8235585: Enable macOS codesigning for all libraries and executables

Reviewed-by: erikj, clanger Contributed-by: rene.schuenemann@gmail.com
AdoptOpenJDK · Dec 9, 2019 · b3250ad · b3250ad
1 parent 80677ed
commit b3250ad
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 17 deletions.
diff --git a/make/autoconf/basics.m4 b/make/autoconf/basics.m4
@@ -1212,12 +1212,23 @@ AC_DEFUN_ONCE([BASIC_SETUP_COMPLEX_TOOLS],
     BASIC_REQUIRE_PROGS(MIG, mig)
     BASIC_REQUIRE_PROGS(XATTR, xattr)
     BASIC_PATH_PROGS(CODESIGN, codesign)
+
     if test "x$CODESIGN" != "x"; then
-      # Verify that the openjdk_codesign certificate is present
-      AC_MSG_CHECKING([if openjdk_codesign certificate is present])
+      # Check for user provided code signing identity.
+      # If no identity was provided, fall back to "openjdk_codesign".
+      AC_ARG_WITH([macosx-codesign-identity], [AS_HELP_STRING([--with-macosx-codesign-identity],
+        [specify the code signing identity])],
+        [MACOSX_CODESIGN_IDENTITY=$with_macosx_codesign_identity],
+        [MACOSX_CODESIGN_IDENTITY=openjdk_codesign]
+      )
+
+      AC_SUBST(MACOSX_CODESIGN_IDENTITY)
+
+      # Verify that the codesign certificate is present
+      AC_MSG_CHECKING([if codesign certificate is present])
       $RM codesign-testfile
       $TOUCH codesign-testfile
-      $CODESIGN -s openjdk_codesign codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
+      $CODESIGN -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
       $RM codesign-testfile
       if test "x$CODESIGN" = x; then
         AC_MSG_RESULT([no])

diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
@@ -387,6 +387,9 @@ MACOSX_VERSION_MIN=@MACOSX_VERSION_MIN@
 # The highest allowed version of macosx
 MACOSX_VERSION_MAX=@MACOSX_VERSION_MAX@
 
+# The macosx code signing identity to use
+MACOSX_CODESIGN_IDENTITY=@MACOSX_CODESIGN_IDENTITY@
+
 # Toolchain type: gcc, clang, solstudio, lxc, microsoft...
 TOOLCHAIN_TYPE:=@TOOLCHAIN_TYPE@
 TOOLCHAIN_VERSION := @TOOLCHAIN_VERSION@

diff --git a/make/common/NativeCompilation.gmk b/make/common/NativeCompilation.gmk
@@ -936,7 +936,7 @@ define SetupNativeCompilationBody
 
     $1_VARDEPS := $$($1_LD) $$($1_SYSROOT_LDFLAGS) $$($1_LDFLAGS) $$($1_EXTRA_LDFLAGS) \
         $$(GLOBAL_LIBS) $$($1_LIBS) $$($1_EXTRA_LIBS) $$($1_MT) \
-        $$($1_CODESIGN) $$($1_CREATE_DEBUGINFO_CMDS) $$($1_MANIFEST_VERSION) \
+        $$($1_CREATE_DEBUGINFO_CMDS) $$($1_MANIFEST_VERSION) \
         $$($1_STRIP_CMD)
     $1_VARDEPS_FILE := $$(call DependOnVariable, $1_VARDEPS, \
         $$($1_OBJECT_DIR)/$$($1_NOSUFFIX).vardeps)
@@ -1015,9 +1015,8 @@ define SetupNativeCompilationBody
                 # This only works if the openjdk_codesign identity is present on the system. Let
                 # silently fail otherwise.
                 ifneq ($(CODESIGN), )
-                  ifneq ($$($1_CODESIGN), )
-		    $(CODESIGN) -s openjdk_codesign $$@
-                  endif
+		  $(CODESIGN) -s "$(MACOSX_CODESIGN_IDENTITY)" --timestamp --options runtime \
+		  --entitlements $(TOPDIR)/make/data/macosxsigning/entitlements.plist $$@
                 endif
   endif
 endef

diff --git a/make/data/macosxsigning/entitlements.plist b/make/data/macosxsigning/entitlements.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+</dict>
+</plist>
diff --git a/make/launcher/Launcher-jdk.hotspot.agent.gmk b/make/launcher/Launcher-jdk.hotspot.agent.gmk
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -27,5 +27,5 @@ include LauncherCommon.gmk
 
 $(eval $(call SetupBuildLauncher, jhsdb, \
     MAIN_CLASS := sun.jvm.hotspot.SALauncher, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))
diff --git a/make/launcher/Launcher-jdk.jcmd.gmk b/make/launcher/Launcher-jdk.jcmd.gmk
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2011, 2018, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -30,15 +30,15 @@ $(eval $(call SetupBuildLauncher, jinfo, \
     JAVA_ARGS := \
         -Dsun.jvm.hotspot.debugger.useProcDebugger \
         -Dsun.jvm.hotspot.debugger.useWindbgDebugger, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))
 
 $(eval $(call SetupBuildLauncher, jmap, \
     MAIN_CLASS := sun.tools.jmap.JMap, \
     JAVA_ARGS := \
         -Dsun.jvm.hotspot.debugger.useProcDebugger \
         -Dsun.jvm.hotspot.debugger.useWindbgDebugger, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))
 
 $(eval $(call SetupBuildLauncher, jps, \
@@ -50,7 +50,7 @@ $(eval $(call SetupBuildLauncher, jstack, \
     JAVA_ARGS := \
         -Dsun.jvm.hotspot.debugger.useProcDebugger \
         -Dsun.jvm.hotspot.debugger.useWindbgDebugger, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))
 
 $(eval $(call SetupBuildLauncher, jstat, \

diff --git a/make/launcher/LauncherCommon.gmk b/make/launcher/LauncherCommon.gmk
@@ -86,7 +86,7 @@ JAVA_MANIFEST := $(TOPDIR)/src/java.base/windows/native/launcher/java.manifest
 # LIBS_windows   Additional LIBS_windows
 # LDFLAGS_solaris Additional LDFLAGS_solaris
 # RC_FLAGS   Additional RC_FLAGS
-# MACOSX_SIGNED   On macosx, sign this binary
+# MACOSX_PRIVILEGED   On macosx, allow to access other processes
 # OPTIMIZATION   Override default optimization level (LOW)
 # OUTPUT_DIR   Override default output directory
 # VERSION_INFO_RESOURCE   Override default Windows resource file
@@ -117,9 +117,8 @@ define SetupBuildLauncherBody
 
   $1_LIBS :=
   ifeq ($(OPENJDK_TARGET_OS), macosx)
-    ifeq ($$($1_MACOSX_SIGNED), true)
+    ifeq ($$($1_MACOSX_PRIVILEGED), true)
       $1_PLIST_FILE := Info-privileged.plist
-        $1_CODESIGN := true
     else
       $1_PLIST_FILE := Info-cmdline.plist
     endif
@@ -190,7 +189,6 @@ define SetupBuildLauncherBody
       EXTRA_RC_FLAGS := $$($1_EXTRA_RC_FLAGS), \
       MANIFEST := $(JAVA_MANIFEST), \
       MANIFEST_VERSION := $(VERSION_NUMBER_FOUR_POSITIONS), \
-      CODESIGN := $$($1_CODESIGN), \
   ))
 
   $1 += $$(BUILD_LAUNCHER_$1)