RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables
Erik Joelsson
erik.joelsson at oracle.com
Mon Dec 9 16:48:27 UTC 2019
Hello René,
Nice to see an OpenJDK solution to this. (Our Oracle solution requires
too much corp-specific customization to really benefit from code sharing
with a simple codesign based implementation.)
On 2019-12-09 08:06, René Schünemann wrote:
> Here is the webrev:
> http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/01/
Generally looks good.
NativeCompilation.gmk, line 1132 looks weirdly indented. The line could
also benefit from being broken up. See [1] for guidance.
>
> On Mon, Dec 9, 2019 at 5:05 PM René Schünemann
> <rene.schuenemann at gmail.com> wrote:
>> Hi,
>>
>> for the macOS notarization process, all executables and libraries need
>> to be codesigned with hardened runtime (--options runtime) and secure
>> timestamp (--timestamp) enabled. Additionally, for the OpenJDK, certain
>> entitlements have to be set during codesigning:
>>
>> * com.apple.security.cs.allow-jit
>> * com.apple.security.cs.allow-unsigned-executable-memory
>> * com.apple.security.cs.disable-executable-page-protection
In our testing, we saw no need for disable-executable-page-protection.
Did you actually see missing this trigger any problems?
>> * com.apple.security.cs.allow-dyld-environment-variables
>> * com.apple.security.cs.debugger
>>
>> With this change the macOS codesign tool is being run for all native
>> executables and libraries.
>>
>> Additionally this change introduces a new configure option:
>> --with-macosx-codesign-identity
>>
>> This option allows specifying a codesigning identity stored in the
>> macOS keychain.
>> When this option is not set it falls back to "openjdk_codesign".
>>
>> Thanks,
>> Rene
/Erik
[1] http://openjdk.java.net/groups/build/doc/code-conventions.html
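As an added illustration of the signing step René describes (not code from the webrev or from the OpenJDK build system), the following POSIX shell script writes an entitlements plist containing the five keys listed in the post and runs codesign with the hardened runtime and secure timestamp options that notarization requires, then verifies the result and dumps the embedded entitlements for review. The identity defaults to the "openjdk_codesign" fallback named in the post; the plist path, the CODESIGN_IDENTITY variable and the target library path are placeholders assumed for this example. The entitlement list is reproduced as posted; whether disable-executable-page-protection is actually needed is the open question in Erik's reply, so drop it from JDK_ENTITLEMENTS if your testing agrees.

```shell
#!/bin/sh
# Added example, not part of the original review thread or the OpenJDK build.
# Generates the entitlements plist and runs codesign with hardened runtime
# (--options runtime) and secure timestamp (--timestamp), as required for
# macOS notarization. Identity, plist path and target are placeholders.

# Entitlements as listed in the post, one per line. Erik's reply questions
# whether disable-executable-page-protection is needed; remove it if so.
JDK_ENTITLEMENTS="com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.debugger"

# write_entitlements FILE KEY...: write a plist granting each KEY as <true/>.
write_entitlements() {
  out="$1"; shift
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    for key in "$@"; do
      printf '    <key>%s</key>\n    <true/>\n' "$key"
    done
    printf '</dict>\n</plist>\n'
  } > "$out"
}

# codesign_args IDENTITY PLIST TARGET: print the codesign command line.
# --force re-signs an already signed binary (e.g. from an earlier build).
codesign_args() {
  printf 'codesign --force --sign %s --options runtime --timestamp --entitlements %s %s' \
    "$1" "$2" "$3"
}

# sign_and_verify IDENTITY PLIST TARGET: sign, verify, and show entitlements.
# On a non-macOS host codesign is absent, so only the command is printed.
sign_and_verify() {
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not available on this host; would run:"
    codesign_args "$1" "$2" "$3"; echo
    return 0
  fi
  codesign --force --sign "$1" --options runtime --timestamp --entitlements "$2" "$3"
  # --strict applies the stricter checks the notarization service also runs.
  codesign --verify --verbose=2 --strict "$3"
  # Dump the entitlements actually embedded in the signed binary.
  codesign -d --entitlements :- "$3"
}

# Usage: CODESIGN_IDENTITY=... sh sign.sh path/to/libfoo.dylib
main() {
  plist="${TMPDIR:-/tmp}/jdk-entitlements.plist"
  # Unquoted on purpose: split JDK_ENTITLEMENTS on newlines into arguments.
  write_entitlements "$plist" $JDK_ENTITLEMENTS
  sign_and_verify "${CODESIGN_IDENTITY:-openjdk_codesign}" "$plist" "${1:-lib/libjava.dylib}"
}

main "$@"
```

Run it on macOS against one built library and inspect the last command's output: each entitlement key from the plist should appear in the dumped dictionary, and the verify step should report no errors; if the verify step complains about the timestamp, the build host could not reach Apple's timestamp server, which the notarization service will later reject.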