RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables
René Schünemann
rene.schuenemann at gmail.com
Mon Dec 9 16:06:00 UTC 2019
Here is the webrev:
http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/01/
On Mon, Dec 9, 2019 at 5:05 PM René Schünemann
<rene.schuenemann at gmail.com> wrote:
>
> Hi,
>
> for the macOS notarization process, all executables and libraries need
> to be codesigned with hardened runtime (--options runtime) and secure
> timestamp (--timestamp) enabled. Additionally for the OpenJDK certain
> entitlements have to be set during codesigning:
>
> * com.apple.security.cs.allow-jit
> * com.apple.security.cs.allow-unsigned-executable-memory
> * com.apple.security.cs.disable-executable-page-protection
> * com.apple.security.cs.allow-dyld-environment-variables
> * com.apple.security.cs.debugger
>
> With this change the macOS codesign tool is being run for all native
> executables and libraries.
>
> Additionally this change introduces a new configure option:
> --with-macosx-codesign-identity
>
> This option allows specifying a codesigning identity stored in the
> macOS keychain.
> When this option is not set it falls back to "openjdk_codesign".
>
> Thanks,
> Rene
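
The signing step described in the message above, as an added example that is not part of the original post and not the OpenJDK build's own code: it writes an entitlements plist with the five listed keys and runs `codesign` with the hardened runtime and secure timestamp options. The function names, the `CODESIGN` override variable and the file-selection rule in `sign_tree` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the webrev). Entitlement keys are the ones
# listed in the message; everything else is an illustrative assumption.
ENTITLEMENTS="com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.debugger"

# write_entitlements <out.plist>: emit a plist granting each key above.
write_entitlements() {
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        printf '%s\n' '<plist version="1.0">' '<dict>'
        for key in $ENTITLEMENTS; do
            printf '    <key>%s</key>\n    <true/>\n' "$key"
        done
        printf '%s\n' '</dict>' '</plist>'
    } > "$1"
}

# sign_file <file> <entitlements.plist> [identity]
# Identity falls back to "openjdk_codesign", as the message describes.
# CODESIGN can point at a stub so the call can be inspected off macOS.
sign_file() {
    "${CODESIGN:-codesign}" -s "${3:-openjdk_codesign}" --timestamp \
        --options runtime --entitlements "$2" "$1"
}

# sign_tree <dir> <entitlements.plist> [identity]
# Assumption: native code is *.dylib files plus files with the owner
# execute bit set. A real build knows its own list of native artifacts.
sign_tree() {
    find "$1" -type f \( -name '*.dylib' -o -perm -100 \) -print |
    while IFS= read -r f; do
        sign_file "$f" "$2" "$3" || return 1
    done
}
```

Three of these entitlements (`allow-unsigned-executable-memory`, `disable-executable-page-protection`, `debugger`) relax protections the hardened runtime otherwise enforces, so it is worth reviewing that signed artifacts carry exactly this set and nothing broader.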