8246706: [macos] Allow SigningPackageTest to be built with real certi…
…ficates

Reviewed-by: asemenyuk, almatvee
Andy Herrick committed Jun 9, 2020
1 parent 976c469 commit b37d806d82467295173872094574fb5bf949c680
@@ -29,8 +29,14 @@
* Tests generation of app image with --mac-sign and related arguments. Test will
* generate app image and verify signature of main launcher and app bundle itself.
* This test requires that machine is configured with test certificate for
* "Developer ID Application: jpackage.openjdk.java.net" in jpackagerTest keychain with
* always allowed access to this keychain for user which runs test.
* "Developer ID Application: jpackage.openjdk.java.net" or alternately
* "Developer ID Application: " + name specified by system property:
* "jpackage.mac.signing.key.user.name"
* in the jpackagerTest keychain (or alternately the keychain specified with
* the system property "jpackage.mac.signing.keychain".
* If this certificate is self-signed, it must have be set to
* always allowe access to this keychain" for user which runs test.
* (If cert is real (not self signed), the do not set trust to allow.)
*/

/*
@@ -56,7 +62,7 @@ public static void main(String[] args) throws Exception {
JPackageCommand cmd = JPackageCommand.helloAppImage();
cmd.addArguments("--mac-sign", "--mac-signing-key-user-name",
SigningBase.DEV_NAME, "--mac-signing-keychain",
"jpackagerTest.keychain");
SigningBase.KEYCHAIN);
cmd.executeAndAssertHelloAppImageCreated();

Path launcherPath = cmd.appLauncherPath();
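Review bot: The keychain-trust instructions in the new header comment (first hunk) are garbled exactly where the setup matters: `it must have be set to always allowe access to this keychain"` has typos and an unmatched quote, the parenthesis opened at `(or alternately the keychain specified with` is never closed, and `the do not set trust to allow` drops a word. Suggested wording: `* If this certificate is self-signed, it must be set to "always allow access to this keychain" for the user which runs the test.` followed by `* (If the certificate is real, i.e. not self-signed, do not set trust to allow.)`. This comment is what tells whoever provisions the machine when a certificate should and should not be given blanket trust, so it needs to read unambiguously.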
@@ -26,11 +26,18 @@
import jdk.jpackage.test.*;

/**
* Tests generation of dmg and pkg with --mac-sign and related arguments. Test will
* generate pkg and verifies its signature. It verifies that dmg is not signed, but app
* image inside dmg is signed. This test requires that machine is configured with test
* certificate for "Developer ID Installer: jpackage.openjdk.java.net" in jpackagerTest
* keychain with always allowed access to this keychain for user which runs test.
* Tests generation of dmg and pkg with --mac-sign and related arguments.
* Test will generate pkg and verifies its signature. It verifies that dmg
* is not signed, but app image inside dmg is signed. This test requires that
* the machine is configured with test certificate for
* "Developer ID Installer: jpackage.openjdk.java.net" in
* jpackagerTest keychain with
* always allowed access to this keychain for user which runs test.
* note:
* "jpackage.openjdk.java.net" can be over-ridden by systerm property
* "jpackage.mac.signing.key.user.name", and
* "jpackagerTest" can be over-ridden by system property
* "jpackage.mac.signing.keychain"
*/

/*
@@ -80,7 +87,7 @@ public static void main(String[] args) throws Exception {
.addInitializer(cmd -> {
cmd.addArguments("--mac-sign",
"--mac-signing-key-user-name", SigningBase.DEV_NAME,
"--mac-signing-keychain", "jpackagerTest.keychain");
"--mac-signing-keychain", SigningBase.KEYCHAIN);
})
.forTypes(PackageType.MAC_PKG)
.addBundleVerifier(SigningPackageTest::verifyPKG)
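Review bot: The updated header comment still asks for `always allowed access to this keychain` unconditionally, while the comment on the app-image signing test in this same commit limits that to self-signed certificates and says a real certificate should not have trust set to allow; the two descriptions should agree. I would add the same caveat after the keychain sentence, e.g. `* (Only for a self-signed certificate; do not set trust to allow for a real one.)`. In the added note, `systerm property` should also read `system property`.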
@@ -30,16 +30,22 @@

public class SigningBase {

public static String DEV_NAME = "jpackage.openjdk.java.net";
public static String APP_CERT
= "Developer ID Application: " + DEV_NAME;
public static String INSTALLER_CERT
= "Developer ID Installer: " + DEV_NAME;
public static String KEYCHAIN = "jpackagerTest.keychain";
public static String DEV_NAME;
public static String APP_CERT;
public static String INSTALLER_CERT;
public static String KEYCHAIN;
static {
String value = System.getProperty("jpackage.mac.signing.key.user.name");
DEV_NAME = (value == null) ? "jpackage.openjdk.java.net" : value;
APP_CERT = "Developer ID Application: " + DEV_NAME;
INSTALLER_CERT = "Developer ID Installer: " + DEV_NAME;
value = System.getProperty("jpackage.mac.signing.keychain");
KEYCHAIN = (value == null) ? "jpackagerTest.keychain" : value;
}

private static void checkString(List<String> result, String lookupString) {
TKit.assertTextStream(lookupString).predicate(
(line, what) -> line.trim().equals(what)).apply(result.stream());
(line, what) -> line.trim().contains(what)).apply(result.stream());
}

private static List<String> codesignResult(Path target, boolean signed) {
@@ -92,8 +98,6 @@ private static void verifySpctlResult(List<String> output, Path target,
if (exitCode == 0) {
lookupString = target.toString() + ": accepted";
checkString(output, lookupString);
lookupString = "source=" + DEV_NAME;
checkString(output, lookupString);
} else if (exitCode == 3) {
// allow failure purely for not being notarized
lookupString = target.toString() + ": rejected";
@@ -120,7 +124,7 @@ private static List<String> pkgutilResult(Path target) {

private static void verifyPkgutilResult(List<String> result) {
result.stream().forEachOrdered(TKit::trace);
String lookupString = "Status: signed by a certificate trusted for current user";
String lookupString = "Status: signed by";
checkString(result, lookupString);
lookupString = "1. " + INSTALLER_CERT;
checkString(result, lookupString);
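Review bot: `checkString` now matches with `line.trim().contains(what)`, which relaxes every assertion routed through it rather than only the certificate-name lookups (such as `"1. " + INSTALLER_CERT`) that have to tolerate a real certificate's longer subject. Together with the shortened `"Status: signed by"` lookup in `verifyPkgutilResult` and the dropped `"source=" + DEV_NAME` check in the spctl branch, a package whose signer is reported as something other than trusted would presumably still pass these verifiers. I would keep `(line, what) -> line.trim().equals(what)` in `checkString`, add a separate substring variant used only for the certificate-name lines, and compare the pkgutil status against the specific status strings the test is meant to accept. The page has lost its +/- markers, so this reads the second line of each printed pair as the new side; `verifySpctlResult` and `verifyPkgutilResult` continue outside the hunks shown.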
