RFR: 8298343: "Could not confirm if TargetJDK is hardened." warning for SA tests on macosx-aarch64-debug
Kevin Walls
kevinw at openjdk.org
Mon Dec 12 10:51:45 UTC 2022
On Fri, 9 Dec 2022 22:16:44 GMT, Chris Plummer <cjplummer at openjdk.org> wrote:
> In the log for most SA tests on macos-aarch64-debug, you will see something like:
>
>
> STDOUT: Executable=/System/Volumes/Data/mesos/work_dir/jib-master/install/2022-12-07-2219530.chris.plummer.jdk/macosx-aarch64-debug.jdk/jdk-20/fastdebug/bin/java
> ...
> STDOUT: CodeDirectory v=20400 size=758 flags=0x2(adhoc) hashes=13+7 location=embedded
> STDOUT: Signature=adhoc
> ...
> Could not confirm if TargetJDK is hardened. Assuming not hardened.
>
>
> The message at the end shouldn't be happening. The problem is in `Platform.isHardenedOSX()`, which is searching for "flags=0x20002(adhoc,linker-signed)", but instead we are seeing "flags=0x2(adhoc)". This is due to [JDK-8293550](https://bugs.openjdk.org/browse/JDK-8293550), which is now explicitly adding adhoc signing. Previously we just allowed the linker to just do the default adhoc signing, which is why you would also see the "linker-signed" flag. Since we explicitly do adhoc signing now, "linker-signed" is missing.
>
> The fix is to just allow either form. Since it is possible to build without the explicit adhoc signing, we still need to support the old form that includes "linker-signed".
>
> There seems to be no adverse affects from this bug, other than seeing the above message, since the conclusion that the JDK is not hardened is the correct one.
Marked as reviewed by kevinw (Committer).
-------------
PR: https://git.openjdk.org/jdk/pull/11619
More information about the serviceability-dev
mailing list