RFR: 8371438: jpackage should handle the case when "--mac-sign" is specified without signing identity options

[Alexander Matveev]

On Sun, 18 Jan 2026 07:34:45 GMT, Alexey Semenyuk <asemenyuk at openjdk.org> wrote:

> Restore the logic of how jpackage handles cases when the "--mac-sign" option is specified without the "--mac-signing-key-user-name" or "--mac-app-image-sign-identity" option. 
> 
> Make it work as it did prior to the [JDK-8333664](https://bugs.openjdk.org/browse/JDK-8333664) patch, which caused jpackage to silently ignore the "--mac-sign" option and not sign the output bundle.
> 
> The restored behavior is as follows:
> 
> If the "--mac-sign" option is specified, jpackage will always attempt to sign the output bundle.
> 
> If none of the signing identity options ("--mac-signing-key-user-name", "--mac-app-image-sign-identity", or "--mac-installer-sign-identity") is specified, jpackage will look up for a signing identity (or signing identities in case of PKG bundling) in the keychain specified with the "--mac-signing-keychain", or in the default keychain of the current user if the "--mac-signing-keychain" option is not specified.
> 
> If the keychain contains exactly one signing certificate of a specific type (a certificate for signing an app image or a certificate for signing a PKG installer), jpackage will use it for signing. Otherwise, jpackage will exit with an error.
> 
> Added tests to cover the cases when the "--mac-sign" option is specified and the keychain has/doesn't have signing certificates.

Looks good.

-------------

Marked as reviewed by almatvee (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/29290#pullrequestreview-3858069316