Marked as reviewed by asemenyuk (Reviewer).
-------------
PR Review: https://git.openjdk.org/jdk/pull/26275#pullrequestreview-3011936856
More information about the core-libs-dev
mailing list