Looks good.

/Erik

On 2019-12-10 03:44, René Schünemann wrote:
Thank you Christoph.

I have fixed the indentation in NativeCompilation.gmk and removed the
"com.apple.security.cs.disable-executable-page-protection"
entitlement.

Updated webrev:
http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/02/

Rene

On Tue, Dec 10, 2019 at 11:25 AM Langer, Christoph
<christoph.lan...@sap.com> wrote:
Hi René,

thanks for doing this.

I agree with Erik's findings, these should be addressed. Other than that, I have
no further points.

It would be good if this little enhancement can be pushed before Thursday to
make it into JDK14 without special approval.

Best regards
Christoph


-----Original Message-----
From: build-dev <build-dev-boun...@openjdk.java.net> On Behalf Of René
Schünemann
Sent: Tuesday, 10 December 2019 09:27
To: Erik Joelsson <erik.joels...@oracle.com>
Cc: build-dev@openjdk.java.net
Subject: Re: RFR: JDK-8235585: Enable macOS codesigning for all libraries and
executables

Hello Erik,

thank you for your review.

On Mon, Dec 9, 2019 at 5:48 PM Erik Joelsson <erik.joels...@oracle.com>
wrote:
Hello René,

Nice to see an OpenJDK solution to this. (Our Oracle solution requires
too much corp specific customization to really benefit from code sharing
with a simple codesign based implementation)

On 2019-12-09 08:06, René Schünemann wrote:
Here is the webrev:
http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/01/
Generally looks good.

NativeCompilation.gmk, line 1132 looks weirdly indented. The line could
also benefit from being broken up. See [1] for guidance.

I agree. I will break it into two lines.

On Mon, Dec 9, 2019 at 5:05 PM René Schünemann
<rene.schuenem...@gmail.com> wrote:
Hi,

for the macOS notarization process, all executables and libraries need
to be codesigned with hardened runtime (--options runtime) and secure
timestamp (--timestamp) enabled. Additionally for the OpenJDK certain
entitlements have to be set during codesigning:

* com.apple.security.cs.allow-jit
* com.apple.security.cs.allow-unsigned-executable-memory
* com.apple.security.cs.disable-executable-page-protection
In our testing, we saw no need for disable-executable-page-protection.
Did you actually see missing this trigger any problems?
I'm actually not quite sure. We have used this set internally for notarization.
I will go back and do some additional testing with this specific
entitlement removed.

* com.apple.security.cs.allow-dyld-environment-variables
* com.apple.security.cs.debugger

With this change the macOS codesign tool is being run for all native
executables and libraries.

Additionally this change introduces a new configure option:
--with-macosx-codesign-identity

This option allows specifying a codesigning identity stored in the
macOS keychain.
When this option is not set it falls back to "openjdk_codesign".

Thanks,
Rene
/Erik

[1] http://openjdk.java.net/groups/build/doc/code-conventions.html

Rene
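
As an added example (not part of the thread and not code from the OpenJDK build): a Python sketch that audits an entitlements plist against the set left after this review, then builds the codesign invocation described in the original message. Function names, file paths and the sample plists are constructed for illustration.

```python
import plistlib

PFX = "com.apple.security.cs."
# Reviewed set: the list from the thread minus the entitlement René removed.
REVIEWED = {PFX + "allow-jit", PFX + "allow-unsigned-executable-memory",
            PFX + "allow-dyld-environment-variables", PFX + "debugger"}
DEFAULT_IDENTITY = "openjdk_codesign"  # fallback identity named in the thread


def audit_entitlements(plist_bytes, reviewed=REVIEWED):
    """Return enabled entitlements that are outside the reviewed set."""
    data = plistlib.loads(plist_bytes)
    return sorted(k for k, v in data.items() if v is True and k not in reviewed)


def codesign_argv(binary, entitlements_path, identity=None):
    """codesign command line with hardened runtime and secure timestamp."""
    return ["codesign", "-s", identity or DEFAULT_IDENTITY,
            "--timestamp", "--options", "runtime",
            "--entitlements", entitlements_path, binary]


def sign_plan(binaries, plist_bytes, entitlements_path, identity=None):
    """Refuse to plan signing if the plist carries unreviewed entitlements."""
    extra = audit_entitlements(plist_bytes)
    if extra:
        raise ValueError("unreviewed entitlements: " + ", ".join(extra))
    return [codesign_argv(b, entitlements_path, identity) for b in binaries]


# Constructed samples: the five entitlements first proposed plus one key set
# to false (ignored by the audit), and a plist holding only the reviewed set.
SAMPLE = plistlib.dumps({**{k: True for k in REVIEWED},
                         PFX + "disable-executable-page-protection": True,
                         PFX + "disable-library-validation": False})
CLEAN = plistlib.dumps({k: True for k in REVIEWED})

if __name__ == "__main__":
    print(audit_entitlements(SAMPLE))
    # Hypothetical paths; on macOS each argv could be passed to subprocess.run.
    for argv in sign_plan(["bin/java", "lib/libjvm.dylib"], CLEAN, "ent.plist"):
        print(" ".join(argv))
```

Running the audit as a build step keeps an entitlement that weakens the hardened runtime from reappearing in the plist without review.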
