RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables
René Schünemann
rene.schuenemann at gmail.com
Mon Dec 9 16:05:10 UTC 2019
Hi,
for the macOS notarization process, all executables and libraries need
to be codesigned with hardened runtime (--options runtime) and secure
timestamp (--timestamp) enabled. Additionally, for the OpenJDK, certain
entitlements have to be set during codesigning:
* com.apple.security.cs.allow-jit
* com.apple.security.cs.allow-unsigned-executable-memory
* com.apple.security.cs.disable-executable-page-protection
* com.apple.security.cs.allow-dyld-environment-variables
* com.apple.security.cs.debugger
With this change the macOS codesign tool is being run for all native
executables and libraries.
Additionally, this change introduces a new configure option:
--with-macosx-codesign-identity
This option allows specifying a codesigning identity stored in the
macOS keychain.
When this option is not set, it falls back to "openjdk_codesign".
Thanks,
Rene
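
The signing step described in this mail, as an added example that is not part of the original message or of the OpenJDK change: it writes the five listed entitlements to a property list and signs every Mach-O file under a directory with hardened runtime and a secure timestamp. The function names, the `entitlements.plist` default path and the `DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added example, not the OpenJDK build's own code; names and DRY_RUN are assumptions.

# The five entitlements listed in the mail.
ENTITLEMENTS="com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.debugger"

# Write the entitlements property list that `codesign --entitlements` reads.
write_entitlements() {
  {
    echo '<?xml version="1.0" encoding="UTF-8"?>'
    echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
    echo '<plist version="1.0"><dict>'
    for we_key in $ENTITLEMENTS; do
      printf '  <key>%s</key><true/>\n' "$we_key"
    done
    echo '</dict></plist>'
  } > "$1"
}

# Print the signing command for one file: identity, entitlements plist, target.
codesign_cmd() {
  printf 'codesign --force --sign "%s" --options runtime --timestamp --entitlements "%s" "%s"\n' "$1" "$2" "$3"
}

# Sign every Mach-O file under a directory (file names with newlines unsupported).
# DRY_RUN=1 prints the commands instead of running codesign.
sign_tree() {
  st_dir=$1 st_id=${2:-openjdk_codesign} st_plist=${3:-entitlements.plist}
  write_entitlements "$st_plist"
  find "$st_dir" -type f | (
    st_rc=0
    while IFS= read -r st_f; do
      case $(file -b "$st_f") in *Mach-O*) ;; *) continue ;; esac
      if [ "${DRY_RUN:-0}" = 1 ]; then
        codesign_cmd "$st_id" "$st_plist" "$st_f"
      else
        codesign --force --sign "$st_id" --options runtime --timestamp \
          --entitlements "$st_plist" "$st_f" || st_rc=1
      fi
    done
    exit "$st_rc"   # non-zero if any file failed to sign
  )
}

# Usage: sh sign.sh <image-dir> [identity] [entitlements-plist]
if [ "$#" -gt 0 ]; then sign_tree "$@"; fi
```

On a macOS host, `codesign -d --entitlements :- <file>` and `codesign -dv <file>` show the entitlements and the runtime flag that ended up on a signed file.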