RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables

René Schünemann rene.schuenemann at gmail.com
Tue Dec 10 08:26:42 UTC 2019


Hello Erik,

thank you for your review.

On Mon, Dec 9, 2019 at 5:48 PM Erik Joelsson <erik.joelsson at oracle.com> wrote:
>
> Hello René,
>
> Nice to see an OpenJDK solution to this. (Our Oracle solution requires
> too much corp specific customization to really benefit from code sharing
> with a simple codesign based implementation)
>
> On 2019-12-09 08:06, René Schünemann wrote:
> > Here is the webrev:
> > http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/01/
>
> Generally looks good.
>
> NativeCompilation.gmk, line 1132 looks weirdly indented. The line could
> also benefit from being broken up. See [1] for guidance.
>

I agree. I will break it into two lines.

> >
> > On Mon, Dec 9, 2019 at 5:05 PM René Schünemann
> > <rene.schuenemann at gmail.com> wrote:
> >> Hi,
> >>
> >> for the macOS notarization process, all executables and libraries need
> >> to be codesigned with hardened runtime (--options runtime) and secure
> >> timestamp (--timestamp) enabled. Additionally for the OpenJDK certain
> >> entitlements have to be set during codesigning:
> >>
> >> * com.apple.security.cs.allow-jit
> >> * com.apple.security.cs.allow-unsigned-executable-memory
> >> * com.apple.security.cs.disable-executable-page-protection
> In our testing, we saw no need for disable-executable-page-protection.
> Did you actually see missing this trigger any problems?

I'm actually not quite sure. We have used this set internally for notarization.
I will go back and do some additional testing with this specific
entitlement removed.

> >> * com.apple.security.cs.allow-dyld-environment-variables
> >> * com.apple.security.cs.debugger
> >>
> >> With this change the macOS codesign tool is being run for all native
> >> executables and libraries.
> >>
> >> Additionally this change introduces a new configure option:
> >> --with-macosx-codesign-identity
> >>
> >> This option allows specifying a codesigning identity stored in the
> >> macOS keychain.
> >> When this option is not set it falls back to "openjdk_codesign".
> >>
> >> Thanks,
> >> Rene
> /Erik
>
> [1] http://openjdk.java.net/groups/build/doc/code-conventions.html
>

Rene
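The signing step the thread describes, written out as an added example (this is not code from the webrev or from the OpenJDK build system): an entitlements plist carrying the keys listed above, a `codesign` invocation with the hardened runtime and secure timestamp enabled, a loop over the executables and libraries of an image, and a verification step. The default identity `openjdk_codesign` is the fallback named in the thread; the `CODESIGN` override, the `native_files` heuristic (executable bit or `.dylib`/`.jnilib` suffix) and the function names are assumptions of this example, not part of the change under review.

```shell
#!/bin/sh
# Added example, not code from the webrev: sign every native executable and
# library under a JDK image the way the thread describes (hardened runtime,
# secure timestamp, OpenJDK entitlements) and verify the result afterwards.
# Assumptions: the identity defaults to "openjdk_codesign" as in the thread;
# CODESIGN may be overridden, e.g. for a dry run on a non-macOS host.

CODESIGN="${CODESIGN:-codesign}"

# The entitlements listed in the thread. Whether
# disable-executable-page-protection is really needed is left open there;
# drop it from this list to test the reduced set.
OPENJDK_ENTITLEMENTS="
  com.apple.security.cs.allow-jit
  com.apple.security.cs.allow-unsigned-executable-memory
  com.apple.security.cs.disable-executable-page-protection
  com.apple.security.cs.allow-dyld-environment-variables
  com.apple.security.cs.debugger
"

# write_entitlements KEY... : print a plist granting exactly the given keys.
write_entitlements() {
  printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
  printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
  printf '%s\n' '<plist version="1.0">' '<dict>'
  for key in "$@"; do
    printf '  <key>%s</key>\n  <true/>\n' "$key"
  done
  printf '%s\n' '</dict>' '</plist>'
}

# sign_file IDENTITY ENTITLEMENTS_PLIST TARGET : codesign one Mach-O file.
# -f replaces any existing (e.g. ad-hoc) signature; --options runtime turns on
# the hardened runtime and --timestamp requests a secure timestamp, the two
# properties notarization requires according to the thread.
sign_file() {
  "$CODESIGN" -f -s "$1" --options runtime --timestamp --entitlements "$2" "$3"
}

# native_files DIR : list candidate executables and libraries under DIR.
# Name/mode heuristic (assumption of this example) so it runs without `file`.
native_files() {
  find "$1" -type f \( -perm -u+x -o -name '*.dylib' -o -name '*.jnilib' \)
}

# sign_image IDENTITY DIR : sign everything native_files finds and print the
# number of files processed.
sign_image() {
  identity="$1"; dir="$2"
  plist="$(mktemp)"
  write_entitlements $OPENJDK_ENTITLEMENTS > "$plist"   # word-splitting intended
  native_files "$dir" | while read -r f; do
    sign_file "$identity" "$plist" "$f"
  done
  rm -f "$plist"
  native_files "$dir" | wc -l | tr -d ' '
}

# verify_file TARGET : fail if the signature does not verify or the hardened
# runtime flag is absent (codesign -dvv reports it as "flags=...(runtime)").
verify_file() {
  "$CODESIGN" --verify --strict "$1" &&
  "$CODESIGN" -dvv "$1" 2>&1 | grep -q '(runtime)'
}

# Usage: sign-image.sh <image-dir> [identity]
if [ $# -ge 1 ]; then
  n=$(sign_image "${2:-openjdk_codesign}" "$1")
  echo "signed $n files under $1"
fi
```

After signing, run `verify_file` on a few binaries (or `codesign -dvv --entitlements :- <file>`) to confirm the hardened-runtime flag and the expected entitlement set actually landed on each file; a file that was skipped by the heuristic or signed without `--options runtime` is exactly what the notarization service will later reject.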


