RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables
Langer, Christoph
christoph.langer at sap.com
Tue Dec 10 15:27:32 UTC 2019
Hi René,
LGTM, too.
I'll sponsor it for you.
Cheers
Christoph
> -----Original Message-----
> From: Erik Joelsson <erik.joelsson at oracle.com>
> Sent: Tuesday, 10 December 2019 15:35
> To: René Schünemann <rene.schuenemann at gmail.com>; Langer, Christoph <christoph.langer at sap.com>
> Cc: build-dev at openjdk.java.net
> Subject: Re: RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables
>
> Looks good.
>
> /Erik
>
> On 2019-12-10 03:44, René Schünemann wrote:
> > Thank you Christoph.
> >
> > I have fixed the indentation in NativeCompilation.gmk and removed the
> > "com.apple.security.cs.disable-executable-page-protection"
> > entitlement.
> >
> > Updated webrev:
> > http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/02/
> >
> > Rene
> >
> > On Tue, Dec 10, 2019 at 11:25 AM Langer, Christoph
> > <christoph.langer at sap.com> wrote:
> >> Hi René,
> >>
> >> thanks for doing this.
> >>
> >> I agree with Erik's findings, these should be addressed. Other than that, I have no further points.
> >>
> >> It would be good if this little enhancement can be pushed before Thursday to make it into JDK14 without special approval.
> >>
> >> Best regards
> >> Christoph
> >>
> >>
> >>> -----Original Message-----
> >>> From: build-dev <build-dev-bounces at openjdk.java.net> On Behalf Of René Schünemann
> >>> Sent: Tuesday, 10 December 2019 09:27
> >>> To: Erik Joelsson <erik.joelsson at oracle.com>
> >>> Cc: build-dev at openjdk.java.net
> >>> Subject: Re: RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables
> >>>
> >>> Hello Erik,
> >>>
> >>> thank you for your review.
> >>>
> >>> On Mon, Dec 9, 2019 at 5:48 PM Erik Joelsson <erik.joelsson at oracle.com> wrote:
> >>>> Hello René,
> >>>>
> >>>> Nice to see an OpenJDK solution to this. (Our Oracle solution requires
> >>>> too much corp specific customization to really benefit from code sharing
> >>>> with a simple codesign based implementation)
> >>>>
> >>>> On 2019-12-09 08:06, René Schünemann wrote:
> >>>>> Here is the webrev:
> >>>>> http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/01/
> >>>> Generally looks good.
> >>>>
> >>>> NativeCompilation.gmk, line 1132 looks weirdly indented. The line could
> >>>> also benefit from being broken up. See [1] for guidance.
> >>>>
> >>> I agree. I will break it into two lines.
> >>>
> >>>>> On Mon, Dec 9, 2019 at 5:05 PM René Schünemann
> >>>>> <rene.schuenemann at gmail.com> wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> for the macOS notarization process, all executables and libraries need
> >>>>>> to be codesigned with hardened runtime (--options runtime) and secure
> >>>>>> timestamp (--timestamp) enabled. Additionally, for the OpenJDK certain
> >>>>>> entitlements have to be set during codesigning:
> >>>>>>
> >>>>>> * com.apple.security.cs.allow-jit
> >>>>>> * com.apple.security.cs.allow-unsigned-executable-memory
> >>>>>> * com.apple.security.cs.disable-executable-page-protection
> >>>> In our testing, we saw no need for disable-executable-page-protection.
> >>>> Did you actually see missing this trigger any problems?
> >>> I'm actually not quite sure. We have used this set internally for notarization.
> >>> I will go back and do some additional testing with this specific
> >>> entitlement removed.
> >>>
> >>>>>> * com.apple.security.cs.allow-dyld-environment-variables
> >>>>>> * com.apple.security.cs.debugger
> >>>>>>
> >>>>>> With this change the macOS codesign tool is being run for all native
> >>>>>> executables and libraries.
> >>>>>>
> >>>>>> Additionally this change introduces a new configure option:
> >>>>>> --with-macosx-codesign-identity
> >>>>>>
> >>>>>> This option allows specifying a codesigning identity stored in the
> >>>>>> macOS keychain.
> >>>>>> When this option is not set it falls back to "openjdk_codesign".
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Rene
> >>>> /Erik
> >>>>
> >>>> [1] http://openjdk.java.net/groups/build/doc/code-conventions.html
> >>>>
> >>> Rene
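The signing step René describes (hardened runtime, secure timestamp, the entitlements the thread settles on, and the "openjdk_codesign" fallback), as an added example that is not the webrev's code or part of the OpenJDK build. It assumes the macOS codesign tool; the helper names and the MACOSX_CODESIGN_IDENTITY variable are assumptions, not the configure option itself.

```shell
#!/bin/sh
# Added example (not the webrev's code): sign one Mach-O file as the thread
# describes (hardened runtime, secure timestamp, entitlements) and verify it.
# 'codesign' is the macOS tool; the plist and flag-check helpers run anywhere.
set -eu

# Entitlements the thread settles on (disable-executable-page-protection dropped).
ENTITLEMENTS="com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.debugger"

write_entitlements_plist() {  # $1 = output path; each key is set to <true/>
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
    for key in $ENTITLEMENTS; do
      printf '  <key>%s</key>\n  <true/>\n' "$key"
    done
    printf '</dict>\n</plist>\n'
  } > "$1"
}

codesign_identity() {  # $1 = identity or empty; same fallback as the configure option
  printf '%s' "${1:-openjdk_codesign}"
}

# Reads 'codesign -d -vv' output on stdin and succeeds only when the hardened
# runtime flag is present, e.g. "flags=0x10000(runtime)".
has_hardened_runtime_flag() {
  grep -q 'flags=0x[0-9a-fA-F]*([^)]*runtime'
}

sign_and_verify() {  # $1 = file, $2 = entitlements plist, $3 = identity (optional)
  identity=$(codesign_identity "${3:-}")
  codesign --force --sign "$identity" --options runtime --timestamp \
    --entitlements "$2" "$1"
  codesign --verify --strict --verbose=2 "$1"
  codesign -d -vv "$1" 2>&1 | has_hardened_runtime_flag \
    || { echo "hardened runtime flag missing on $1" >&2; return 1; }
}

# Usage: sign.sh file...  (MACOSX_CODESIGN_IDENTITY is an assumed env var, not
# the configure option itself). Does nothing where codesign is unavailable.
if command -v codesign >/dev/null 2>&1 && [ $# -ge 1 ]; then
  plist=$(mktemp "${TMPDIR:-/tmp}/entitlements.XXXXXX")
  write_entitlements_plist "$plist"
  for f in "$@"; do sign_and_verify "$f" "$plist" "${MACOSX_CODESIGN_IDENTITY:-}"; done
fi
```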