macOS build success but codesign fail on macOS 10.13.5 or older

Magnus Ihse Bursie magnus.ihse.bursie at oracle.com
Thu Feb 27 14:16:13 UTC 2020


On 2020-02-26 18:30, Junyuan Zheng wrote:
> Hi all,
>
> A recent change in OpenJDK tip (https://hg.openjdk.java.net/jdk/jdk/rev/dcf88e5c8c07) contains a potential bug when trying to sign the macOS binary on older macOS.
>
> The current macOS signing process will execute the following command in order:
> 1. Checking whether codesign certificate is present (https://hg.openjdk.java.net/jdk/jdk/rev/dcf88e5c8c07#l1.26)
> 2. Using codesign with `--options runtime` to sign the binary (https://hg.openjdk.java.net/jdk/jdk/rev/dcf88e5c8c07#l3.19)
>
> Notice that in the first step, the codesign command is not using the `--options runtime` option, because `--options runtime` is only available in Xcode 10 or later and requires macOS 10.13.6 or later (https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues). So if a developer uses an old Xcode or macOS to sign the binary, the `configure` command will pass but they will hit an exception when the script tries to sign the binary. I want to propose a change to make sure this fails fast.
>
> Proposed changes:
>
> ```
> --- a/make/autoconf/basic_tools.m4
> +++ b/make/autoconf/basic_tools.m4
> @@ -397,10 +397,21 @@ AC_DEFUN_ONCE([BASIC_SETUP_COMPLEX_TOOLS],
>         $RM codesign-testfile
>         if test "x$CODESIGN" = x; then
>           AC_MSG_RESULT([no])
>         else
>           AC_MSG_RESULT([yes])
> +       # Verify that the codesign has --option runtime
> +       AC_MSG_CHECKING([if codesign has --option runtime])
> +       $RM codesign-testfile
> +       $TOUCH codesign-testfile
> +       $CODESIGN --option runtime -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
> +       $RM codesign-testfile
> +       if test "x$CODESIGN" = x; then
> +         AC_MSG_ERROR([codesign does not have --option runtime. macOS 10.13.6 and above is required.])
> +       else
> +         AC_MSG_RESULT([yes])
> +       fi
>         fi
>       fi
>       UTIL_REQUIRE_PROGS(SETFILE, SetFile)
>     elif test "x$OPENJDK_TARGET_OS" = "xsolaris"; then
>       UTIL_REQUIRE_PROGS(ELFEDIT, elfedit)
> ```
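Review bot: the probe signs with `--option runtime` while the signing step this check guards uses `--options runtime` (the spelling in the message and in the linked change), so the flag should be spelled exactly as the real invocation spells it to be sure the probe exercises the same path. The `AC_MSG_ERROR([codesign does not have --option runtime. macOS 10.13.6 and above is required.])` also turns a missing signing feature into a configure failure for anyone who only wants an unsigned build; the surrounding certificate check already handles absence by printing `no` and leaving `CODESIGN` empty, so an `AC_MSG_WARN` followed by the same empty `CODESIGN` would be consistent with it (and this branch never emits a `no` result for its own `AC_MSG_CHECKING`). Style: the added lines sit at the indentation of the enclosing `if`/`else` rather than two spaces deeper like the `AC_MSG_RESULT([yes])` directly above them. Note also that the error text in the hunk says "10.13.6" while the sample output below says "10.13", so the pasted patch and the run may not be the same revision.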
>
> And a run on macOS 10.12 with this change will see this output:
>
> ```
> checking for codesign... /usr/bin/codesign
> checking if codesign certificate is present... yes
> checking if codesign has --option runtime... configure: error: codesign does not have --option runtime. macOS 10.13 and above is required.
> configure exiting with result code 1
> ```
>
> Please let me know what you think.
I don't think it should be a fatal error. If you have a codesign binary 
on your path that does not support --option runtime, you should still be 
able to build, but not sign. Change it to a warning, and let the user 
continue without CODESIGN.

/Magnus

>
> Thank you,
>
> Junyuan
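As an added example that is not part of this thread or of the OpenJDK build system: the probe from the proposed patch (sign a scratch file with the hardened-runtime flag) written as a plain POSIX shell function, combined with the non-fatal handling Magnus asks for, i.e. warn and leave CODESIGN empty rather than abort. The function names (`codesign_supports_runtime`, `setup_codesign`, `make_fake_codesign`) and the two fake `codesign` stand-ins are constructed for this example so it runs offline; on a real Mac you would point `setup_codesign` at `/usr/bin/codesign` and a real signing identity.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenJDK build system.
# It shows the configure-time probe (sign a scratch file with
# "--options runtime") as plain shell, plus non-fatal handling: warn and
# continue with CODESIGN unset instead of aborting configure.
# Hypothetical names: codesign_supports_runtime, setup_codesign,
# make_fake_codesign. The fake codesign scripts are constructed stand-ins.

# codesign_supports_runtime TOOL IDENTITY
# Exit status 0 when TOOL accepts "--options runtime" (hardened runtime),
# 1 otherwise. A scratch file is signed so no real binary is touched.
codesign_supports_runtime() {
  tool=$1
  identity=$2
  scratch=$(mktemp "${TMPDIR:-/tmp}/codesign-testfile.XXXXXX") || return 1
  # Spell the flag exactly as the real signing step does.
  if "$tool" --options runtime -s "$identity" "$scratch" >/dev/null 2>&1; then
    status=0
  else
    status=1
  fi
  rm -f "$scratch"
  return $status
}

# setup_codesign TOOL IDENTITY
# Echoes the tool path to keep in CODESIGN, or an empty string when hardened
# runtime signing is unavailable. Missing support is a warning, not an error,
# so a developer on an older Xcode can still produce an unsigned build.
setup_codesign() {
  tool=$1
  identity=$2
  if [ -z "$tool" ]; then
    echo ""
    return 0
  fi
  if codesign_supports_runtime "$tool" "$identity"; then
    echo "$tool"
  else
    echo "configure: WARNING: $tool does not support --options runtime" \
         "(Xcode 10 / macOS 10.13.6 or later needed); continuing without signing" >&2
    echo ""
  fi
}

# make_fake_codesign PATH ACCEPT
# Writes a constructed stand-in for codesign at PATH. When ACCEPT is "yes" it
# accepts every argument; otherwise it rejects "runtime" the way an older
# Xcode codesign rejects the hardened-runtime option. Offline testing only.
make_fake_codesign() {
  printf '%s\n' \
    '#!/bin/sh' \
    "accept=$2" \
    'if [ "$accept" != yes ]; then' \
    '  for a in "$@"; do' \
    '    [ "$a" = runtime ] && { echo "codesign: invalid option" >&2; exit 1; }' \
    '  done' \
    'fi' \
    'exit 0' > "$1"
  chmod +x "$1"
}

# Demo: build both stand-ins and run the configure-style check against each.
demo_dir=$(mktemp -d "./codesign-demo.XXXXXX")
make_fake_codesign "$demo_dir/new-codesign" yes
make_fake_codesign "$demo_dir/old-codesign" no
echo "new: CODESIGN='$(setup_codesign "$demo_dir/new-codesign" 'Developer ID Application')'"
echo "old: CODESIGN='$(setup_codesign "$demo_dir/old-codesign" 'Developer ID Application')'"
rm -rf "$demo_dir"
```

The probe deliberately uses the same flag spelling as the real signing command, since a check that signs with a different option proves nothing about the invocation the build will later run.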