RFR: 8371438: jpackage should handle the case when "--mac-sign" is specified without signing identity options
Alexey Semenyuk
asemenyuk at openjdk.org
Wed Feb 25 11:12:09 UTC 2026
Restore the logic of how jpackage handles cases when the "--mac-sign" option is specified without the "--mac-signing-key-user-name" or "--mac-app-image-sign-identity" option.
Make it work as it did prior to the [JDK-8333664](https://bugs.openjdk.org/browse/JDK-8333664) patch, which caused jpackage to silently ignore the "--mac-sign" option and not sign the output bundle.
The restored behavior is as follows:
If the "--mac-sign" option is specified, jpackage will always attempt to sign the output bundle.
If none of the signing identity options ("--mac-signing-key-user-name", "--mac-app-image-sign-identity", or "--mac-installer-sign-identity") is specified, jpackage will look up a signing identity (or signing identities in case of PKG bundling) in the keychain specified with the "--mac-signing-keychain" option, or in the default keychain of the current user if the "--mac-signing-keychain" option is not specified.
If the keychain contains exactly one signing certificate of a specific type (a certificate for signing an app image or a certificate for signing a PKG installer), jpackage will use it for signing. Otherwise, jpackage will exit with an error.
Added tests to cover the cases when the "--mac-sign" option is specified and the keychain has/doesn't have signing certificates.
-------------
Commit messages:
- Use jdk.test.lib.security.CertificateBuilder to create signing certificates instead of static sign-env.xml
- ErrorTest: better coverage for signing without explicit signing identity on the command line
- Support signing mocks. So far "/usr/bin/security" mock is supported.
- test.mock: enhance CommandAction.Context; MockIllegalStateException: add null check to the ctor
- MacSign: expose some API, support keychain mocks
- Add negative tests; Fix bug in MacFromOptions.createMacApplicationInternal() uncovered with the negative tests
- SigningAppImageTwoStepsTest: remove redundant test cases
- MacHelper: Support testing of SHA1 digests with the "--mac-signing-key-user-name" option; reduce number of test cases in the tests derived from the SigningPackageTest test; SigningPackageTest: remove redundant test cases
- SigningAppImageTwoStepsTest: add missing MacSign.withKeychain() call. Without the call, the test may randomly fail with cryptic "SigningAppImageTwoStepsTest/test.4fc29fd2/appimage-5/SigningAppImageTwoStepsTest.app/Contents/MacOS/testAL: errSecInternalComponent" error message if the keychain happens to be locked. "security unlock-keychain" command unlocks a keychain, but it gets automatically locked after some duration of time. To avoid interrupts, signing tests should call the "security unlock-keychain" command on a keychain before running any signing operations using this keychain.
- MacFromOptions: fix ServiceTest failure
- ... and 1 more: https://git.openjdk.org/jdk/compare/6b576235...3744639e
Changes: https://git.openjdk.org/jdk/pull/29290/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=29290&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8371438
Stats: 1429 lines in 20 files changed: 1295 ins; 35 del; 99 mod
Patch: https://git.openjdk.org/jdk/pull/29290.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/29290/head:pull/29290
PR: https://git.openjdk.org/jdk/pull/29290
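A pre-flight check that a release pipeline could run before calling jpackage with "--mac-sign" and no identity option, applying the same exactly-one-certificate rule to the text printed by `security find-identity -v`. This is an added example, not code from the pull request or from jpackage; the function name, the sample listings and the "Developer ID ..." name prefixes are assumptions.

```bash
# Constructed sample listings in the format printed by
# `security find-identity -v [keychain]`; hashes, names and team IDs are made up.
SAMPLE_OK='  1) 1111111111111111111111111111111111111111 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 2222222222222222222222222222222222222222 "Developer ID Installer: Example Corp (ABCDE12345)"
     2 valid identities found'
SAMPLE_AMBIGUOUS='  1) 3333333333333333333333333333333333333333 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 4444444444444444444444444444444444444444 "Developer ID Application: Other Org (ZYXWV98765)"
     2 valid identities found'

# pick_identity PREFIX   (hypothetical helper; reads a listing on stdin)
# Prints the only identity whose name starts with PREFIX and returns 0.
# Returns 1 when no identity matches and 2 when several do, so the build
# stops instead of signing with an identity nobody chose.
pick_identity() {
  local prefix="$1" matches count
  # Keep the quoted identity name from lines shaped like:  N) <40 hex> "name"
  # Lines carrying a trailing status after the closing quote are skipped.
  matches=$(sed -n 's/^ *[0-9][0-9]*) [0-9A-Fa-f]\{40\} "\(.*\)"$/\1/p' |
            awk -v p="$prefix" 'index($0, p) == 1')
  # Two certificates with the same name count twice: still ambiguous.
  count=$(printf '%s' "$matches" | grep -c . || true)
  case "$count" in
    0) echo "no \"$prefix\" identity in keychain" >&2
       return 1 ;;
    1) printf '%s\n' "$matches" ;;
    *) echo "$count \"$prefix\" identities found; name one explicitly" >&2
       return 2 ;;
  esac
}

# Demo on constructed data. On macOS, pipe in the real listing instead:
#   security find-identity -v "$KEYCHAIN" | pick_identity "Developer ID Application: "
printf '%s\n' "$SAMPLE_OK" | pick_identity "Developer ID Application: "
```

For PKG bundling, run the check once per certificate type, since both an application and an installer identity are needed.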