<!DOCTYPE html><html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    Daniel,<br>
    <br>
    I filed [1] CR to track the work on fixing the breaking change in
    jpackage. <br>
    I'm on the fence about how to fix it, though.<br>
    Restoring the old behavior imposes a security risk.<br>
    Making jpackage fail if the "--mac-sign" option is specified without
    options specifying signing identity makes it redundant.<br>
    <br>
    If you have a preference, please share.<br>
    <br>
    In situations when it is ambiguous which certificate to pick,
    jpackage will pick the first one and issue a warning. E.g.:<br>
    ---<br>
    WARNING: Multiple certificates found matching [Developer ID
    Application: jpackage.openjdk.java.net] using keychain
    [jpackagerTest-duplicate.keychain], using first one<br>
    ---<br>
    <br>
    I agree with your suggestion that jpackage should exit with an error
    in this situation instead of issuing a warning. I filed [2] to track
    this change.<br>
    <br>
    [1] <a class="moz-txt-link-freetext" href="https://bugs.openjdk.org/browse/JDK-8371438">https://bugs.openjdk.org/browse/JDK-8371438</a><br>
    [2] <a class="moz-txt-link-freetext" href="https://bugs.openjdk.org/browse/JDK-8371440">https://bugs.openjdk.org/browse/JDK-8371440</a><br>
    <br>
    - Alexey<br>
    <br>
    <div class="moz-cite-prefix">On 11/6/2025 5:51 AM, Daniel Peintner
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:CAAoP7T5RubQqdUGuH9M-sYZVMzA0j8mx2Kd2kHbVDeBzLMXhYg@mail.gmail.com">
      
      <div dir="ltr">
        <div>Alexey, all,</div>
        <div><br>
        </div>
        <div>Thank you very much for your help.</div>
        <div>I still have issues making it work, and I shared logs
          privately.</div>
        <div><br>
        </div>
        <div>Anyhow, some general comments/suggestions.</div>
        <div><br>
        </div>
        <div>You are right, with JDK21 it was enough to state the
          "--mac-sign" option, and it picked the (only/correct)
          certificate (in my case).</div>
        <div><br>
        </div>
        <div>As I understand, with JDK25 this is no longer the case. I
          don't want to argue whether the *old* or *new* way is
          preferred. However, it is a breaking change.</div>
        <div>Hence, what I may suggest, though, is that it throw errors
          if the expected information (<span><span>i.e.</span></span>, 
          "--mac-signing-key-user-name") is missing. Otherwise, a
          developer doesn't know that there is a problem.</div>
        <div><br>
        </div>
        <div>The same goes for situations when it is not unique which
          certificate to pick. You pointed me to [1] which fixes the
          problem that I can find the certificate with *partial*
          information without the need to specify the full
          --mac-signing-key-user-name.</div>
        <div>In situations where there are more matches, I would argue
          the process should fail again with an error message hinting
          the problem (e.g., certificate not uniquely identifiable).
          Looking at [2] I don't think this is the case.</div>
        <div><br>
        </div>
        <div>Thank you very much for your continuous support!</div>
        <div><br>
        </div>
        <div>-- Daniel</div>
        <div><br>
        </div>
        <div>[1] <a href="https://bugs.openjdk.org/browse/JDK-8371094" moz-do-not-send="true" class="moz-txt-link-freetext">https://bugs.openjdk.org/browse/JDK-8371094</a></div>
        <div>[2] <a href="https://github.com/openjdk/jdk/commit/0555f6228c59c6739b8b824d64eb6c1545a5520a" moz-do-not-send="true">https://github.com/openjdk/jdk/commit/0555f6228c59c6739b8b824d64eb6c1545a5520a</a></div>
        <div><br>
        </div>
        <div><br>
        </div>
        <br>
        <div class="gmail_quote gmail_quote_container">
          <div dir="ltr" class="gmail_attr">On Wed, Nov 5, 2025 at
            7:31 PM Alexey Semenyuk &lt;<a href="mailto:alexey.semenyuk@oracle.com" moz-do-not-send="true" class="moz-txt-link-freetext">alexey.semenyuk@oracle.com</a>&gt;
            wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div> Daniel,<br>
              <br>
              I've commented on the logs you shared privately. Adding
              some thoughts to the mail list.<br>
              <br>
              jpackage configuration at [1] is missing the
              "--mac-signing-key-user-name" or
              "--mac-app-image-sign-identity" option. I noted it in the
              private email as well.<br>
              At first I assumed it was a mistake, but then I came
              across an old thread about the very same jpackage issue at
              [2] where you state that "--mac-sign" option is sufficient
              to make jpackage find the signing identity. So this is
              intentional.<br>
              <br>
              jdk25 jpackage will not look up the signing identity
              unless "--mac-signing-key-user-name" or
              "--mac-app-image-sign-identity" option is specified. I'm
              surprised it did in older releases.<br>
              <br>
              For the sake of backward compatibility we can restore this
              behavior. But I think jpackage should exit with an error
              if the "--mac-sign" option is specified, but neither
              "--mac-signing-key-user-name" nor
              "--mac-app-image-sign-identity" is. The old behavior, when
              without these options jpackage picked the first available
              certificate with the common name starting with "Developer
              ID Application: " substring is not secure. It literally
              tells jpackage to pick any certificate without any
              filtering. If there is only one such certificate installed
              and it gets replaced, you will not even notice that your
              app is signed with a different certificate.<br>
              <br>
              I suggest you add "--mac-signing-key-user-name" or
              "--mac-app-image-sign-identity" option to jpackage command
              line at [1] to make it work.<br>
              <br>
              [1]
              <a href="https://github.com/danielpeintner/Java11Test/blob/fdefe61e7e99747d6a62ac4b0a778fb0151b22e4/build.gradle#L148-L151" target="_blank" moz-do-not-send="true">https://github.com/danielpeintner/Java11Test/blob/fdefe61e7e99747d6a62ac4b0a778fb0151b22e4/build.gradle#L148-L151</a><br>
              [2] <a href="https://mail.openjdk.org/pipermail/core-libs-dev/2021-August/080291.html" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">https://mail.openjdk.org/pipermail/core-libs-dev/2021-August/080291.html</a><br>
              <br>
              - Alexey<br>
              <br>
              <div>On 11/5/2025 4:16 AM, Daniel Peintner wrote:<br>
              </div>
              <blockquote type="cite">
                <div dir="ltr">
                  <div>Hi Alexey,</div>
                  <div><br>
                  </div>
                  <div>Thank you for your reply.</div>
                  <div><br>
                  </div>
                  <div class="gmail_quote">
                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                      <div>Does the warning message resemble the one at
                        [1]?<br>
                      </div>
                    </blockquote>
                    <div><br>
                    </div>
                    <div>Yes, exactly.</div>
                    <div> </div>
                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                      <div> I think your evaluation that the step 1
                        failed is correct. I'd suggest adding
                        "--verbose" option to the step 1 command line to
                        get more details.<br>
                      </div>
                    </blockquote>
                    <div><br>
                    </div>
                    <div>I updated a demo/test project to demonstrate
                      the problem. You can now also try it yourself.</div>
                    <div><a href="https://github.com/danielpeintner/Java11Test/tree/non-modular" target="_blank" moz-do-not-send="true">https://github.com/danielpeintner/Java11Test/tree/non-modular</a></div>
                    <div><br>
                    </div>
                    <div>There you can also find the 3 jpackage commands
                      I use</div>
                    <div><a href="https://github.com/danielpeintner/Java11Test/blob/fdefe61e7e99747d6a62ac4b0a778fb0151b22e4/build.gradle#L148-L151" target="_blank" moz-do-not-send="true">https://github.com/danielpeintner/Java11Test/blob/fdefe61e7e99747d6a62ac4b0a778fb0151b22e4/build.gradle#L148-L151</a></div>
                    <div><br>
                    </div>
                    <div>W.r.t. sharing the logs file. I will send them
                      to you *privately*. I quickly scanned them and I
                      would rather not have them on the reflector.</div>
                    <div><br>
                    </div>
                    <div>The weird thing is, that the difference seems
                      to happen in step 1. Anyhow, running these
                      commands the difference is also somehow in step 2
                      where</div>
                    <div>* JDK21 pops up a dialog which asks me
                      whether I want to allow access to my keys</div>
                    <div>* JDK25 does not need any interaction</div>
                    <div><br>
                    </div>
                    <div>I hope this helps to find the "difference".</div>
                    <div><br>
                    </div>
                    <div>Thanks,</div>
                    <div><br>
                    </div>
                    <div>-- Daniel</div>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div> </div>
                    <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                      <div> <br>
                        [1] <a href="https://github.com/openjdk/jdk/blob/4c6af03f81e068a98b8f4628b96682a54f3946da/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/resources/MacResources_de.properties#L85" target="_blank" moz-do-not-send="true">https://github.com/openjdk/jdk/blob/4c6af03f81e068a98b8f4628b96682a54f3946da/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/resources/MacResources_de.properties#L85</a><br>
                        <br>
                        - Alexey<br>
                        <br>
                        <div>On 11/4/2025 12:32 PM, Daniel Peintner
                          wrote:<br>
                        </div>
                        <blockquote type="cite">
                          <div dir="ltr">
                            <div> Hi Alexey, all,</div>
                            <div><br>
                            </div>
                            <div>I nailed down the problem to the
                              following, which seems to differ between
                              JDK25 and JDK21.</div>
                            <div>Maybe this helps to reproduce the
                              issue.</div>
                            <div><br>
                            </div>
                            <div>jpackage is called 3 times in my
                              process</div>
                            <div>
                              <ol>
                                <li>/Library/Java/JavaVirtualMachines/jdk-21.jdk/Contents/Home/bin/jpackage
                                  --type app-image --input
                                  /Users/daniel/Documents/GitHub/myPROJECT/build/install/myPROJECT/lib
                                  --main-jar myPROJECT-25.11.03.jar
                                  --main-class
                                  eu.my_company.myproject.Launcher
                                  --dest
                                  /Users/daniel/Documents/GitHub/myPROJECT/build/jpackage
                                  --name myPROJECT --app-version
                                  25.11.03 --runtime-image
                                  /Users/daniel/Documents/GitHub/myPROJECT/build/jre
                                  --java-options
                                  --add-opens=javafx.base/com.sun.javafx.collections=ALL-UNNAMED
                                  --java-options
                                  --add-opens=javafx.base/com.sun.javafx.event=ALL-UNNAMED
                                  --java-options
                                  --add-opens=javafx.controls/com.sun.javafx.scene.control=ALL-UNNAMED
                                  --java-options
--add-opens=javafx.controls/com.sun.javafx.scene.control.behavior=ALL-UNNAMED
                                  --java-options
                                  --add-opens=javafx.controls/javafx.scene.control.skin=ALL-UNNAMED
                                  --java-options
                                  --add-exports=java.management/javax.management=ALL-UNNAMED
                                  --java-options
                                  --add-opens=java.xml/com.sun.org.apache.xerces.internal.util=ALL-UNNAMED
                                  --java-options
                                  --add-opens=javafx.graphics/com.sun.glass.ui=ALL-UNNAMED
                                  --icon
                                  src/main/deploy/package/macosx/myPROJECT.icns
                                  --mac-package-identifier
                                  eu.my-company.myproject --mac-sign<br>
                                  <br>
                                </li>
                                <li>/Library/Java/JavaVirtualMachines/jdk-21.jdk/Contents/Home/bin/jpackage
                                  --type pkg --dest
                                  /Users/daniel/Documents/GitHub/myPROJECT/build/jpackage
                                  --name myPROJECT --app-version
                                  25.11.03 --app-image
                                  /Users/daniel/Documents/GitHub/myPROJECT/build/jpackage/myPROJECT.app
                                  --file-associations
                                  src/main/resources/associations.properties
                                  --app-version 25.11.03 --vendor "My
                                  Company" --copyright "My Company"
                                  --mac-sign<br>
                                  <br>
                                </li>
                                <li>/Library/Java/JavaVirtualMachines/jdk-21.jdk/Contents/Home/bin/jpackage
                                  --type dmg --dest
                                  /Users/daniel/Documents/GitHub/myPROJECT/build/jpackage
                                  --name myPROJECT --app-version
                                  25.11.03 --app-image
                                  /Users/daniel/Documents/GitHub/myPROJECT/build/jpackage/myPROJECT.app
                                  --file-associations
                                  src/main/resources/associations.properties
                                  --app-version 25.11.03 --vendor "My
                                  Company" --copyright "My Company"
                                  --mac-sign</li>
                              </ol>
                              <div><br>
                              </div>
                              <div>First it creates the app-image and
                                afterwards it creates pkg and dmg and
                                signs it.</div>
                              <div><br>
                              </div>
                              As you can see in the 3 commands, it uses
                              JDK21.<br>
                              Once I change "jdk-21.jdk" with
                              "jdk-25.jdk" it warns after step 2 already
                              with the following message in German<br>
                              <br>
                              Warnung: Nicht signiertes app-image wird
                              zum Erstellen von signiertem pkg
                              verwendet.</div>
                            <div>
                              <div><br>
                              </div>
                              <div>It translates to something like: it
                                tries to sign pkg and complains that the
                                app-image is not signed.</div>
                              <div>Hence, somehow step 1 failed already
                                but does not show any error/warning.</div>
                              <div><br>
                              </div>
                              <div>Please let me know whether the above
                                helps to reproduce the issue.</div>
                              <div><br>
                              </div>
                              <div>Thanks,</div>
                              <div><br>
                              </div>
                              <div>-- Daniel</div>
                              <div><br>
                              </div>
                            </div>
                            <div><br>
                            </div>
                          </div>
                          <br>
                          <div class="gmail_quote">
                            <div dir="ltr" class="gmail_attr">On Tue,
                              Nov 4, 2025 at 4:01 PM Daniel Peintner
                              &lt;<a href="mailto:daniel.peintner@gmail.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">daniel.peintner@gmail.com</a>&gt;
                              wrote:<br>
                            </div>
                            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                              <div dir="ltr">
                                <div>Hi Alexey,</div>
                                <div><br>
                                </div>
                                <div>Thank you for your reply.</div>
                                <div>I am using the badass runtime
                                  plugin which calls jpackage under the
                                  hood.</div>
                                <div><br>
                                </div>
                                <div>While trying to create an example
                                  project, I noticed that there were
                                  some changes </div>
                                <div>'--mac-package-identifier' needs to
                                  go into imageOptions and
                                  not installerOptions.</div>
                                <div>see <a href="https://github.com/danielpeintner/Java11Test/commit/742fce0d9e2995554829b6f199f22f0b22a5d385" target="_blank" moz-do-not-send="true">https://github.com/danielpeintner/Java11Test/commit/742fce0d9e2995554829b6f199f22f0b22a5d385</a></div>
                                <div><br>
                                </div>
                                <div>That fixed the problem with
                                  jpackage. Anyhow, it still does not
                                  work with JDK25 and macOS signing.</div>
                                <div>Using the JDK25 seems to need
                                  additional options (compared to
                                  JDK21).</div>
                                <div><br>
                                </div>
                                <div>With JDK25 and --mac-sign the
                                  process no longer opens the KeyChain
                                  access and asks for the credentials.
                                  Hence, the image itself is no longer
                                  signed which matches with what I see
                                  on the debug console</div>
                                <div>"non signed app-image used to sign
                                  dmg"  ... freely translated into
                                  English since I see the German version
                                  only</div>
                                <div><br>
                                </div>
                                <div>Therefore, Apple's notary service
                                  says invalid with the logs like "The
                                  binary is not signed with a valid
                                  Developer ID certificate".</div>
                                <div><br>
                                </div>
                                <div>Using the *same* gradle file,
                                  switching to JDK21 works without any
                                  issues again.</div>
                                <div>I will try to investigate further.</div>
                                <div><br>
                                </div>
                                <div>Thanks,</div>
                                <div><br>
                                </div>
                                <div>-- Daniel</div>
                                <div><br>
                                </div>
                                <div><br>
                                </div>
                                <div><br>
                                </div>
                                <div><br>
                                </div>
                                <div class="gmail_quote">
                                  <div dir="ltr" class="gmail_attr">On
                                    Mon, Nov 3, 2025 at 7:30 PM Alexey
                                    Semenyuk &lt;<a href="mailto:alexey.semenyuk@oracle.com" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">alexey.semenyuk@oracle.com</a>&gt;
                                    wrote:<br>
                                  </div>
                                  <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                    <div> Hi Daniel,<br>
                                      <br>
                                      I can not reproduce the issue you
                                      experience with jdk25.0.1:<br>
                                      <br>
                                      ---<br>
                                      $
                                      ~/jdk-25.0.1.jdk/Contents/Home/bin/jpackage
                                      --input input --dest output --type
                                      app-image --main-jar hello.jar
                                      --main-class
                                      com.my_domain.project.Hello
                                      --mac-package-identifier
                                      com.my-domain.project<br>
                                      $ echo $?<br>
                                      0<br>
                                      ---<br>
                                      <br>
                                      If I run the same command line
                                      without `
                                      --mac-package-identifier` option
                                      it fails as expected:<br>
                                      ---<br>
                                      $
                                      ~/jdk-25.0.1.jdk/Contents/Home/bin/jpackage
                                      --input input --dest output --type
                                      app-image --main-jar hello.jar
                                      --main-class
                                      com.my_domain.project.Hello<br>
                                      Bundler Mac Application Image
                                      skipped because of a configuration
                                      problem: invalid mac bundle
                                      identifier
                                      [com.my_domain.project].<br>
                                      Advice to fix: specify identifier
                                      with "--mac-package-identifier".<br>
                                      ---<br>
                                      <br>
                                      The same failure for
                                      `--mac-package-identifier
                                      com.my_domain.project` (with the
                                      underscore):<br>
                                      ---<br>
                                      $
                                      ~/jdk-25.0.1.jdk/Contents/Home/bin/jpackage
                                      --input input --dest output --type
                                      app-image --main-jar hello.jar
                                      --main-class
                                      com.my_domain.project.Hello
                                      --mac-package-identifier
                                      com.my_domain.project<br>
                                      Bundler Mac Application Image
                                      skipped because of a configuration
                                      problem: invalid mac bundle
                                      identifier
                                      [com.my_domain.project].<br>
                                      Advice to fix: specify identifier
                                      with "--mac-package-identifier".<br>
                                      ---<br>
                                      <br>
                                      Any chance you accidentally put
                                      the string with the underscore
                                      instead of the hyphen as a value
                                      of the `--mac-package-identifier`
                                      option on your command line?<br>
                                      <br>
                                      - Alexey<br>
                                      <br>
                                      <div>On 11/3/2025 11:43 AM, Daniel
                                        Peintner wrote:<br>
                                      </div>
                                      <blockquote type="cite">
                                        <div dir="ltr">Hi,<br>
                                          <br>
                                          I am about to switch a JavaFX
                                          project from JDK21 to JDK25
                                          and I noticed a problem when
                                          running jpackage.<br>
                                          <br>
                                          My domain has a hyphen, like
                                          in <a href="http://www.my-domain.com" target="_blank" moz-do-not-send="true">www.my-domain.com</a><br>
                                          Hence, my Java package reads
                                          like this:
                                          com.my_domain.project<br>
                                          Note: hyphen becomes
                                          underscore.<br>
                                          <br>
                                          Running vanilla jpackage in
                                          JDK21 complained with<br>
                                          Invalid Mac-Bundle-ID
                                          [com.my_domain.project]<br>
                                          <div>due to the *invalid*
                                            underscore and suggests me
                                            to use
                                            "--mac-package-identifier"</div>
                                          <div><br>
                                          </div>
                                          <div>Hence, I added
                                            --mac-package-identifier
                                            com.my-domain.project (with
                                            the hyphen again)</div>
                                          <div>All good so far.</div>
                                          <div><br>
                                          </div>
                                          <div>Running the same code
                                            with JDK25 with the above
                                            settings shows the error
                                            message again</div>
                                          <div> Invalid Mac-Bundle-ID
                                            [com.my_domain.project] </div>
                                          <div><br>
                                          </div>
                                          <div>I can add any argument
                                            to  --mac-package-identifier</div>
                                          <div>It seems it is simply not
                                            taken into account.</div>
                                          <div><br>
                                          </div>
                                          <div>I am using JDK 25.0.1</div>
                                          <div><br>
                                          </div>
                                          <div>Is this a known issue
                                            with JDK25 and jpackage?</div>
                                          <div>Is there any other way to
                                            make jpackage work?</div>
                                          <div><br>
                                          </div>
                                          <div>Thanks,</div>
                                          <div><br>
                                          </div>
                                          <div>-- Daniel</div>
                                          <div><br>
                                          </div>
                                          <div><br>
                                          </div>
                                        </div>
                                      </blockquote>
                                      <br>
                                    </div>
                                  </blockquote>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                        </blockquote>
                        <br>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
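    <div>Added example, not part of the thread and not jpackage code: a
      shell pre-flight check for the two risks discussed above (a bare
      "--mac-sign" selecting whichever "Developer ID Application: "
      certificate is installed, and several certificates matching one
      name). It parses the listing printed by "security find-identity -v
      -p codesigning"; the identity names, the fingerprints and the helper
      names sample_listing, pinned_identity and sign_app_image are
      constructed for illustration, and jpackage is assumed to be on
      PATH.</div>

```shell
#!/bin/sh
# Added example (not jpackage code): refuse to sign unless exactly one
# pinned identity is present. Input is the listing printed by
#   security find-identity -v -p codesigning
# whose identity lines look like:   1) SHA1-FINGERPRINT "common name"

# Constructed sample listing (names and fingerprints are made up).
sample_listing() {
    printf '%s\n' \
        '  1) 1111111111111111111111111111111111111111 "Developer ID Application: Example Corp (AAAA000000)"' \
        '  2) 2222222222222222222222222222222222222222 "Developer ID Application: Other Vendor (BBBB111111)"' \
        '  3) 3333333333333333333333333333333333333333 "Developer ID Application: Other Vendor (BBBB111111)"' \
        '     3 valid identities found'
}

# pinned_identity NAME [EXPECTED_SHA1]
#   stdin : find-identity listing
#   stdout: fingerprint of the single identity whose quoted name is NAME
#   status: 0 ok, 1 no match, 2 ambiguous, 3 fingerprint differs from pin
pinned_identity() {
    name=$1
    expected=${2:-}
    # Match the full quoted name rather than a "Developer ID Application: "
    # prefix, then reduce to distinct fingerprints in case the same
    # certificate is listed more than once.
    hashes=$(awk -v n="\"$name\"" 'index($0, n) { print $2 }' | sort -u)
    if [ -z "$hashes" ]; then
        echo "no signing identity named [$name]" >&2
        return 1
    fi
    count=$(printf '%s\n' "$hashes" | grep -c .)
    if [ "$count" -ne 1 ]; then
        echo "$count certificates match [$name]; refusing to pick one" >&2
        return 2
    fi
    # Optional pin: a replaced certificate with the same name is caught here.
    if [ -n "$expected" ] && [ "$hashes" != "$expected" ]; then
        echo "identity [$name] has unexpected fingerprint $hashes" >&2
        return 3
    fi
    printf '%s\n' "$hashes"
}

# sign_app_image NAME EXPECTED_SHA1 [jpackage options...]
# Checks the real keychain listing, then names the identity explicitly
# instead of relying on a bare --mac-sign. Assumes jpackage is on PATH.
sign_app_image() {
    id_name=$1
    id_pin=$2
    shift 2
    security find-identity -v -p codesigning |
        pinned_identity "$id_name" "$id_pin" >/dev/null || return
    jpackage "$@" --mac-sign --mac-app-image-sign-identity "$id_name"
}

# Demo on the constructed listing: the unique name resolves to its
# fingerprint, the duplicated name is refused with status 2.
sample_listing | pinned_identity "Developer ID Application: Example Corp (AAAA000000)"
sample_listing | pinned_identity "Developer ID Application: Other Vendor (BBBB111111)" ||
    echo "refused with status $?"
```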
  </body>
</html>