macOS build success but codesign fail on macOS 10.13.5 or older

Erik Joelsson erik.joelsson at oracle.com
Thu Mar 12 19:58:28 UTC 2020 

Done: https://bugs.openjdk.java.net/browse/JDK-8240972


/Erik


On 2020-03-12 11:33, Junyuan Zheng wrote:
> Hi Erik,
>
> Yes, I do need a sponsor for pushing this. Do you mind sponsoring this?
>
> Thanks,
>
> Junyuan
>
> ________________________________________
> From: Erik Joelsson <erik.joelsson at oracle.com>
> Sent: Wednesday, March 11, 2020 5:51 AM
> To: Junyuan Zheng; Magnus Ihse Bursie; build-dev at openjdk.java.net
> Subject: Re: [EXTERNAL] Re: macOS build success but codesign fail on 
> macOS 10.13.5 or older
>
> I couldn't find your name in the census [1] so I assume you need a
> sponsor for pushing this?
>
> /Erik
>
> [1] 
> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenjdk.java.net%2Fcensus&data=02%7C01%7CJunyuan.Zheng%40microsoft.com%7Cdb1768ecaec14b9bd56108d7c5bafe42%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637195279227926938&sdata=Mqh%2Fy1mq5cGA06QXOKPxX2ow%2BhhOEs3NjYbk%2FhENnlc%3D&reserved=0 
> <https://urldefense.com/v3/__https://nam06.safelinks.protection.outlook.com/?url=http*3A*2F*2Fopenjdk.java.net*2Fcensus&data=02*7C01*7CJunyuan.Zheng*40microsoft.com*7Cdb1768ecaec14b9bd56108d7c5bafe42*7C72f988bf86f141af91ab2d7cd011db47*7C1*7C0*7C637195279227926938&sdata=Mqh*2Fy1mq5cGA06QXOKPxX2ow*2BhhOEs3NjYbk*2FhENnlc*3D&reserved=0__;JSUlJSUlJSUlJSUlJSUlJQ!!GqivPVa7Brio!NLE-wF6qgSxR6JuF79wQ2TvqkUtgjFTg567esXvMJf7agorfaB2RwHXmCKyS2zHOKIw$>
>
> On 2020-03-10 16:47, Junyuan Zheng wrote:
> > Hi Erik, Magnus,
> >
> > Thank you for reviewing this. Please let me know what's the next step
> > and if you'd like me to help with backporting this change or anything.
> >
> > Thanks,
> >
> > Junyuan
> >
> >
> > From: Erik Joelsson <erik.joelsson at oracle.com>
> >
> > Sent: Friday, February 28, 2020 6:26 AM
> >
> > To: Magnus Ihse Bursie <magnus.ihse.bursie at oracle.com>; Junyuan 
> Zheng <Junyuan.Zheng at microsoft.com>; build-dev at openjdk.java.net 
> <build-dev at openjdk.java.net>
> >
> > Subject: [EXTERNAL] Re: macOS build success but codesign fail on 
> macOS 10.13.5 or older
> >
> >
> >
> >
> > On 2020-02-28 01:04, Magnus Ihse Bursie wrote:
> >
> >> On 2020-02-28 09:59, Magnus Ihse Bursie wrote:
> >>> On 2020-02-27 16:07, Erik Joelsson wrote:
> >>>> On 2020-02-27 06:16, Magnus Ihse Bursie wrote:
> >>>>> I don't think it should be a fatal error. If you have a codesign
> >>>>> binary on your path that does not support --option runtime, you
> >>>>> should still be able to build, but not sign. Change it to a
> >>>>> warning, and let the user continue without CODESIGN.
> >>>> My interpretation of this patch is that the new check is only
> >>>> performed if a valid --with-macosx-codesign-identity was provided,
> >>>> so the user has clearly requested signing to be performed. In that
> >>>> case I agree that it should error out.
> >>> I'm sorry Erik, but that is not open to "interpretation". Look at the
> >>> code:
> >>>      UTIL_PATH_PROGS(CODESIGN, codesign)
> >>>      if test "x$CODESIGN" != "x"; then
> >>>        # Check for user provided code signing identity.
> >>>        # If no identity was provided, fall back to "openjdk_codesign".
> >>>        AC_ARG_WITH([macosx-codesign-identity],
> >>> [AS_HELP_STRING([--with-macosx-codesign-identity],
> >>>          [specify the code signing identity])],
> >>> [MACOSX_CODESIGN_IDENTITY=$with_macosx_codesign_identity],
> >>>  [MACOSX_CODESIGN_IDENTITY=openjdk_codesign]
> >>>        )
> >>>        AC_SUBST(MACOSX_CODESIGN_IDENTITY)
> >>>        # Verify that the codesign certificate is present
> >>>        AC_MSG_CHECKING([if codesign certificate is present])
> >>>        $RM codesign-testfile
> >>>        $TOUCH codesign-testfile
> >>>        $CODESIGN -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile
> >>> 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
> >>>        $RM codesign-testfile
> >>>        if test "x$CODESIGN" = x; then
> >>>          AC_MSG_RESULT([no])
> >>>        else
> >>>          AC_MSG_RESULT([yes])
> >>>         # Verify that the codesign has --option runtime
> >>>         AC_MSG_CHECKING([if codesign has --option runtime])
> >>>         $RM codesign-testfile
> >>>         $TOUCH codesign-testfile
> >>>         $CODESIGN --option runtime -s "$MACOSX_CODESIGN_IDENTITY"
> >>> codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || 
> CODESIGN=
> >>>         $RM codesign-testfile
> >>>         if test "x$CODESIGN" = x; then
> >>>           AC_MSG_ERROR([codesign does not have --option runtime. macOS
> >>> 10.13.6 and above is required.])
> >>>         else
> >>>           AC_MSG_RESULT([yes])
> >>>         fi
> >>>        fi
> >>>      fi
> >>> This means that if you have a binary named "codesign" on your path,
> >>> and it does not accept the '--option runtime' argument, configure
> >>> will fail.
> >> Sorry, my bad: configure will fail if you have codesign, and
> >> openjdk_codesign is a valid codesign identity, but --option runtime is
> >> not supported. This does indeed limit the impact of this patch.
> >> Nevertheless, I still think this is bad design. If the code would e.g.
> >> check that --with-macosx-codesign-identity was explicitly given on the
> >> command line, then it would be OK to fail.
> > I agree that an explicit check that --with-macosx-codesign-identity was
> >
> > set would make the code clearer. The point is that if you have a valid
> >
> > identity defined, but you are building on an older MacOS version so the
> >
> > --option runtime is not supported, the build will unconditionally fail
> >
> > at the first signing attempt anyway. This is the proper fail fast 
> mechanism.
> >
> >
> >
> > On a side note, there is also no point in supporting signing on older
> >
> > macs without the --option runtime because such signatures are basically
> >
> > useless today.
> >
> >
> >
> > /Erik
> >
> >
> >
> >> /Magnus
> >>> This is not acceptable.
> >>> However, I understand that there is a need to be able to *enforce*
> >>> signing. I'm actually currently working with a patch that will add
> >>> --enable-jdk-feature-codesign, and if that is enabled, configure will
> >>> fail unless a working codesign binary and certificate is present. It
> >>> will be easy to adapt this change as well. But in the meantime, the
> >>> AC_MSG_ERROR must be changed to a warning.
> >>> /Magnus
>

More information about the build-dev mailing list