Integrated: 8361224: [macos] MacSignTest.testMultipleCertificates failed
Alexander Matveev
almatvee at openjdk.org
Mon Jul 14 15:10:46 UTC 2025
On Fri, 11 Jul 2025 19:57:54 GMT, Alexander Matveev <almatvee at openjdk.org> wrote:
> Test updated to expect `jpackage` to PASS in case of `--mac-signing-key-user-name` and FAIL in case of `-mac-app-image-sign-identity`. See explanation below.
>
> Case 1: Only common name of certificate is used (PASS):
> jpackage --type dmg -i input -n Test --main-class components.DynamicTreeDemo --main-jar DynamicTreeDemo.jar --mac-sign --mac-signing-keychain jpackagerTest-duplicate.keychain --mac-signing-key-user-name jpackage.openjdk.java.net
> [10:02:37.545] WARNING: Multiple certificates found matching [Developer ID Application: jpackage.openjdk.java.net] using keychain [jpackagerTest-duplicate.keychain], using first one
>
> Actual codesign command in PASS case:
> /usr/bin/codesign -s CBDE500D7ED18E08F6DF852A5D23D8C7113EB30C -vvvv --timestamp --options runtime --prefix components. --keychain jpackagerTest-duplicate.keychain --force /var/folders/dr/65dj5x3j0296mqtsn9z27xc80000gn/T/jdk.jpackage3439321874841533317/image/Test.app
>
> CBDE500D7ED18E08F6DF852A5D23D8C7113EB30C is hash of certificate which exist in both jpackagerTest.keychain and jpackagerTest-duplicate.keychain. Based on man page documentation it is allowed. When hash is used codesign will not perform any search of certificates based on man page. So codesign will not fail which is expected.
>
> Case 2: Full name of certificate is used (FAIL):
> jpackage --type dmg -i input -n Test --main-class components.DynamicTreeDemo --main-jar DynamicTreeDemo.jar --mac-sign --mac-signing-keychain jpackagerTest-duplicate.keychain --mac-app-image-sign-identity "Developer ID Application: jpackage.openjdk.java.net"
> Error: "codesign" failed with following output:
> Developer ID Application: jpackage.openjdk.java.net: found in both /Users/alexander/Library/Keychains/jpackagerTest.keychain-db and /Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db (this is all right)
> Developer ID Application: jpackage.openjdk.java.net: ambiguous (matches "Developer ID Application: jpackage.openjdk.java.net" in /Users/alexander/Library/Keychains/jpackagerTest.keychain-db and "Developer ID Application: jpackage.openjdk.java.net" in /Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db)
>
> Actual codesign command in FAIL case:
> /usr/bin/codesign -s Developer ID Application: jpackage.openjdk.java.net -vvvv --timestamp --options runtime --prefix components. --keychain jpackagerTest-duplicate.keychain /var/folders/dr/65dj5x3j0296mqtsn9z27xc80000gn/T/jdk.jpackage12899615926124631029/image/Test.app/Contents/runtime/Contents/H...
This pull request has now been integrated.
Changeset: a10ee46e
Author: Alexander Matveev <almatvee at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/a10ee46e6dd94a279e0821d431944bb096493664
Stats: 15 lines in 1 file changed: 6 ins; 0 del; 9 mod
8361224: [macos] MacSignTest.testMultipleCertificates failed
Reviewed-by: asemenyuk
-------------
PR: https://git.openjdk.org/jdk/pull/26275
More information about the core-libs-dev
mailing list