My Apple developer certificate name has the form
Apple Development: Alan Snyder (XX00X0XXX0)
This name was created by Apple.
When I try to use this certificate with jpackage, it is not used.
For example:
$ java --version
openjdk 20.0.1 2023-04-18
OpenJDK Runtime Environment (build 20.0.1+9-29)
OpenJDK 64-Bit Server VM (build 20.0.1+9-29, mixed mode, sharing)
$ jpackage --type app-image --main-jar ... --mac-signing-key-user-name "Alan Snyder" --input ...
$ codesign -d -v *.app
Executable=...
Identifier=test
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1597 flags=0x2(adhoc) hashes=44+3 location=embedded
Signature=adhoc
Info.plist entries=16
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=304
Internal requirements count=0 size=12
I have no trouble using this certificate directly with codesign.
I can simply provide the alphanumeric key as the identity.
codesign has a simple and useful process for finding the actual certificate:
The identity is first considered as the full name of a keychain identity preference. If such a preference exists, it directly names the identity used. Otherwise, the identity is located by searching all keychains for a certificate whose subject common name (only) contains the identity string given. If there are multiple matches, the operation fails and no signing is performed; however, an exact match is preferred over a partial match. These comparisons are case sensitive. Multiple instances of the exactly same certificate in multiple keychains are tolerated as harmless.
I see no reason why jpackage should not simply pass the string I give it to codesign.
Apple Development: Alan Snyder (XX00X0XXX0)
This name was created by Apple.
When I try to use this certificate with jpackage, it is not used.
For example:
$ java --version
openjdk 20.0.1 2023-04-18
OpenJDK Runtime Environment (build 20.0.1+9-29)
OpenJDK 64-Bit Server VM (build 20.0.1+9-29, mixed mode, sharing)
$ jpackage --type app-image --main-jar ... --mac-signing-key-user-name "Alan Snyder" --input ...
$ codesign -d -v *.app
Executable=...
Identifier=test
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=1597 flags=0x2(adhoc) hashes=44+3 location=embedded
Signature=adhoc
Info.plist entries=16
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=304
Internal requirements count=0 size=12
I have no trouble using this certificate directly with codesign.
I can simply provide the alphanumeric key as the identity.
codesign has a simple and useful process for finding the actual certificate:
The identity is first considered as the full name of a keychain identity preference. If such a preference exists, it directly names the identity used. Otherwise, the identity is located by searching all keychains for a certificate whose subject common name (only) contains the identity string given. If there are multiple matches, the operation fails and no signing is performed; however, an exact match is preferred over a partial match. These comparisons are case sensitive. Multiple instances of the exactly same certificate in multiple keychains are tolerated as harmless.
I see no reason why jpackage should not simply pass the string I give it to codesign.
- csr for
-
JDK-8316631 [macos] Add CLI options to provide signing identity directly to codesign and productbuild
-
- Closed
-
- relates to
-
JDK-8308042 [macOS] Developer ID Application Certificate not picked up by jpackage if it contains UNICODE characters
-
- Resolved
-
-
-
- Resolved
-
