Most .pkg signing tests pass

alexeysemenyukoracle · alexeysemenyukoracle · commit f9e3dd3b7297 · 2025-03-26T18:08:38.000-04:00
diff --git a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacApplicationBuilder.java b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacApplicationBuilder.java
@@ -156,7 +156,7 @@ private MacApplicationBuilder createCopyForExternalInfoPlistFile() throws Config
 
     private Optional<SigningConfig> createSigningConfig() throws ConfigException {
         if (signingBuilder != null) {
-            return Optional.of(signingBuilder.create());
+            return signingBuilder.create();
         } else {
             return Optional.empty();
         }
diff --git a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacFromParams.java b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacFromParams.java
@@ -55,18 +55,19 @@
 import java.util.Map;
 import java.util.Optional;
 import java.util.function.Predicate;
+import jdk.jpackage.internal.ApplicationBuilder.MainLauncherStartupInfo;
 import jdk.jpackage.internal.SigningConfigBuilder.StandardCertificateSelector;
+import jdk.jpackage.internal.model.Application;
+import jdk.jpackage.internal.model.ApplicationLaunchers;
 import jdk.jpackage.internal.model.ConfigException;
 import jdk.jpackage.internal.model.FileAssociation;
-import jdk.jpackage.internal.model.ApplicationLaunchers;
 import jdk.jpackage.internal.model.Launcher;
 import jdk.jpackage.internal.model.MacApplication;
 import jdk.jpackage.internal.model.MacDmgPackage;
 import jdk.jpackage.internal.model.MacFileAssociation;
 import jdk.jpackage.internal.model.MacLauncher;
 import jdk.jpackage.internal.model.MacPkgPackage;
 import jdk.jpackage.internal.model.RuntimeLayout;
-import static jdk.jpackage.internal.ApplicationBuilder.MainLauncherStartupInfo;
 
 
 final class MacFromParams {
@@ -128,16 +129,24 @@ private static MacApplication createMacApplication(
         appBuilder.appStore(appStore);
 
         if (sign) {
-            final var signingBuilder = new SigningConfigBuilder();
-            app.mainLauncher().flatMap(Launcher::startupInfo).ifPresent(signingBuilder::signingIdentityPrefix);
-            BUNDLE_ID_SIGNING_PREFIX.copyInto(params, signingBuilder::signingIdentityPrefix);
-            SIGNING_KEYCHAIN.copyInto(params, signingBuilder::keychain);
+            final var signingBuilder = createSigningConfigBuilder(params, app);
+            if (appStore) {
+                signingBuilder.entitlementsResourceName("entitlements.plist");
+            }
+
             ENTITLEMENTS.copyInto(params, signingBuilder::entitlements);
             APP_IMAGE_SIGN_IDENTITY.copyInto(params, signingBuilder::signingIdentity);
 
-            final var filter = appStore ? StandardCertificateSelector.APP_STORE_APP_IMAGE : StandardCertificateSelector.APP_IMAGE;
+            SIGNING_KEY_USER.findIn(params).ifPresent(userName -> {
+                final StandardCertificateSelector filter;
+                if (appStore) {
+                    filter = StandardCertificateSelector.APP_STORE_APP_IMAGE;
+                } else {
+                    filter = StandardCertificateSelector.APP_IMAGE;
+                }
 
-            signingBuilder.addCertificateSelectors(StandardCertificateSelector.create(SIGNING_KEY_USER.findIn(params), filter));
+                signingBuilder.addCertificateSelectors(StandardCertificateSelector.create(userName, filter));
+            });
 
             appBuilder.signingBuilder(signingBuilder);
         }
@@ -168,9 +177,40 @@ private static MacPkgPackage createMacPkgPackage(
 
         final var pkgBuilder = new MacPkgPackageBuilder(superPkgBuilder);
 
+        final boolean sign = SIGN_BUNDLE.findIn(params).orElse(false);
+        final boolean appStore = APP_STORE.findIn(params).orElse(false);
+
+        if (sign) {
+            final var signingBuilder = createSigningConfigBuilder(params, app);
+            INSTALLER_SIGN_IDENTITY.copyInto(params, signingBuilder::signingIdentity);
+
+            SIGNING_KEY_USER.findIn(params).ifPresent(userName -> {
+                final List<StandardCertificateSelector> filters;
+                if (appStore) {
+                    filters = List.of(StandardCertificateSelector.APP_STORE_PKG_INSTALLER);
+                } else {
+                    filters = List.of(StandardCertificateSelector.PKG_INSTALLER);
+                }
+
+                for (final var filter : filters) {
+                    signingBuilder.addCertificateSelectors(StandardCertificateSelector.create(userName, filter));
+                }
+            });
+
+            pkgBuilder.signingBuilder(signingBuilder);
+        }
+
         return pkgBuilder.create();
     }
 
+    private static SigningConfigBuilder createSigningConfigBuilder(Map<String, ? super Object> params, Application app) {
+        final var builder = new SigningConfigBuilder();
+        app.mainLauncher().flatMap(Launcher::startupInfo).ifPresent(builder::signingIdentityPrefix);
+        BUNDLE_ID_SIGNING_PREFIX.copyInto(params, builder::signingIdentityPrefix);
+        SIGNING_KEYCHAIN.copyInto(params, builder::keychain);
+        return builder;
+    }
+
     private static MacFileAssociation createMacFa(FileAssociation fa, Map<String, ? super Object> params) {
 
         final var builder = new MacFileAssociationBuilder();
@@ -216,6 +256,9 @@ private static MacFileAssociation createMacFa(FileAssociation fa, Map<String, ?
     static final BundlerParamInfo<String> APP_IMAGE_SIGN_IDENTITY = createStringBundlerParam(
             Arguments.CLIOptions.MAC_APP_IMAGE_SIGN_IDENTITY.getId());
 
+    static final BundlerParamInfo<String> INSTALLER_SIGN_IDENTITY = createStringBundlerParam(
+            Arguments.CLIOptions.MAC_INSTALLER_SIGN_IDENTITY.getId());
+
     private static final BundlerParamInfo<String> PACKAGE_TYPE = createStringBundlerParam(
             Arguments.CLIOptions.PACKAGE_TYPE.getId());
 
diff --git a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacPkgPackageBuilder.java b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/MacPkgPackageBuilder.java
@@ -50,7 +50,7 @@ MacPkgPackage create() throws ConfigException {
 
     private Optional<SigningConfig> createSigningConfig() throws ConfigException {
         if (signingBuilder != null) {
-            return Optional.of(signingBuilder.create());
+            return signingBuilder.create();
         } else {
             return Optional.empty();
         }
diff --git a/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/SigningConfigBuilder.java b/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal/SigningConfigBuilder.java
@@ -87,9 +87,19 @@ SigningConfigBuilder entitlements(Path v) {
         return this;
     }
 
-    SigningConfig create() throws ConfigException {
-        return new SigningConfig.Stub(validatedSigningIdentity(), validatedEntitlements(),
-                validatedKeychain().map(Keychain::name), "sandbox.plist");
+    SigningConfigBuilder entitlementsResourceName(String v) {
+        entitlementsResourceName = v;
+        return this;
+    }
+
+    Optional<SigningConfig> create() throws ConfigException {
+        if (signingIdentity == null && certificateSelectors.isEmpty()) {
+            return Optional.empty();
+        } else {
+            return Optional.of(new SigningConfig.Stub(validatedSigningIdentity(), validatedEntitlements(),
+                    validatedKeychain().map(Keychain::name),
+                    Optional.ofNullable(entitlementsResourceName).orElse("sandbox.plist")));
+        }
     }
 
     private Optional<Path> validatedEntitlements() throws ConfigException {
@@ -239,12 +249,12 @@ enum StandardCertificateSelector {
             this.prefixes = List.of(prefixes);
         }
 
-        static List<CertificateSelector> create(Optional<String> certificateName, StandardCertificateSelector defaultSelector) {
-            return certificateName.flatMap(StandardCertificatePrefix::findStandardCertificatePrefix).map(prefix -> {
-                return new CertificateSelector(prefix.value(), certificateName.orElseThrow().substring(prefix.value().length()));
+        static List<CertificateSelector> create(String certificateName, StandardCertificateSelector defaultSelector) {
+            return StandardCertificatePrefix.findStandardCertificatePrefix(certificateName).map(prefix -> {
+                return new CertificateSelector(prefix.value(), certificateName.substring(prefix.value().length()));
             }).map(List::of).orElseGet(() -> {
                 return defaultSelector.prefixes.stream().map(prefix -> {
-                    return new CertificateSelector(prefix.value(), certificateName.orElse(""));
+                    return new CertificateSelector(prefix.value(), certificateName);
                 }).toList();
             });
         }
@@ -257,4 +267,5 @@ static List<CertificateSelector> create(Optional<String> certificateName, Standa
     private List<CertificateSelector> certificateSelectors = new ArrayList<>();
     private String keychain;
     private Path entitlements;
+    private String entitlementsResourceName;
 }

Original file line number	Diff line number	Diff line change
`@@ -156,7 +156,7 @@ private MacApplicationBuilder createCopyForExternalInfoPlistFile() throws Config`
`156`	`156`
`157`	`157`	`private Optional<SigningConfig> createSigningConfig() throws ConfigException {`
`158`	`158`	`if (signingBuilder != null) {`
`159`		`- return Optional.of(signingBuilder.create());`
	`159`	`+ return signingBuilder.create();`
`160`	`160`	`} else {`
`161`	`161`	`return Optional.empty();`
`162`	`162`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ MacPkgPackage create() throws ConfigException {`
`50`	`50`
`51`	`51`	`private Optional<SigningConfig> createSigningConfig() throws ConfigException {`
`52`	`52`	`if (signingBuilder != null) {`
`53`		`- return Optional.of(signingBuilder.create());`
	`53`	`+ return signingBuilder.create();`
`54`	`54`	`} else {`
`55`	`55`	`return Optional.empty();`
`56`	`56`	`}`