Support for "Apple Development" and "Apple Distribution" certificates#5238
Open
yannickpulver wants to merge 15 commits intoJetBrains:masterfrom
Open
Support for "Apple Development" and "Apple Distribution" certificates#5238yannickpulver wants to merge 15 commits intoJetBrains:masterfrom
yannickpulver wants to merge 15 commits intoJetBrains:masterfrom
Conversation
yannickpulver
changed the title
Member
|
Hi @yannickpulver, |
Author
|
Hi @kropp I tried last year but failed to validate it. I could try to give it another go, but if there's somebody internally working on that I'm happy to close it. |
…nd Mac Development certificates for macOS signing jpackage only recognizes "Developer ID Application" and "3rd Party Mac Developer Application" certificate prefixes — it prepends these to the identity, breaking newer Apple certificate types. Skip jpackage signing for unsupported cert types and let the existing MacSigner handle it. Also fixes passing raw identity instead of fullDeveloperID to jpackage. Fixes CMP-4272, relates to CMP-7651
jpackage only signs PKGs with "Developer ID Installer" and "3rd Party Mac Developer Installer" prefixes. For newer certificate types (Apple Distribution, Mac App Distribution), sign the PKG post-creation using productsign. Tries both "3rd Party Mac Developer Installer" and "Mac Installer Distribution" as candidates since Apple still issues certs with the legacy name despite documenting the new one.
- Remove unused isDevelopmentCertificate enum param - Remove unsupported Mac Developer certificate kind - Deduplicate certificate alias extraction between MacSigner and AbstractJPackageTask - Simplify PKG signing to single-attempt instead of retry loop - Inline isExplicitlyPrefixed property
Replace MacSigningIdentityInput with minimal ParsedSigningIdentity, move installer cert mapping onto the enum, derive appSigningKinds from entries instead of maintaining a manual list.
…panion Consolidate identity parsing into the enum. Data classes become pure data with no companions or factory methods.
Use matches.distinct() instead of linkedSetOf workaround. Convert matchesCandidateIdentity from String extension to plain function.
Replace narrow IllegalStateException catch with finally block that restores the unsigned PKG when signing fails for any reason.
…for PKG Remove MacAppDistribution, MacDevelopment, MacInstallerDistribution — Apple portal labels that don't match actual certificate common names. Add MacDeveloper (real CN for "Mac Development" portal cert). Always use productsign for PKG signing instead of jpackage --mac-sign, which fails with pre-signed app images. This fixes PKG signing for all cert types.
Author
|
Hi @kropp this should now be ready for review. Tested it in multiple projects and seems to work in the desired way. |
Member
|
@yannickpulver thanks, I'll take a look next week |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes CMP-4272 macOS signing failing with modern Apple certificates and bare signing identities.
What changed
Developer ID Application/Developer ID Installer(outside-App-Store distribution)Apple Distribution(App Store distribution, current)Apple Development(development, current)3rd Party Mac Developer Application/3rd Party Mac Developer Installer(App Store, legacy)Mac Developer(development, legacy)"John Doe") against all app-signing certificate types in the keychain instead of assuming onlyDeveloper ID Applicationproductsignfor PKG signing instead of relying onjpackage --mac-sign, which fails with pre-signed app imagesmatch, which provisionsApple Distributionand3rd Party Mac Developer Installercertificates — previously the plugin only recognizedDeveloper ID Applicationand3rd Party Mac Developer Applicationand was therefore not finding the right certs.Certificate naming clarification
Apple's Developer portal UI labels don't always match the actual certificate common names (CN) stored in the keychain. This PR only includes certificate types whose CN prefix has been verified against real keychains:
3rd Party Mac Developer Application3rd Party Mac Developer InstallerMac DeveloperApple DistributionApple DevelopmentTesting
createDistributablewith:Apple DevelopmentMac DeveloperpackageReleaseDmgwith:Developer ID Application— signed via jpackagepackageReleasePkgwith:Apple Distribution→productsignwith3rd Party Mac Developer Installer3rd Party Mac Developer Application→productsignwith3rd Party Mac Developer InstallerpackageReleasePkgfails with clear error for:Apple Development(dev certs can't sign PKGs)Developer ID Applicationwithout matchingDeveloper ID Installercertcodesign -dvvvandpkgutil --check-signaturemacos buildPkglane withApple DistributionidentityRelease Notes
Fixes - Desktop
productsignfor reliable PKG signing, and supports modern Apple certificate names including those provisioned by Fastlanematch