Summary

Add --mac-app-image-sign-identity and --mac-installer-sign-identity CLI options to jpackage to provide signing identity directly to codesign and productbuild tools which are used to sign application images and installers generated by jpackage.

Problem

Currently jpackage supports following option to find certificates for signing: --mac-signing-key-user-name <team name>. jpackage will use <team name> to run security find-certificate <team name> to list all available certificates and then selects first one based on target type and --mac-app-store option. For app-image type jpackage will select "Developer ID Application: <name>" and for pkg type it will select "Developer ID Installer: <name>". If --mac-app-store is specified, then "3rd Party Mac Developer Application: <name>" and/or "3rd Party Mac Developer Installer: <name>" are selected. Apple provides additional types of certificates which can be used to sign application images: "Mac Developer: <name>", "Apple Development: <name>" and "Apple Distribution: <name>". Current signing CLI options available in jpackage are limited and cannot accommodate additional certificates and also limits users on how certificates are selected. For example "Developer ID Application: <name>" and "Developer ID Installer: <some_other_name>" cannot be used at same time. Once jpackage finds certificate it will pass full certificate name to --sign option of codesign and/or productbuild.

Solution

Add --mac-app-image-sign-identity and --mac-installer-sign-identity CLI options to jpackage to provide signing identity directly to codesign and productbuild tools which used to sign application images and installers generated by jpackage. Both codesign and productbuild have --sign identity and --sign identity-name options respectively and values of --mac-app-image-sign-identity and --mac-installer-sign-identity will be direct pass through to --sign option of codesign and/or productbuild. We will not do any validations of certificates in this case like we do with --mac-signing-key-user-name or we will not check if produced application image or installer got signed correctly. We will fail packaging if codesign and/or productbuild returns non-zero value in case of invalid signing identity.

Specification

Description of --mac-app-image-sign-identity option:

--mac-app-image-sign-identity <identity>
      Identity used to sign application image. This value will be passed directly to
      --sign option of "codesign" tool. This option cannot be combined with
      --mac-signing-key-user-name.

Description of --mac-installer-sign-identity option:

--mac-installer-sign-identity <identity>
      Identity used to sign "pkg" installer. This value will be passed directly to
      --sign option of "productbuild" tool. This option cannot be combined with
      --mac-signing-key-user-name.

Description of --mac-signing-key-user-name option will change to:

--mac-signing-key-user-name <team name>
      Team or user name portion of Apple signing identities. For direct control
      of the signing identity used to sign application images or installers use
      --mac-app-image-sign-identity and/or --mac-installer-sign-identity.
      This option cannot be combined with --mac-app-image-sign-identity
      or --mac-installer-sign-identity.

If "pkg" installer type is requested, but only --mac-app-image-sign-identity is specified, then installer will not be sign. If only --mac-installer-sign-identity is specified, then application image will not be sign, but installer will be sign. Warning will be provided in cases described above, in case if user forgot accidentally to specify both signing identities.