Test updated to expect `jpackage` to PASS in case of
`--mac-signing-key-user-name` and FAIL in case of
`-mac-app-image-sign-identity`. See explanation below.
Case 1: Only common name of certificate is used (PASS):
jpackage --type dmg -i input -n Test --main-class components.DynamicTreeDemo
--main-jar DynamicTreeDemo.jar --mac-sign --mac-signing-keychain
jpackagerTest-duplicate.keychain --mac-signing-key-user-name
jpackage.openjdk.java.net
[10:02:37.545] WARNING: Multiple certificates found matching [Developer ID
Application: jpackage.openjdk.java.net] using keychain
[jpackagerTest-duplicate.keychain], using first one
Actual codesign command in PASS case:
/usr/bin/codesign -s CBDE500D7ED18E08F6DF852A5D23D8C7113EB30C -vvvv --timestamp
--options runtime --prefix components. --keychain
jpackagerTest-duplicate.keychain --force
/var/folders/dr/65dj5x3j0296mqtsn9z27xc80000gn/T/jdk.jpackage3439321874841533317/image/Test.app
CBDE500D7ED18E08F6DF852A5D23D8C7113EB30C is hash of certificate which exist in
both jpackagerTest.keychain and jpackagerTest-duplicate.keychain. Based on man
page documentation it is allowed. When hash is used codesign will not perform
any search of certificates based on man page. So codesign will not fail which
is expected.
Case 2: Full name of certificate is used (FAIL):
jpackage --type dmg -i input -n Test --main-class components.DynamicTreeDemo
--main-jar DynamicTreeDemo.jar --mac-sign --mac-signing-keychain
jpackagerTest-duplicate.keychain --mac-app-image-sign-identity "Developer ID
Application: jpackage.openjdk.java.net"
Error: "codesign" failed with following output:
Developer ID Application: jpackage.openjdk.java.net: found in both
/Users/alexander/Library/Keychains/jpackagerTest.keychain-db and
/Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db (this is
all right)
Developer ID Application: jpackage.openjdk.java.net: ambiguous (matches
"Developer ID Application: jpackage.openjdk.java.net" in
/Users/alexander/Library/Keychains/jpackagerTest.keychain-db and "Developer ID
Application: jpackage.openjdk.java.net" in
/Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db)
Actual codesign command in FAIL case:
/usr/bin/codesign -s Developer ID Application: jpackage.openjdk.java.net -vvvv
--timestamp --options runtime --prefix components. --keychain
jpackagerTest-duplicate.keychain
/var/folders/dr/65dj5x3j0296mqtsn9z27xc80000gn/T/jdk.jpackage12899615926124631029/image/Test.app/Contents/runtime/Contents/Home/lib/libnet.dylib
[11:20:45.113] Output:
Developer ID Application: jpackage.openjdk.java.net: found in both
/Users/alexander/Library/Keychains/jpackagerTest.keychain-db and
/Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db (this is
all right)
Developer ID Application: jpackage.openjdk.java.net: ambiguous (matches
"Developer ID Application: jpackage.openjdk.java.net" in
/Users/alexander/Library/Keychains/jpackagerTest.keychain-db and "Developer ID
Application: jpackage.openjdk.java.net" in
/Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db)
Full certificate name is being passed since --mac-app-image-sign-identity is
used which is pass through. In this case codesign will perform search and finds
duplicated certificate and fails, since it does not know which one to use.
Based on man page it is expected.
Suggested fix:
Case when --mac-signing-key-user-name is used. jpackage should PASS, since
jpackage performs certificate search and selects first one with warning by
design.
Case when --mac-app-image-sign-identity is used. jpackage should FAIL, since
codesign selects certificate based on --mac-app-image-sign-identity.
-------------
Commit messages:
- 8361224: [macos] MacSignTest.testMultipleCertificates failed
Changes: https://git.openjdk.org/jdk/pull/26275/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=26275&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8361224
Stats: 15 lines in 1 file changed: 6 ins; 0 del; 9 mod
Patch: https://git.openjdk.org/jdk/pull/26275.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/26275/head:pull/26275
PR: https://git.openjdk.org/jdk/pull/26275
