RFR: 8298343: "Could not confirm if TargetJDK is hardened." warning for SA tests on macosx-aarch64-debug
Chris Plummer
cjplummer at openjdk.org
Fri Dec 9 22:26:53 UTC 2022
In the log for most SA tests on macos-aarch64-debug, you will see something like:

```
STDOUT: Executable=/System/Volumes/Data/mesos/work_dir/jib-master/install/2022-12-07-2219530.chris.plummer.jdk/macosx-aarch64-debug.jdk/jdk-20/fastdebug/bin/java
...
STDOUT: CodeDirectory v=20400 size=758 flags=0x2(adhoc) hashes=13+7 location=embedded
STDOUT: Signature=adhoc
...
Could not confirm if TargetJDK is hardened. Assuming not hardened.
```

The message at the end shouldn't be happening. The problem is in `Platform.isHardenedOSX()`, which is searching for "flags=0x20002(adhoc,linker-signed)", but instead we are seeing "flags=0x2(adhoc)". This is due to [JDK-8293550](https://bugs.openjdk.org/browse/JDK-8293550), which is now explicitly adding adhoc signing. Previously we just allowed the linker to just do the default adhoc signing, which is why you would also see the "linker-signed" flag. Since we explicitly do adhoc signing now, "linker-signed" is missing.
The fix is to just allow either form. Since it is possible to build without the explicit adhoc signing, we still need to support the old form that includes "linker-signed".
There seem to be no adverse effects from this bug, other than seeing the above message, since the conclusion that the JDK is not hardened is the correct one.
-------------
Commit messages:
- Allow adhoc signing that is not linker signed.
Changes: https://git.openjdk.org/jdk/pull/11619/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=11619&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8298343
Stats: 4 lines in 1 file changed: 4 ins; 0 del; 0 mod
Patch: https://git.openjdk.org/jdk/pull/11619.diff
Fetch: git fetch https://git.openjdk.org/jdk pull/11619/head:pull/11619
PR: https://git.openjdk.org/jdk/pull/11619
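
An added example (not the JDK's `Platform.isHardenedOSX()` code and not part of the original message): rather than matching whole `flags=...` strings, it parses the flag names out of the `CodeDirectory` line, so `adhoc` is recognised with or without `linker-signed`. The class name, the three-way result and the `runtime` flag check for a hardened binary are assumptions of this example; the sample lines are constructed from the log excerpt in the message.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not the JDK test library's implementation.
public class CodesignFlags {
    // Matches the flag list on the CodeDirectory line of codesign output, e.g.
    // "CodeDirectory v=20400 size=758 flags=0x2(adhoc) hashes=13+7 location=embedded".
    // The optional "STDOUT: " prefix is how the test log quotes each line.
    private static final Pattern FLAGS = Pattern.compile(
        "^(?:STDOUT: )?CodeDirectory .*\\bflags=0x[0-9a-fA-F]+\\(([^)]*)\\)",
        Pattern.MULTILINE);

    /** Flag names from the CodeDirectory line, or empty if there is no such line. */
    static Optional<Set<String>> flagNames(String codesignOutput) {
        Matcher m = FLAGS.matcher(codesignOutput);
        if (!m.find()) {
            return Optional.empty();
        }
        return Optional.of(new HashSet<>(Arrays.asList(m.group(1).split(","))));
    }

    /** true = hardened, false = confirmed not hardened, empty = could not confirm. */
    static Optional<Boolean> isHardened(String codesignOutput) {
        Optional<Set<String>> flags = flagNames(codesignOutput);
        if (flags.isEmpty()) {
            return Optional.empty();          // no CodeDirectory line at all
        }
        Set<String> names = flags.get();
        if (names.contains("runtime")) {      // assumed name of the hardened-runtime flag
            return Optional.of(true);
        }
        if (names.contains("adhoc")) {        // adhoc, with or without linker-signed
            return Optional.of(false);
        }
        return Optional.empty();              // some other flag set: do not guess
    }

    public static void main(String[] args) {
        String prefix = "STDOUT: CodeDirectory v=20400 size=758 flags=";   // constructed samples
        String suffix = " hashes=13+7 location=embedded\nSTDOUT: Signature=adhoc\n";
        System.out.println(isHardened(prefix + "0x2(adhoc)" + suffix));                   // explicit adhoc
        System.out.println(isHardened(prefix + "0x20002(adhoc,linker-signed)" + suffix)); // linker default
        System.out.println(isHardened(prefix + "0x10000(runtime)" + suffix));             // hardened
        System.out.println(isHardened("STDOUT: Signature=adhoc\n"));                      // cannot confirm
    }
}
```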