Hello Erik, thank you for your review.

On Mon, Dec 9, 2019 at 5:48 PM Erik Joelsson <erik.joels...@oracle.com> wrote:
>
> Hello René,
>
> Nice to see an OpenJDK solution to this. (Our Oracle solution requires
> too much corp specific customization to really benefit from code sharing
> with a simple codesign based implementation)
>
> On 2019-12-09 08:06, René Schünemann wrote:
> > Here is the webrev:
> > http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/01/
>
> Generally looks good.
>
> NativeCompilation.gmk, line 1132 looks weirdly indented. The line could
> also benefit from being broken up. See [1] for guidance.
>

I agree. I will break it into two lines.

> > On Mon, Dec 9, 2019 at 5:05 PM René Schünemann
> > <rene.schuenem...@gmail.com> wrote:
> >> Hi,
> >>
> >> for the macOS notarization process, all executables and libraries need
> >> to be codesigned with hardened runtime (--options runtime) and secure
> >> timestamp (--timestamp) enabled. Additionally for the OpenJDK certain
> >> entitlements have to be set during codesigning:
> >>
> >> * com.apple.security.cs.allow-jit
> >> * com.apple.security.cs.allow-unsigned-executable-memory
> >> * com.apple.security.cs.disable-executable-page-protection
>
> In our testing, we saw no need for disable-executable-page-protection.
> Did you actually see missing this trigger any problems?

I'm actually not quite sure. We have used this set internally for
notarization. I will go back and do some additional testing with this
specific entitlement removed.

> >> * com.apple.security.cs.allow-dyld-environment-variables
> >> * com.apple.security.cs.debugger
> >>
> >> With this change the macOS codesign tool is being run for all native
> >> executables and libraries.
> >>
> >> Additionally this change introduces a new configure option:
> >> --with-macosx-codesign-identity
> >>
> >> This option allows specifying a codesigning identity stored in the
> >> macOS keychain.
> >> When this option is not set it falls back to "openjdk_codesign".
> >>
> >> Thanks,
> >> Rene
>
> /Erik
>
> [1] http://openjdk.java.net/groups/build/doc/code-conventions.html
>

Rene
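An added example, not part of this thread and not the makefile change under review in the webrev: a small POSIX shell script that writes the entitlements plist for the keys listed above, prints the codesign command line with hardened runtime and secure timestamp enabled (defaulting to the "openjdk_codesign" identity, as the new configure option does), and, where macOS codesign is present, signs a binary and then displays the flags and entitlements that were actually embedded so the result can be checked before submitting for notarization. The function names, the entitlements.plist file name and the script layout are my own assumptions.

```shell
#!/bin/sh
# Added example, not the OpenJDK makefile change: emit the entitlements plist
# named in the thread and drive codesign with hardened runtime + timestamp.
set -eu

# Entitlements listed in the thread. Erik noted his testing did not need
# disable-executable-page-protection; each entitlement widens what a notarized
# binary may do, so keep only those the build actually requires.
OPENJDK_ENTITLEMENTS="com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.debugger"

# write_entitlements <file>: write a plist with every entitlement above set to true
write_entitlements() {
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    for key in $OPENJDK_ENTITLEMENTS; do
      printf '  <key>%s</key>\n  <true/>\n' "$key"
    done
    printf '</dict>\n</plist>\n'
  } > "$1"
}

# count_entitlements <file>: number of com.apple.security.cs.* keys in a plist
count_entitlements() {
  grep -c '<key>com\.apple\.security\.cs\.' "$1" || true
}

# codesign_cmd <identity> <entitlements> <binary>: print the codesign command
# line the build would run; an empty identity falls back to openjdk_codesign,
# mirroring the --with-macosx-codesign-identity default described in the thread.
codesign_cmd() {
  printf "codesign -s '%s' --options runtime --timestamp --entitlements '%s' -f '%s'\n" \
    "${1:-openjdk_codesign}" "$2" "$3"
}

# sign_binary <identity> <entitlements> <binary>: run codesign (macOS only)
sign_binary() {
  codesign -s "${1:-openjdk_codesign}" --options runtime --timestamp \
    --entitlements "$2" -f "$3"
}

# verify_signature <binary>: confirm the signature validates and show the
# flags (expect "runtime" among them) and the entitlements actually embedded
verify_signature() {
  codesign --verify --strict --verbose=2 "$1"
  codesign -d -vv "$1"
  codesign -d --entitlements - "$1"
}

# Usage: sh sign-hardened.sh <identity-or-empty-string> <binary>
if [ -n "${2:-}" ]; then
  write_entitlements entitlements.plist
  codesign_cmd "${1:-}" entitlements.plist "$2"
  if command -v codesign >/dev/null 2>&1; then
    sign_binary "${1:-}" entitlements.plist "$2"
    verify_signature "$2"
  else
    echo "codesign not found (not macOS): command line shown only" >&2
  fi
fi
```

The verification step matters for notarization: if an executable in the image was signed without "--options runtime", or its entitlements differ from the plist, the notary service rejects the upload, so checking the embedded flags and entitlements on a sample of binaries right after the build catches that before submission.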