RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables
René Schünemann
rene.schuenemann at gmail.com
Tue Dec 10 11:44:42 UTC 2019
Thank you Christoph.
I have fixed the indentation in NativeCompilation.gmk and removed the
"com.apple.security.cs.disable-executable-page-protection"
entitlement.
Updated webrev:
http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/02/
Rene
On Tue, Dec 10, 2019 at 11:25 AM Langer, Christoph
<christoph.langer at sap.com> wrote:
>
> Hi René,
>
> thanks for doing this.
>
> I agree to Erik's findings, these should be addressed. Other than that, I have no further points.
>
> It would be good, if this little enhancement can be pushed before Thursday to make it into JDK14 without special approval.
>
> Best regards
> Christoph
>
>
> > -----Original Message-----
> > From: build-dev <build-dev-bounces at openjdk.java.net> On Behalf Of René
> > Schünemann
> > Sent: Dienstag, 10. Dezember 2019 09:27
> > To: Erik Joelsson <erik.joelsson at oracle.com>
> > Cc: build-dev at openjdk.java.net
> > Subject: Re: RFR: JDK-8235585: Enable macOS codesigning for all libraries and
> > executables
> >
> > Hello Erik,
> >
> > thank you for your review.
> >
> > On Mon, Dec 9, 2019 at 5:48 PM Erik Joelsson <erik.joelsson at oracle.com>
> > wrote:
> > >
> > > Hello René,
> > >
> > > Nice to see an OpenJDK solution to this. (Our Oracle solution requires
> > > too much corp specific customization to really benefit from code sharing
> > > with a simple codesign based implementation)
> > >
> > > On 2019-12-09 08:06, René Schünemann wrote:
> > > > Here is the webrev:
> > > > http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-
> > mac_notarization/01/
> > >
> > > Generally looks good.
> > >
> > > NativeCompilation.gmk, line 1132 looks weirdly indented. The line could
> > > also benefit from being broken up. See [1] for guidance.
> > >
> >
> > I agree. I will break it into two lines.
> >
> > > >
> > > > On Mon, Dec 9, 2019 at 5:05 PM René Schünemann
> > > > <rene.schuenemann at gmail.com> wrote:
> > > >> Hi,
> > > >>
> > > >> for the macOS notarization process, all executables and libraries need
> > > >> to be codesigned with hardened runtime (--options runtime) and
> > secure
> > > >> timestamp (--timestamp) enabled. Additionally for the OpenJDK certain
> > > >> entitlements have to be set during codesigning:
> > > >>
> > > >> * com.apple.security.cs.allow-jit
> > > >> * com.apple.security.cs.allow-unsigned-executable-memory
> > > >> * com.apple.security.cs.disable-executable-page-protection
> > > In our testing, we saw no need for disable-executable-page-protection.
> > > Did you actually see missing this trigger any problems?
> >
> > I'm actually not quite sure. We have used this set internally for notarization.
> > I will go back an do some additional testing with this specific
> > entitlement removed.
> >
> > > >> * com.apple.security.cs.allow-dyld-environment-variables
> > > >> * com.apple.security.cs.debugger
> > > >>
> > > >> With this change the macOS codesign tool is being run for all native
> > > >> executables and libraries.
> > > >>
> > > >> Additionally this change introduces a new configure option:
> > > >> --with-macosx-codesign-identity
> > > >>
> > > >> This options allows to specify a codesigning identity stored in the
> > > >> macOS keychain.
> > > >> When this option is not set it falls back to "openjdk_codesign".
> > > >>
> > > >> Thanks,
> > > >> Rene
> > > /Erik
> > >
> > > [1] http://openjdk.java.net/groups/build/doc/code-conventions.html
> > >
> >
> > Rene
More information about the build-dev
mailing list