alexeysemenyukoracle
diff --git a/‎src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/AppImageSigningConfigBuilder.java
Lines changed: 87 additions & 0 deletions b/‎src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/AppImageSigningConfigBuilder.java
Lines changed: 87 additions & 0 deletions
diff --git a/‎src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/CodesignConfig.java
Lines changed: 33 additions & 7 deletions b/‎src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/CodesignConfig.java
Lines changed: 33 additions & 7 deletions
diff --git a/‎src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacApplicationBuilder.java
Lines changed: 4 additions & 4 deletions b/‎src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacApplicationBuilder.java
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacCertificateUtils.java
Lines changed: 20 additions & 6 deletions b/‎src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacCertificateUtils.java
Lines changed: 20 additions & 6 deletions
diff --git a/‎src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacFromParams.java
Lines changed: 27 additions & 28 deletions b/‎src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacFromParams.java
Lines changed: 27 additions & 28 deletions
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package jdk.jpackage.internal;
+
+import java.nio.file.Path;
+import java.util.Objects;
+import java.util.Optional;
+import jdk.jpackage.internal.model.AppImageSigningConfig;
+import jdk.jpackage.internal.model.ConfigException;
+import jdk.jpackage.internal.model.LauncherStartupInfo;
+
+final class AppImageSigningConfigBuilder {
+
+    AppImageSigningConfigBuilder(SigningIdentityBuilder signingIdentityBuilder) {
+        this.signingIdentityBuilder = Objects.requireNonNull(signingIdentityBuilder);
+    }
+
+    AppImageSigningConfigBuilder entitlements(Path v) {
+        entitlements = v;
+        return this;
+    }
+
+    AppImageSigningConfigBuilder entitlementsResourceName(String v) {
+        entitlementsResourceName = v;
+        return this;
+    }
+
+    AppImageSigningConfigBuilder signingIdentifierPrefix(LauncherStartupInfo mainLauncherStartupInfo) {
+        final var pkgName = mainLauncherStartupInfo.packageName();
+        if (!pkgName.isEmpty()) {
+            signingIdentifierPrefix(pkgName + ".");
+        } else {
+            signingIdentifierPrefix(mainLauncherStartupInfo.simpleClassName() + ".");
+        }
+        return this;
+    }
+
+    AppImageSigningConfigBuilder signingIdentifierPrefix(String v) {
+        signingIdentifierPrefix = v;
+        return this;
+    }
+
+    Optional<AppImageSigningConfig> create() throws ConfigException {
+        final var identityCfg = signingIdentityBuilder.create();
+        if (identityCfg.isEmpty()) {
+            return Optional.empty();
+        } else {
+            final var validatedEntitlements = validatedEntitlements();
+            return identityCfg.map(cfg -> {
+                return new AppImageSigningConfig.Stub(cfg.identity(), signingIdentifierPrefix,
+                        validatedEntitlements, cfg.keychain().map(Keychain::name),
+                        Optional.ofNullable(entitlementsResourceName).orElse("sandbox.plist"));
+            });
+        }
+    }
+
+    private Optional<Path> validatedEntitlements() throws ConfigException {
+        return Optional.ofNullable(entitlements);
+    }
+
+    private SigningIdentityBuilder signingIdentityBuilder;
+    private Path entitlements;
+    private String entitlementsResourceName;
+    private String signingIdentifierPrefix;
+}
@@ -27,22 +27,40 @@
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;
 import java.util.Optional;
-import jdk.jpackage.internal.model.SigningConfig;
+import jdk.jpackage.internal.model.AppImageSigningConfig;
 import jdk.jpackage.internal.model.SigningIdentity;
 import jdk.jpackage.internal.util.PathUtils;
 
 
-record CodesignConfig(Optional<SigningIdentity> identity,
+record CodesignConfig(Optional<SigningIdentity> identity, Optional<String> identifierPrefix,
         Optional<Path> entitlements, Optional<Keychain> keychain) {
 
+    CodesignConfig {
+        Objects.requireNonNull(identity);
+        Objects.requireNonNull(identifierPrefix);
+        Objects.requireNonNull(entitlements);
+        Objects.requireNonNull(keychain);
+
+        if (identity.isPresent() != identifierPrefix.isPresent()) {
+            throw new IllegalArgumentException("Signing identity and identifier prefix mismatch");
+        }
+
+        identifierPrefix.ifPresent(v -> {
+            if (!v.endsWith(".")) {
+                throw new IllegalArgumentException("Invalid identifier prefix");
+            }
+        });
+    }
+
     static final class Builder {
 
         private Builder() {
         }
 
         CodesignConfig create() {
-            return new CodesignConfig(Optional.ofNullable(identity),
+            return new CodesignConfig(Optional.ofNullable(identity), Optional.ofNullable(identifierPrefix),
                     Optional.ofNullable(entitlements), Optional.ofNullable(keychain));
         }
 
@@ -56,6 +74,11 @@ Builder identity(SigningIdentity v) {
             return this;
         }
 
+        Builder identifierPrefix(String v) {
+            identifierPrefix = v;
+            return this;
+        }
+
         Builder keychain(String v) {
             return keychain(new Keychain(v));
         }
@@ -65,19 +88,22 @@ Builder keychain(Keychain v) {
             return this;
         }
 
-        Builder from(SigningConfig v) {
-            return identity(v.identity().orElse(null))
+        Builder from(AppImageSigningConfig v) {
+            return identity(v.identity())
+                    .identifierPrefix(v.identifierPrefix())
                     .entitlements(v.entitlements().orElse(null))
                     .keychain(v.keychain().orElse(null));
         }
 
         Builder from(CodesignConfig v) {
             return identity(v.identity().orElse(null))
+                    .identifierPrefix(v.identifierPrefix().orElse(null))
                     .entitlements(v.entitlements().orElse(null))
                     .keychain(v.keychain().orElse(null));
         }
 
         private SigningIdentity identity;
+        private String identifierPrefix;
         private Path entitlements;
         private Keychain keychain;
     }
@@ -91,8 +117,8 @@ List<String> toCodesignArgs() {
 
         if (identity.isPresent()) {
             args.addAll(List.of("--timestamp", "--options", "runtime"));
-            identity.flatMap(SigningIdentity::prefix).ifPresent(identifierPrefix -> {
-                args.addAll(List.of("--prefix", identifierPrefix));
+            identifierPrefix.ifPresent(v -> {
+                args.addAll(List.of("--prefix", v));
             });
             keychain.map(Keychain::asCliArg).ifPresent(k -> args.addAll(List.of("--keychain", k)));
             entitlements.map(PathUtils::normalizedAbsolutePathString).ifPresent(e -> args.addAll(List.of("--entitlements", e)));
 
@@ -34,7 +34,7 @@
 import jdk.jpackage.internal.model.Launcher;
 import jdk.jpackage.internal.model.MacApplication;
 import jdk.jpackage.internal.model.MacApplicationMixin;
-import jdk.jpackage.internal.model.SigningConfig;
+import jdk.jpackage.internal.model.AppImageSigningConfig;
 
 final class MacApplicationBuilder {
 
@@ -83,7 +83,7 @@ MacApplicationBuilder externalInfoPlistFile(Path v) {
         return this;
     }
 
-    MacApplicationBuilder signingBuilder(SigningConfigBuilder v) {
+    MacApplicationBuilder signingBuilder(AppImageSigningConfigBuilder v) {
         signingBuilder = v;
         return this;
     }
@@ -154,7 +154,7 @@ private MacApplicationBuilder createCopyForExternalInfoPlistFile() throws Config
         }
     }
 
-    private Optional<SigningConfig> createSigningConfig() throws ConfigException {
+    private Optional<AppImageSigningConfig> createSigningConfig() throws ConfigException {
         if (signingBuilder != null) {
             return signingBuilder.create();
         } else {
@@ -224,7 +224,7 @@ private record Defaults(String category) {
     private String category;
     private boolean appStore;
     private Path externalInfoPlistFile;
-    private SigningConfigBuilder signingBuilder;
+    private AppImageSigningConfigBuilder signingBuilder;
 
     private final Application app;
 
 
@@ -25,12 +25,13 @@
 
 package jdk.jpackage.internal;
 
-import static jdk.jpackage.internal.util.CollectionUtils.toCollectionUBW;
 import static jdk.jpackage.internal.util.function.ThrowingSupplier.toSupplier;
 
+import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -51,7 +52,7 @@ public static Collection<X509Certificate> findCertificates(Optional<Keychain> ke
         args.add("-p"); // PEM format
         keychain.map(Keychain::asCliArg).ifPresent(args::add);
 
-        return toCollectionUBW(toSupplier(() -> {
+        return toSupplier(() -> {
             final var output = Executor.of(args.toArray(String[]::new))
                     .setQuiet(true).saveOutput(true).executeExpectSuccess()
                     .getOutput();
@@ -61,11 +62,24 @@ public static Collection<X509Certificate> findCertificates(Optional<Keychain> ke
                             MacCertificateUtils::append,
                             MacCertificateUtils::append).toString().getBytes(StandardCharsets.US_ASCII);
 
-            try (var in = new ByteArrayInputStream(pemCertificatesBuffer)) {
-                final var cf = CertificateFactory.getInstance("X.509");
-                return cf.generateCertificates(in);
+            final var cf = CertificateFactory.getInstance("X.509");
+
+            Collection<X509Certificate> certs = new ArrayList<>();
+
+            try (var in = new BufferedInputStream(new ByteArrayInputStream(pemCertificatesBuffer))) {
+                while (in.available() > 0) {
+                    final X509Certificate cert;
+                    try {
+                        cert = (X509Certificate)cf.generateCertificate(in);
+                    } catch (CertificateException ex) {
+                        // Not a valid X505 certificate, silently ignore.
+                        continue;
+                    }
+                    certs.add(cert);
+                }
             }
-        }).get());
+            return certs;
+        }).get();
     }
 
     record CertificateHash(byte[] value) {
 
@@ -56,7 +56,7 @@
 import java.util.Optional;
 import java.util.function.Predicate;
 import jdk.jpackage.internal.ApplicationBuilder.MainLauncherStartupInfo;
-import jdk.jpackage.internal.SigningConfigBuilder.StandardCertificateSelector;
+import jdk.jpackage.internal.SigningIdentityBuilder.StandardCertificateSelector;
 import jdk.jpackage.internal.model.Application;
 import jdk.jpackage.internal.model.ApplicationLaunchers;
 import jdk.jpackage.internal.model.ConfigException;
@@ -130,25 +130,29 @@ private static MacApplication createMacApplication(
         appBuilder.appStore(appStore);
 
         if (sign) {
-            final var signingBuilder = createSigningConfigBuilder(params, app);
-            if (appStore) {
-                signingBuilder.entitlementsResourceName("entitlements.plist");
-            }
-
-            ENTITLEMENTS.copyInto(params, signingBuilder::entitlements);
-            APP_IMAGE_SIGN_IDENTITY.copyInto(params, signingBuilder::signingIdentity);
-
+            final var signingIdentityBuilder = createSigningIdentityBuilder(params, app);
+            APP_IMAGE_SIGN_IDENTITY.copyInto(params, signingIdentityBuilder::signingIdentity);
             SIGNING_KEY_USER.findIn(params).ifPresent(userName -> {
-                final StandardCertificateSelector filter;
+                final StandardCertificateSelector domain;
                 if (appStore) {
-                    filter = StandardCertificateSelector.APP_STORE_APP_IMAGE;
+                    domain = StandardCertificateSelector.APP_STORE_APP_IMAGE;
                 } else {
-                    filter = StandardCertificateSelector.APP_IMAGE;
+                    domain = StandardCertificateSelector.APP_IMAGE;
                 }
 
-                signingBuilder.addCertificateSelectors(StandardCertificateSelector.create(userName, filter));
+                signingIdentityBuilder.certificateSelector(StandardCertificateSelector.create(userName, domain));
             });
 
+            final var signingBuilder = new AppImageSigningConfigBuilder(signingIdentityBuilder);
+            if (appStore) {
+                signingBuilder.entitlementsResourceName("entitlements.plist");
+            }
+
+            app.mainLauncher().flatMap(Launcher::startupInfo).ifPresent(signingBuilder::signingIdentifierPrefix);
+            SIGN_IDENTIFIER_PREFIX.copyInto(params, signingBuilder::signingIdentifierPrefix);
+
+            ENTITLEMENTS.copyInto(params, signingBuilder::entitlements);
+
             appBuilder.signingBuilder(signingBuilder);
         }
 
@@ -195,32 +199,27 @@ private static MacPkgPackage createMacPkgPackage(
         final boolean appStore = APP_STORE.findIn(params).orElse(false);
 
         if (sign) {
-            final var signingBuilder = createSigningConfigBuilder(params, app);
-            INSTALLER_SIGN_IDENTITY.copyInto(params, signingBuilder::signingIdentity);
-
+            final var signingIdentityBuilder = createSigningIdentityBuilder(params, app);
+            INSTALLER_SIGN_IDENTITY.copyInto(params, signingIdentityBuilder::signingIdentity);
             SIGNING_KEY_USER.findIn(params).ifPresent(userName -> {
-                final List<StandardCertificateSelector> filters;
+                final StandardCertificateSelector domain;
                 if (appStore) {
-                    filters = List.of(StandardCertificateSelector.APP_STORE_PKG_INSTALLER);
+                    domain = StandardCertificateSelector.APP_STORE_PKG_INSTALLER;
                 } else {
-                    filters = List.of(StandardCertificateSelector.PKG_INSTALLER);
+                    domain = StandardCertificateSelector.PKG_INSTALLER;
                 }
 
-                for (final var filter : filters) {
-                    signingBuilder.addCertificateSelectors(StandardCertificateSelector.create(userName, filter));
-                }
+                signingIdentityBuilder.certificateSelector(StandardCertificateSelector.create(userName, domain));
             });
 
-            pkgBuilder.signingBuilder(signingBuilder);
+            pkgBuilder.signingBuilder(signingIdentityBuilder);
         }
 
         return pkgBuilder.create();
     }
 
-    private static SigningConfigBuilder createSigningConfigBuilder(Map<String, ? super Object> params, Application app) {
-        final var builder = new SigningConfigBuilder();
-        app.mainLauncher().flatMap(Launcher::startupInfo).ifPresent(builder::signingIdentityPrefix);
-        BUNDLE_ID_SIGNING_PREFIX.copyInto(params, builder::signingIdentityPrefix);
+    private static SigningIdentityBuilder createSigningIdentityBuilder(Map<String, ? super Object> params, Application app) {
+        final var builder = new SigningIdentityBuilder();
         SIGNING_KEYCHAIN.copyInto(params, builder::keychain);
         return builder;
     }
@@ -264,7 +263,7 @@ private static MacFileAssociation createMacFa(FileAssociation fa, Map<String, ?
     static final BundlerParamInfo<String> MAC_CF_BUNDLE_IDENTIFIER = createStringBundlerParam(
             Arguments.CLIOptions.MAC_BUNDLE_IDENTIFIER.getId());
 
-    static final BundlerParamInfo<String> BUNDLE_ID_SIGNING_PREFIX = createStringBundlerParam(
+    static final BundlerParamInfo<String> SIGN_IDENTIFIER_PREFIX = createStringBundlerParam(
             Arguments.CLIOptions.MAC_BUNDLE_SIGNING_PREFIX.getId());
 
     static final BundlerParamInfo<String> APP_IMAGE_SIGN_IDENTITY = createStringBundlerParam(