RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables
Erik Joelsson
erik.joelsson at oracle.com
Tue Dec 10 14:34:50 UTC 2019
Looks good.
/Erik
On 2019-12-10 03:44, René Schünemann wrote:
> Thank you Christoph.
>
> I have fixed the indentation in NativeCompilation.gmk and removed the
> "com.apple.security.cs.disable-executable-page-protection"
> entitlement.
>
> Updated webrev:
> http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/02/
>
> Rene
>
> On Tue, Dec 10, 2019 at 11:25 AM Langer, Christoph
> <christoph.langer at sap.com> wrote:
>> Hi René,
>>
>> thanks for doing this.
>>
>> I agree to Erik's findings, these should be addressed. Other than that, I have no further points.
>>
>> It would be good, if this little enhancement can be pushed before Thursday to make it into JDK14 without special approval.
>>
>> Best regards
>> Christoph
>>
>>
>>> -----Original Message-----
>>> From: build-dev <build-dev-bounces at openjdk.java.net> On Behalf Of René
>>> Schünemann
>>> Sent: Dienstag, 10. Dezember 2019 09:27
>>> To: Erik Joelsson <erik.joelsson at oracle.com>
>>> Cc: build-dev at openjdk.java.net
>>> Subject: Re: RFR: JDK-8235585: Enable macOS codesigning for all libraries and
>>> executables
>>>
>>> Hello Erik,
>>>
>>> thank you for your review.
>>>
>>> On Mon, Dec 9, 2019 at 5:48 PM Erik Joelsson <erik.joelsson at oracle.com>
>>> wrote:
>>>> Hello René,
>>>>
>>>> Nice to see an OpenJDK solution to this. (Our Oracle solution requires
>>>> too much corp specific customization to really benefit from code sharing
>>>> with a simple codesign based implementation)
>>>>
>>>> On 2019-12-09 08:06, René Schünemann wrote:
>>>>> Here is the webrev:
>>>>> http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-
>>> mac_notarization/01/
>>>> Generally looks good.
>>>>
>>>> NativeCompilation.gmk, line 1132 looks weirdly indented. The line could
>>>> also benefit from being broken up. See [1] for guidance.
>>>>
>>> I agree. I will break it into two lines.
>>>
>>>>> On Mon, Dec 9, 2019 at 5:05 PM René Schünemann
>>>>> <rene.schuenemann at gmail.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> for the macOS notarization process, all executables and libraries need
>>>>>> to be codesigned with hardened runtime (--options runtime) and
>>> secure
>>>>>> timestamp (--timestamp) enabled. Additionally for the OpenJDK certain
>>>>>> entitlements have to be set during codesigning:
>>>>>>
>>>>>> * com.apple.security.cs.allow-jit
>>>>>> * com.apple.security.cs.allow-unsigned-executable-memory
>>>>>> * com.apple.security.cs.disable-executable-page-protection
>>>> In our testing, we saw no need for disable-executable-page-protection.
>>>> Did you actually see missing this trigger any problems?
>>> I'm actually not quite sure. We have used this set internally for notarization.
>>> I will go back an do some additional testing with this specific
>>> entitlement removed.
>>>
>>>>>> * com.apple.security.cs.allow-dyld-environment-variables
>>>>>> * com.apple.security.cs.debugger
>>>>>>
>>>>>> With this change the macOS codesign tool is being run for all native
>>>>>> executables and libraries.
>>>>>>
>>>>>> Additionally this change introduces a new configure option:
>>>>>> --with-macosx-codesign-identity
>>>>>>
>>>>>> This options allows to specify a codesigning identity stored in the
>>>>>> macOS keychain.
>>>>>> When this option is not set it falls back to "openjdk_codesign".
>>>>>>
>>>>>> Thanks,
>>>>>> Rene
>>>> /Erik
>>>>
>>>> [1] http://openjdk.java.net/groups/build/doc/code-conventions.html
>>>>
>>> Rene
More information about the build-dev
mailing list