macOS build success but codesign fail on macOS 10.13.5 or older
Magnus Ihse Bursie
magnus.ihse.bursie at oracle.com
Fri Feb 28 08:59:03 UTC 2020
On 2020-02-27 16:07, Erik Joelsson wrote:
> On 2020-02-27 06:16, Magnus Ihse Bursie wrote:
>> I don't think it should be a fatal error. If you have a codesign
>> binary on your path that does not support --option runtime, you
>> should still be able to build, but not sign. Change it to a warning,
>> and let the user continue without CODESIGN.
>>
> My interpretation of this patch is that the new check is only
> performed if a valid --with-macosx-codesign-identity was provided, so
> the user has clearly requested signing to be performed. In that case I
> agree that it should error out.

I'm sorry Erik, but that is not open to "interpretation". Look at the code:

    UTIL_PATH_PROGS(CODESIGN, codesign)
    if test "x$CODESIGN" != "x"; then
      # Check for user provided code signing identity.
      # If no identity was provided, fall back to "openjdk_codesign".
      AC_ARG_WITH([macosx-codesign-identity],
        [AS_HELP_STRING([--with-macosx-codesign-identity],
          [specify the code signing identity])],
        [MACOSX_CODESIGN_IDENTITY=$with_macosx_codesign_identity],
        [MACOSX_CODESIGN_IDENTITY=openjdk_codesign]
      )
      AC_SUBST(MACOSX_CODESIGN_IDENTITY)
      # Verify that the codesign certificate is present
      AC_MSG_CHECKING([if codesign certificate is present])
      $RM codesign-testfile
      $TOUCH codesign-testfile
      $CODESIGN -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
      $RM codesign-testfile
      if test "x$CODESIGN" = x; then
        AC_MSG_RESULT([no])
      else
        AC_MSG_RESULT([yes])
        # Verify that the codesign has --option runtime
        AC_MSG_CHECKING([if codesign has --option runtime])
        $RM codesign-testfile
        $TOUCH codesign-testfile
        $CODESIGN --option runtime -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
        $RM codesign-testfile
        if test "x$CODESIGN" = x; then
          AC_MSG_ERROR([codesign does not have --option runtime. macOS 10.13.6 and above is required.])
        else
          AC_MSG_RESULT([yes])
        fi
      fi
    fi

This means that if you have a binary named "codesign" on your path, and
it does not accept the '--option runtime' argument, configure will fail.
This is not acceptable.

However, I understand that there is a need to be able to *enforce*
signing. I'm actually currently working with a patch that will add
--enable-jdk-feature-codesign, and if that is enabled, configure will
fail unless a working codesign binary and certificate is present. It
will be easy to adapt this change as well. But in the meantime, the
AC_MSG_ERROR must be changed to a warning.

/Magnus
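
The behaviour discussed in this message, as an added example in plain shell (not the OpenJDK configure code and not part of the original mail): the same two probes, where a failed probe only warns and disables signing unless signing is explicitly enforced. The function name `probe_codesign`, its `yes|no` enforce argument (standing in for the proposed --enable-jdk-feature-codesign) and the two `fake_codesign_*` stand-ins are assumptions made for the example.

```shell
#!/bin/sh
# Constructed stand-ins for the codesign tool (not Apple's binary), so the probe
# can be exercised on any host: "old" rejects --option, "new" accepts everything.
fake_codesign_old() { for a in "$@"; do [ "$a" = --option ] && return 2; done; return 0; }
fake_codesign_new() { return 0; }

# probe_codesign COMMAND IDENTITY ENFORCE(yes|no)
#   Prints "sign-runtime" when both probes pass, "skip" when signing is
#   disabled with a warning. Returns 1 only when ENFORCE=yes and a probe fails.
probe_codesign() {
  cs=$1; identity=$2; enforce=$3
  work=$(mktemp -d) || return 2
  reason=

  # Probe 1: can this command sign a scratch file with the given identity?
  : > "$work/codesign-testfile"
  if ! "$cs" -s "$identity" "$work/codesign-testfile" >/dev/null 2>&1; then
    reason="cannot sign with identity '$identity'"
  else
    # Probe 2: does it accept '--option runtime' (macOS 10.13.6 and above)?
    : > "$work/codesign-testfile"
    if ! "$cs" --option runtime -s "$identity" "$work/codesign-testfile" >/dev/null 2>&1; then
      reason="codesign does not have --option runtime"
    fi
  fi
  rm -rf "$work"

  if [ -z "$reason" ]; then
    echo sign-runtime
    return 0
  fi
  if [ "$enforce" = yes ]; then
    # Signing was requested as mandatory: an unsigned build must not pass silently.
    echo "error: $reason" >&2
    return 1
  fi
  # Default: the build continues, but the artifacts will be unsigned.
  echo "warning: $reason; continuing without CODESIGN" >&2
  echo skip
  return 0
}
```

A release pipeline that must never ship unsigned binaries would call the probe with `yes`, so that a downgrade to "skip" cannot go unnoticed.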