Support for "Apple Development" and "Apple Distribution" certificates

[yannickpulver]

Fixes CMP-4272 macOS signing failing with modern Apple certificates and bare signing identities.

What changed

• Adds support for modern Apple certificate names:
  • Apple Development
  • Mac Development
  • Apple Distribution
  • Mac App Distribution
• Keeps compatibility with legacy certificate names still used by jpackage and existing keychains:
  • 3rd Party Mac Developer Application
  • 3rd Party Mac Developer Installer
  • Mac Developer
• Resolves bare signing identities against actual keychain certificates instead of assuming only Developer ID Application
• Fails with a clear error when multiple matching certificates are found
• Uses productsign for PKG signing when jpackage cannot sign newer distribution certificate types
• Fails early for invalid PKG signing combinations such as development certificates

Testing

• Added unit tests for certificate resolution and PKG signing compatibility
• Verified createDistributable with modern certificate resolution
• Verified packagePkg end-to-end with:
  • Apple Distribution
  • matching installer certificate (3rd Party Mac Developer Installer)
• Verified against a real Compose app in Gridline:
  • draft verification PR: yannickpulver/gridline#3
  • :composeApp:packageReleasePkg -PappStore=true succeeded and produced a signed .pkg
  • :composeApp:packageReleaseDmg succeeded and produced a .dmg containing a signed .app
• Public sample project:
  • compose-signing-test

Release Notes

Fixes - Desktop

• Improves macOS certificate resolution and PKG signing for modern Apple signing certificates

[kropp]

Hi @yannickpulver,
do you plan to continue working on this PR?

[yannickpulver]

Hi @kropp I tried last year but failed to validate it. I could try to give it another go, but if there's somebody internally working on that I'm happy to close it.