Thank you Christoph. I have fixed the indentation in NativeCompilation.gmk and removed the "com.apple.security.cs.disable-executable-page-protection" entitlement.
Updated webrev: http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/02/

Rene

On Tue, Dec 10, 2019 at 11:25 AM Langer, Christoph <christoph.lan...@sap.com> wrote:
>
> Hi René,
>
> thanks for doing this.
>
> I agree to Erik's findings, these should be addressed. Other than that, I
> have no further points.
>
> It would be good, if this little enhancement can be pushed before Thursday to
> make it into JDK14 without special approval.
>
> Best regards
> Christoph
>
> > -----Original Message-----
> > From: build-dev <build-dev-boun...@openjdk.java.net> On Behalf Of René
> > Schünemann
> > Sent: Tuesday, 10 December 2019 09:27
> > To: Erik Joelsson <erik.joels...@oracle.com>
> > Cc: build-dev@openjdk.java.net
> > Subject: Re: RFR: JDK-8235585: Enable macOS codesigning for all libraries
> > and executables
> >
> > Hello Erik,
> >
> > thank you for your review.
> >
> > On Mon, Dec 9, 2019 at 5:48 PM Erik Joelsson <erik.joels...@oracle.com>
> > wrote:
> > >
> > > Hello René,
> > >
> > > Nice to see an OpenJDK solution to this. (Our Oracle solution requires
> > > too much corp specific customization to really benefit from code sharing
> > > with a simple codesign based implementation)
> > >
> > > On 2019-12-09 08:06, René Schünemann wrote:
> > > > Here is the webrev:
> > > > http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/01/
> > >
> > > Generally looks good.
> > >
> > > NativeCompilation.gmk, line 1132 looks weirdly indented. The line could
> > > also benefit from being broken up. See [1] for guidance.
> > >
> >
> > I agree. I will break it into two lines.
> >
> > >
> > > > On Mon, Dec 9, 2019 at 5:05 PM René Schünemann
> > > > <rene.schuenem...@gmail.com> wrote:
> > > >> Hi,
> > > >>
> > > >> for the macOS notarization process, all executables and libraries need
> > > >> to be codesigned with hardened runtime (--options runtime) and secure
> > > >> timestamp (--timestamp) enabled. Additionally for the OpenJDK certain
> > > >> entitlements have to be set during codesigning:
> > > >>
> > > >> * com.apple.security.cs.allow-jit
> > > >> * com.apple.security.cs.allow-unsigned-executable-memory
> > > >> * com.apple.security.cs.disable-executable-page-protection
> > >
> > > In our testing, we saw no need for disable-executable-page-protection.
> > > Did you actually see missing this trigger any problems?
> >
> > I'm actually not quite sure. We have used this set internally for
> > notarization.
> > I will go back and do some additional testing with this specific
> > entitlement removed.
> >
> > > >> * com.apple.security.cs.allow-dyld-environment-variables
> > > >> * com.apple.security.cs.debugger
> > > >>
> > > >> With this change the macOS codesign tool is being run for all native
> > > >> executables and libraries.
> > > >>
> > > >> Additionally this change introduces a new configure option:
> > > >> --with-macosx-codesign-identity
> > > >>
> > > >> This option allows to specify a codesigning identity stored in the
> > > >> macOS keychain.
> > > >> When this option is not set it falls back to "openjdk_codesign".
> > > >>
> > > >> Thanks,
> > > >> Rene
> > >
> > > /Erik
> > >
> > > [1] http://openjdk.java.net/groups/build/doc/code-conventions.html
> > >
> >
> > Rene
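The signing step the thread describes (hardened runtime, secure timestamp, the agreed entitlement set, keychain identity falling back to "openjdk_codesign"), as an added example that is not the OpenJDK makefile change under review; the helper names, the temporary plist and the verification commands are my own, and the verify step only works on macOS with the identity in the keychain:

```shell
#!/bin/sh
# Added example, not part of the OpenJDK change under review. Helper names,
# the temp plist path and the default identity handling are assumptions.
set -eu

# Entitlements the thread settles on (disable-executable-page-protection dropped).
ENTITLEMENTS="com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.debugger"

# Print an entitlements plist for codesign --entitlements to stdout.
entitlements_plist() {
  printf '<?xml version="1.0" encoding="UTF-8"?>\n'
  printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
  printf '<plist version="1.0">\n<dict>\n'
  for e in $ENTITLEMENTS; do
    printf '  <key>%s</key>\n  <true/>\n' "$e"
  done
  printf '</dict>\n</plist>\n'
}

# Compose the codesign invocation for one binary: hardened runtime, secure
# timestamp, entitlements file and keychain identity (falling back to
# "openjdk_codesign" like --with-macosx-codesign-identity does).
codesign_cmd() {
  identity=${3:-openjdk_codesign}
  printf 'codesign -f -s %s --options runtime --timestamp --entitlements %s %s' \
    "$identity" "$2" "$1"
}

# Sign one binary and check what was embedded; needs macOS with the identity
# present in the keychain. Paths and identities with spaces are not handled.
sign_and_verify() {
  binary=$1; identity=${2:-openjdk_codesign}
  plist=$(mktemp)
  entitlements_plist > "$plist"
  sh -c "$(codesign_cmd "$binary" "$plist" "$identity")"
  codesign --verify --verbose=2 "$binary"
  # "flags=...(runtime)" in the output shows hardened runtime was applied
  codesign -dvv "$binary" 2>&1 | grep -q 'runtime'
  # Dump the embedded entitlements; the leading colon strips the blob header
  codesign -d --entitlements :- "$binary"
  rm -f "$plist"
}
```

Running sign_and_verify against every native library and launcher in the image is the same check the build would need to pass before submitting the bundle for notarization.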