8361224: [macos] MacSignTest.testMultipleCertificates failed #26275
Conversation
|
👋 Welcome back almatvee! A progress list of the required criteria for merging this PR into |
|
@sashamatveev This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 12 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
|
@sashamatveev The following label will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command. |
Test updated to expect
jpackageto PASS in case of--mac-signing-key-user-nameand FAIL in case of-mac-app-image-sign-identity. See explanation below.Case 1: Only common name of certificate is used (PASS):
jpackage --type dmg -i input -n Test --main-class components.DynamicTreeDemo --main-jar DynamicTreeDemo.jar --mac-sign --mac-signing-keychain jpackagerTest-duplicate.keychain --mac-signing-key-user-name jpackage.openjdk.java.net
[10:02:37.545] WARNING: Multiple certificates found matching [Developer ID Application: jpackage.openjdk.java.net] using keychain [jpackagerTest-duplicate.keychain], using first one
Actual codesign command in PASS case:
/usr/bin/codesign -s CBDE500D7ED18E08F6DF852A5D23D8C7113EB30C -vvvv --timestamp --options runtime --prefix components. --keychain jpackagerTest-duplicate.keychain --force /var/folders/dr/65dj5x3j0296mqtsn9z27xc80000gn/T/jdk.jpackage3439321874841533317/image/Test.app
CBDE500D7ED18E08F6DF852A5D23D8C7113EB30C is hash of certificate which exist in both jpackagerTest.keychain and jpackagerTest-duplicate.keychain. Based on man page documentation it is allowed. When hash is used codesign will not perform any search of certificates based on man page. So codesign will not fail which is expected.
Case 2: Full name of certificate is used (FAIL):
jpackage --type dmg -i input -n Test --main-class components.DynamicTreeDemo --main-jar DynamicTreeDemo.jar --mac-sign --mac-signing-keychain jpackagerTest-duplicate.keychain --mac-app-image-sign-identity "Developer ID Application: jpackage.openjdk.java.net"
Error: "codesign" failed with following output:
Developer ID Application: jpackage.openjdk.java.net: found in both /Users/alexander/Library/Keychains/jpackagerTest.keychain-db and /Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db (this is all right)
Developer ID Application: jpackage.openjdk.java.net: ambiguous (matches "Developer ID Application: jpackage.openjdk.java.net" in /Users/alexander/Library/Keychains/jpackagerTest.keychain-db and "Developer ID Application: jpackage.openjdk.java.net" in /Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db)
Actual codesign command in FAIL case:
/usr/bin/codesign -s Developer ID Application: jpackage.openjdk.java.net -vvvv --timestamp --options runtime --prefix components. --keychain jpackagerTest-duplicate.keychain /var/folders/dr/65dj5x3j0296mqtsn9z27xc80000gn/T/jdk.jpackage12899615926124631029/image/Test.app/Contents/runtime/Contents/Home/lib/libnet.dylib
[11:20:45.113] Output:
Developer ID Application: jpackage.openjdk.java.net: found in both /Users/alexander/Library/Keychains/jpackagerTest.keychain-db and /Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db (this is all right)
Developer ID Application: jpackage.openjdk.java.net: ambiguous (matches "Developer ID Application: jpackage.openjdk.java.net" in /Users/alexander/Library/Keychains/jpackagerTest.keychain-db and "Developer ID Application: jpackage.openjdk.java.net" in /Users/alexander/Library/Keychains/jpackagerTest-duplicate.keychain-db)
Full certificate name is being passed since --mac-app-image-sign-identity is used which is pass through. In this case codesign will perform search and finds duplicated certificate and fails, since it does not know which one to use. Based on man page it is expected.
Suggested fix:
Case when --mac-signing-key-user-name is used. jpackage should PASS, since jpackage performs certificate search and selects first one with warning by design.
Case when --mac-app-image-sign-identity is used. jpackage should FAIL, since codesign selects certificate based on --mac-app-image-sign-identity.
Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/26275/head:pull/26275$ git checkout pull/26275Update a local copy of the PR:
$ git checkout pull/26275$ git pull https://git.openjdk.org/jdk.git pull/26275/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 26275View PR using the GUI difftool:
$ git pr show -t 26275Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/26275.diff
Using Webrev
Link to Webrev Comment