RFR: 8352176: Automate setting up environment for mac signing tests

Alexey Semenyuk asemenyuk at openjdk.org
Wed Mar 19 00:14:47 UTC 2025


Automate setting up an environment for mac signing tests: create keychain(s), self-signing certificates, and register them in the system.

To set up the environment, run the `make test-only TEST=test/jdk/tools/jpackage/macosx/base/SigningBase.java JTREG=JAVA_OPTIONS=-Djpackage.test.SignEnv=setup` command.

The above command will create the "jpackagerTest.keychain" keychain, one private RSA key, and four self-signed certificates using this key:

| Certificate common name (CN) | Usage |
|----------------------------------|-----|
| Developer ID Application: jpackage.openjdk.java.net|Code sign|
| Developer ID Installer: jpackage.openjdk.java.net|.pkg sign|
| Developer ID Application: jpackage.openjdk.java.net (ö)|Code sign|
| Developer ID Installer: jpackage.openjdk.java.net (ö)|.pkg sign|

Certificates will be added to the list of trusted certificates using a sequence of `security add-trusted-cert...` commands (one command per certificate). This step will require user interaction to enter the user account password as many times as the number of created certificates (four). A user will be presented with the "Trust certificate" dialog describing which certificate is about to be added to the list of trusted certificates before the dialog prompting for the user password pops up:
<img width="440" alt="trust-cert-prompt" src="https://github.com/user-attachments/assets/a67d0966-2dea-4bc6-93a6-f52dad599898" />

When the user presses the "OK" button on the "Trust certificate" dialog, the dialog prompting for the user password will pop up:
<img width="800" alt="trust-cert-prompt-2" src="https://github.com/user-attachments/assets/1d1f022d-54ac-4a7e-8d0a-9bfe65c76b49" />

Suppose the user presses the "Cancel" button on the "Trust certificate" dialog. In that case, the dialog prompting for the user password will NOT pop up, and the whole sequence of adding certificates to the list of trusted certificates will abort.

If the user presses the "Cancel" button on the dialog prompting for the user password, it will be dismissed, and the user will start over with the same "Trust certificate" dialog.

Every "Trust certificate" dialog has a one-minute timeout. If the dialog is automatically dismissed because of the timeout expiration, adding certificates to the list of trusted certificates will abort.

To tear down the environment, run the `make test-only TEST=test/jdk/tools/jpackage/macosx/base/SigningBase.java JTREG=JAVA_OPTIONS=-Djpackage.test.SignEnv=teardown` command. This command will unlink and delete the "jpackagerTest.keychain" keychain. It will not call `security remove-trusted-cert...`.

Setting up the environment multiple times without explicitly tearing it down is safe.

This automation doesn't configure the system to install .pkg bundles produced by jpackage tests. It only allows running signed app launchers and installing signed .dmg bundles.

-------------

Commit messages:
 - Remove MacSignTest.java
 - Applied bin/blessed-modifier-order.sh
 - Can use jtreg to set up and tear down signing environment for jpackage signing tests.
 - Remove trailing whitespace
 - Minor
 - Better UI for adding trusted certificates
 - Automate signing env setup for the existing mac sign tests
 - Encapsulated signing environment setup/teardown in MacSign.
 - Finalized sign setup code. MacSignTest.testAppImage() pass.
 - Minor and documented experience of setting up sign test environment on macOS Sequoia
 - ... and 1 more: https://git.openjdk.org/jdk/compare/8e530633...f4d55824

Changes: https://git.openjdk.org/jdk/pull/24087/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=24087&range=00
  Issue: https://bugs.openjdk.org/browse/JDK-8352176
  Stats: 904 lines in 4 files changed: 900 ins; 2 del; 2 mod
  Patch: https://git.openjdk.org/jdk/pull/24087.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/24087/head:pull/24087

PR: https://git.openjdk.org/jdk/pull/24087

