Hi Erik, Christoph,

thank you!

Rene

On Tue, Dec 10, 2019 at 4:27 PM Langer, Christoph
<christoph.lan...@sap.com> wrote:
>
> Hi René,
>
> LGTM, too.
>
> I'll sponsor it for you.
>
> Cheers
> Christoph
>
> > -----Original Message-----
> > From: Erik Joelsson <erik.joels...@oracle.com>
> > Sent: Dienstag, 10. Dezember 2019 15:35
> > To: René Schünemann <rene.schuenem...@gmail.com>; Langer, Christoph
> > <christoph.lan...@sap.com>
> > Cc: build-dev@openjdk.java.net
> > Subject: Re: RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables
> >
> > Looks good.
> >
> > /Erik
> >
> > On 2019-12-10 03:44, René Schünemann wrote:
> > > Thank you Christoph.
> > >
> > > I have fixed the indentation in NativeCompilation.gmk and removed the
> > > "com.apple.security.cs.disable-executable-page-protection"
> > > entitlement.
> > >
> > > Updated webrev:
> > > http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/02/
> > >
> > > Rene
> > >
> > > On Tue, Dec 10, 2019 at 11:25 AM Langer, Christoph
> > > <christoph.lan...@sap.com> wrote:
> > >> Hi René,
> > >>
> > >> thanks for doing this.
> > >>
> > >> I agree with Erik's findings; these should be addressed. Other than that, I
> > >> have no further points.
> > >>
> > >> It would be good if this little enhancement can be pushed before
> > >> Thursday to make it into JDK14 without special approval.
> > >>
> > >> Best regards
> > >> Christoph
> > >>
> > >>
> > >>> -----Original Message-----
> > >>> From: build-dev <build-dev-boun...@openjdk.java.net> On Behalf Of René Schünemann
> > >>> Sent: Dienstag, 10. Dezember 2019 09:27
> > >>> To: Erik Joelsson <erik.joels...@oracle.com>
> > >>> Cc: build-dev@openjdk.java.net
> > >>> Subject: Re: RFR: JDK-8235585: Enable macOS codesigning for all libraries and executables
> > >>>
> > >>> Hello Erik,
> > >>>
> > >>> thank you for your review.
> > >>>
> > >>> On Mon, Dec 9, 2019 at 5:48 PM Erik Joelsson <erik.joels...@oracle.com> wrote:
> > >>>> Hello René,
> > >>>>
> > >>>> Nice to see an OpenJDK solution to this. (Our Oracle solution requires
> > >>>> too much corp-specific customization to really benefit from code sharing
> > >>>> with a simple codesign-based implementation.)
> > >>>>
> > >>>> On 2019-12-09 08:06, René Schünemann wrote:
> > >>>>> Here is the webrev:
> > >>>>> http://cr.openjdk.java.net/~goetz/wr19/rene/8235585-mac_notarization/01/
> > >>>> Generally looks good.
> > >>>>
> > >>>> NativeCompilation.gmk, line 1132 looks weirdly indented. The line could
> > >>>> also benefit from being broken up. See [1] for guidance.
> > >>>>
> > >>> I agree. I will break it into two lines.
> > >>>
> > >>>>> On Mon, Dec 9, 2019 at 5:05 PM René Schünemann
> > >>>>> <rene.schuenem...@gmail.com> wrote:
> > >>>>>> Hi,
> > >>>>>>
> > >>>>>> for the macOS notarization process, all executables and libraries need
> > >>>>>> to be codesigned with hardened runtime (--options runtime) and secure
> > >>>>>> timestamp (--timestamp) enabled. Additionally, for the OpenJDK, certain
> > >>>>>> entitlements have to be set during codesigning:
> > >>>>>>
> > >>>>>> * com.apple.security.cs.allow-jit
> > >>>>>> * com.apple.security.cs.allow-unsigned-executable-memory
> > >>>>>> * com.apple.security.cs.disable-executable-page-protection
> > >>>> In our testing, we saw no need for disable-executable-page-protection.
> > >>>> Did you actually see missing this trigger any problems?
> > >>> I'm actually not quite sure. We have used this set internally for
> > >>> notarization. I will go back and do some additional testing with this
> > >>> specific entitlement removed.
> > >>>
> > >>>>>> * com.apple.security.cs.allow-dyld-environment-variables
> > >>>>>> * com.apple.security.cs.debugger
> > >>>>>>
> > >>>>>> With this change the macOS codesign tool is being run for all native
> > >>>>>> executables and libraries.
> > >>>>>>
> > >>>>>> Additionally this change introduces a new configure option:
> > >>>>>> --with-macosx-codesign-identity
> > >>>>>>
> > >>>>>> This option allows specifying a codesigning identity stored in the
> > >>>>>> macOS keychain.
> > >>>>>> When this option is not set, it falls back to "openjdk_codesign".
> > >>>>>>
> > >>>>>> Thanks,
> > >>>>>> Rene
> > >>>> /Erik
> > >>>>
> > >>>> [1] http://openjdk.java.net/groups/build/doc/code-conventions.html
> > >>>>
> > >>> Rene
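The signing procedure discussed in this thread (hardened runtime, secure timestamp, and the entitlements that remained after disable-executable-page-protection was dropped in webrev 02), as an added example that is not part of the thread and not the OpenJDK build's own code. It is a POSIX shell script that writes the entitlements plist, picks out Mach-O files by magic number, signs each one with codesign, and verifies the result. The identity "openjdk_codesign" is the fallback named in the thread; the script name, the CODESIGN_IDENTITY variable, the image path argument, and the Mach-O detection heuristic are assumptions.

```shell
#!/bin/sh
# Added example, not the OpenJDK build's own code: sign every Mach-O file in a
# JDK image for notarization and verify the result. Assumptions: the image path
# passed as $1, the CODESIGN_IDENTITY variable and the Mach-O detection below.
set -eu

# "openjdk_codesign" is the fallback identity named in the thread.
IDENTITY="${CODESIGN_IDENTITY:-openjdk_codesign}"

# Write the entitlements plist with the four entitlements that remained after
# disable-executable-page-protection was dropped from the webrev.
write_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key>
  <true/>
  <key>com.apple.security.cs.debugger</key>
  <true/>
</dict>
</plist>
EOF
}

# Identify Mach-O files by magic number so only native executables and
# libraries are signed: thin 32/64-bit in either byte order, or a fat binary.
# A fat header starts with CAFEBABE, exactly like a Java class file, so the
# next 32-bit word is checked: it is a small architecture count for a fat
# binary and the class-file version (45 or higher) for a .class file.
is_macho() {
  magic=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n' || true)
  case "$magic" in
    feedface|cefaedfe|feedfacf|cffaedfe) return 0 ;;
    cafebabe) ;;
    *) return 1 ;;
  esac
  word=$(od -An -j4 -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n' || true)
  [ "${#word}" -eq 8 ] || return 1
  [ "$((0x$word))" -lt 32 ]
}

# Render the codesign invocation for one file. --force replaces any signature
# already present, e.g. the ad-hoc one the linker may have applied.
codesign_cmd() {
  printf 'codesign --force --sign "%s" --options runtime --timestamp --entitlements "%s" "%s"\n' "$1" "$2" "$3"
}

# Sign every regular Mach-O file below $2 with entitlements file $1. Symlinks
# are skipped so each binary is signed exactly once.
sign_tree() {
  ents=$1
  find "$2" -type f | while read -r f; do
    if is_macho "$f"; then
      codesign --force --sign "$IDENTITY" --options runtime --timestamp \
        --entitlements "$ents" "$f"
    fi
  done
}

# Strictly verify each signature, then display the signature details (the
# flags line should contain "runtime" and a Timestamp line should be present)
# and the embedded entitlements, so a stray entitlement is easy to spot.
verify_tree() {
  find "$1" -type f | while read -r f; do
    if is_macho "$f"; then
      codesign --verify --strict --verbose=2 "$f"
      codesign --display --verbose=3 "$f"
      codesign --display --entitlements :- "$f"
    fi
  done
}

# Usage (macOS only): sh sign-jdk.sh /path/to/jdk-image
if [ $# -eq 1 ] && command -v codesign >/dev/null 2>&1; then
  ents="${TMPDIR:-/tmp}/jdk-entitlements.$$.plist"
  write_entitlements "$ents"
  sign_tree "$ents" "$1"
  verify_tree "$1"
  rm -f "$ents"
fi
```

Two practical caveats: --timestamp contacts Apple's timestamp service, so the build host needs outbound network access or codesign fails; and the identity must resolve to a Developer ID certificate in the keychain, otherwise the binaries are signed but the notarization service rejects them. The exact text printed by `codesign --display --entitlements :-` varies between macOS releases, but it is the quickest way to confirm that an entitlement such as disable-executable-page-protection is really absent from the shipped binaries.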
