On Fri, 20 Oct 2023 04:23:22 GMT, Alexander Matveev <almat...@openjdk.org> 
wrote:

>> - Added `--mac-app-image-sign-identity` and `--mac-installer-sign-identity` 
>> CLI options to jpackage to provide signing identity directly to `codesign` 
>> and `productbuild` tools as per CSR 
>> [JDK-8316631](https://bugs.openjdk.org/browse/JDK-8316631).
>> - If `codesign` or `productbuild` fails, then the output of these tools will be 
>> printed to stdout to help the user diagnose issues with signing using the new 
>> options. Examples with the sign identity set to "test", which does not exist on 
>> the system:
>>> Error: "codesign" failed with following output:
>>> test: no identity found
>> 
>>> Error: "productbuild" failed with following output:
>>> productbuild: error: Cannot write product to "/Users/SOMEDIR/Test-1.0.pkg". 
>>> (Could not find appropriate signing identity for “test”.)
>> - Added error handling not to allow invalid combinations of signing options.
>> - Updated signing tests to test new changes.
>
> Alexander Matveev has updated the pull request incrementally with one 
> additional commit since the last revision:
> 
>   8311877: [macos] Add CLI options to provide signing identity directly to 
> codesign and productbuild [v2]

Michael filed https://bugs.openjdk.org/browse/JDK-8318063 for codesign 
verification, so I would prefer to move the discussion under this JBS issue on this 
topic.

For now I do not know if we need to add it. From my experience, I never found 
a case where codesign did not fail during signing but signature verification 
failed. So, for now I think it is redundant, and we will never get to the signature 
verification step if something is wrong, since codesign will fail during signing. 
The only case I see is when we did not run codesign at all, but it means our entire 
signing is broken.

Michael, do you have any examples where you were able to sign an application bundle 
via jpackage or manually, but codesign verification gave an error?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/16085#issuecomment-1773366403
