changeset 57398:dcf88e5c8c07

8235585: Enable macOS codesigning for all libraries and executables Reviewed-by: erikj, clanger Contributed-by: rene.schuenemann@gmail.com
author clanger
date Mon, 09 Dec 2019 16:14:16 +0100
parents 2d77b8cd4230
children 1a7175456d29
files make/autoconf/basics.m4 make/autoconf/spec.gmk.in make/common/NativeCompilation.gmk make/data/macosxsigning/entitlements.plist make/launcher/Launcher-jdk.hotspot.agent.gmk make/launcher/Launcher-jdk.jcmd.gmk make/launcher/LauncherCommon.gmk
diffstat 7 files changed, 44 insertions(+), 17 deletions(-) [+]
line wrap: on
line diff
--- a/make/autoconf/basics.m4	Wed Dec 11 12:03:39 2019 +0530
+++ b/make/autoconf/basics.m4	Mon Dec 09 16:14:16 2019 +0100
@@ -1287,12 +1287,23 @@
     BASIC_REQUIRE_PROGS(MIG, mig)
     BASIC_REQUIRE_PROGS(XATTR, xattr)
     BASIC_PATH_PROGS(CODESIGN, codesign)
+
     if test "x$CODESIGN" != "x"; then
-      # Verify that the openjdk_codesign certificate is present
-      AC_MSG_CHECKING([if openjdk_codesign certificate is present])
+      # Check for user provided code signing identity.
+      # If no identity was provided, fall back to "openjdk_codesign".
+      AC_ARG_WITH([macosx-codesign-identity], [AS_HELP_STRING([--with-macosx-codesign-identity],
+        [specify the code signing identity])],
+        [MACOSX_CODESIGN_IDENTITY=$with_macosx_codesign_identity],
+        [MACOSX_CODESIGN_IDENTITY=openjdk_codesign]
+      )
+
+      AC_SUBST(MACOSX_CODESIGN_IDENTITY)
+
+      # Verify that the codesign certificate is present
+      AC_MSG_CHECKING([if codesign certificate is present])
       $RM codesign-testfile
       $TOUCH codesign-testfile
-      $CODESIGN -s openjdk_codesign codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
+      $CODESIGN -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
       $RM codesign-testfile
       if test "x$CODESIGN" = x; then
         AC_MSG_RESULT([no])
--- a/make/autoconf/spec.gmk.in	Wed Dec 11 12:03:39 2019 +0530
+++ b/make/autoconf/spec.gmk.in	Mon Dec 09 16:14:16 2019 +0100
@@ -415,6 +415,9 @@
 # The highest allowed version of macosx
 MACOSX_VERSION_MAX=@MACOSX_VERSION_MAX@
 
+# The macosx code signing identity to use
+MACOSX_CODESIGN_IDENTITY=@MACOSX_CODESIGN_IDENTITY@
+
 # Toolchain type: gcc, clang, solstudio, lxc, microsoft...
 TOOLCHAIN_TYPE:=@TOOLCHAIN_TYPE@
 TOOLCHAIN_VERSION := @TOOLCHAIN_VERSION@
--- a/make/common/NativeCompilation.gmk	Wed Dec 11 12:03:39 2019 +0530
+++ b/make/common/NativeCompilation.gmk	Mon Dec 09 16:14:16 2019 +0100
@@ -1048,7 +1048,7 @@
 
     $1_VARDEPS := $$($1_LD) $$($1_SYSROOT_LDFLAGS) $$($1_LDFLAGS) $$($1_EXTRA_LDFLAGS) \
         $$(GLOBAL_LIBS) $$($1_LIBS) $$($1_EXTRA_LIBS) $$($1_MT) \
-        $$($1_CODESIGN) $$($1_CREATE_DEBUGINFO_CMDS) $$($1_MANIFEST_VERSION) \
+        $$($1_CREATE_DEBUGINFO_CMDS) $$($1_MANIFEST_VERSION) \
         $$($1_STRIP_CMD)
     $1_VARDEPS_FILE := $$(call DependOnVariable, $1_VARDEPS, \
         $$($1_OBJECT_DIR)/$$($1_NOSUFFIX).vardeps)
@@ -1129,9 +1129,8 @@
                 # This only works if the openjdk_codesign identity is present on the system. Let
                 # silently fail otherwise.
                 ifneq ($(CODESIGN), )
-                  ifneq ($$($1_CODESIGN), )
-		    $(CODESIGN) -s openjdk_codesign $$@
-                  endif
+		  $(CODESIGN) -s "$(MACOSX_CODESIGN_IDENTITY)" --timestamp --options runtime \
+		  --entitlements $(TOPDIR)/make/data/macosxsigning/entitlements.plist $$@
                 endif
   endif
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/make/data/macosxsigning/entitlements.plist	Mon Dec 09 16:14:16 2019 +0100
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+</dict>
+</plist>
--- a/make/launcher/Launcher-jdk.hotspot.agent.gmk	Wed Dec 11 12:03:39 2019 +0530
+++ b/make/launcher/Launcher-jdk.hotspot.agent.gmk	Mon Dec 09 16:14:16 2019 +0100
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -27,5 +27,5 @@
 
 $(eval $(call SetupBuildLauncher, jhsdb, \
     MAIN_CLASS := sun.jvm.hotspot.SALauncher, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))
--- a/make/launcher/Launcher-jdk.jcmd.gmk	Wed Dec 11 12:03:39 2019 +0530
+++ b/make/launcher/Launcher-jdk.jcmd.gmk	Mon Dec 09 16:14:16 2019 +0100
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2011, 2018, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -30,7 +30,7 @@
     JAVA_ARGS := \
         -Dsun.jvm.hotspot.debugger.useProcDebugger \
         -Dsun.jvm.hotspot.debugger.useWindbgDebugger, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))
 
 $(eval $(call SetupBuildLauncher, jmap, \
@@ -38,7 +38,7 @@
     JAVA_ARGS := \
         -Dsun.jvm.hotspot.debugger.useProcDebugger \
         -Dsun.jvm.hotspot.debugger.useWindbgDebugger, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))
 
 $(eval $(call SetupBuildLauncher, jps, \
@@ -50,7 +50,7 @@
     JAVA_ARGS := \
         -Dsun.jvm.hotspot.debugger.useProcDebugger \
         -Dsun.jvm.hotspot.debugger.useWindbgDebugger, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))
 
 $(eval $(call SetupBuildLauncher, jstat, \
--- a/make/launcher/LauncherCommon.gmk	Wed Dec 11 12:03:39 2019 +0530
+++ b/make/launcher/LauncherCommon.gmk	Mon Dec 09 16:14:16 2019 +0100
@@ -74,7 +74,7 @@
 # CFLAGS   Additional CFLAGS
 # CFLAGS_windows   Additional CFLAGS_windows
 # EXTRA_RC_FLAGS   Additional EXTRA_RC_FLAGS
-# MACOSX_SIGNED   On macosx, sign this binary
+# MACOSX_PRIVILEGED   On macosx, allow to access other processes
 # OPTIMIZATION   Override default optimization level (LOW)
 # OUTPUT_DIR   Override default output directory
 # VERSION_INFO_RESOURCE   Override default Windows resource file
@@ -104,9 +104,8 @@
   $1_CFLAGS += -DJAVA_ARGS=$$($1_JAVA_ARGS_STR)
 
   ifeq ($(call isTargetOs, macosx), true)
-    ifeq ($$($1_MACOSX_SIGNED), true)
+    ifeq ($$($1_MACOSX_PRIVILEGED), true)
       $1_PLIST_FILE := Info-privileged.plist
-        $1_CODESIGN := true
     else
       $1_PLIST_FILE := Info-cmdline.plist
     endif
@@ -171,7 +170,6 @@
       EXTRA_RC_FLAGS := $$($1_EXTRA_RC_FLAGS), \
       MANIFEST := $(JAVA_MANIFEST), \
       MANIFEST_VERSION := $(VERSION_NUMBER_FOUR_POSITIONS), \
-      CODESIGN := $$($1_CODESIGN), \
   ))
 
   $1 += $$(BUILD_LAUNCHER_$1)