8293550: Optionally add get-task-allow entitlement to macos binaries

Backport-of: f42caefe2e7658bfb5ab8ef938b134bdb6746ff1

Author: Ben Taylor

doc/building.html

@@ -70,6 +70,9 @@ <h1 class="title">Building the JDK</h1>
 <li><a href="#make-control-variables">Make Control Variables</a></li>
 </ul></li>
 <li><a href="#running-tests">Running Tests</a></li>
+<li><a href="#signing">Signing</a><ul>
+<li><a href="#macos-1">macOS</a></li>
+</ul></li>
 <li><a href="#cross-compiling">Cross-compiling</a><ul>
 <li><a href="#cross-compiling-the-easy-way-with-openjdk-devkits">Cross compiling the easy way with OpenJDK devkits</a></li>
 <li><a href="#boot-jdk-and-build-jdk">Boot JDK and Build JDK</a></li>
@@ -515,6 +518,12 @@ <h2 id="running-tests">Running Tests</h2>
 <p>To execute the most basic tests (tier 1), use:</p>
 <pre><code>make run-test-tier1</code></pre>
 <p>For more details on how to run tests, please see <strong>Testing the JDK</strong> (<a href="testing.html">html</a>, <a href="testing.md">markdown</a>).</p>
+<h2 id="signing">Signing</h2>
+<h3 id="macos-1">macOS</h3>
+<p>Modern versions of macOS require applications to be signed and notarizied before distribution. See Apple's documentation for more background on what this means and how it works. To help support this, the JDK build can be configured to automatically sign all native binaries, and the JDK bundle, with all the options needed for successful notarization, as well as all the entitlements required by the JDK. To enable <code>hardened</code> signing, use configure parameter <code>--with-macosx-codesign=hardened</code> and configure the signing identity you wish to use with <code>--with-macosx-codesign-identity=&lt;identity&gt;</code>. The identity refers to a signing identity from Apple that needs to be preinstalled on the build host.</p>
+<p>When not signing for distribution with the hardened option, the JDK build will still attempt to perform <code>adhoc</code> signing to add the special entitlement <code>com.apple.security.get-task-allow</code> to each binary. This entitlement is required to be able to dump core files from a process. Note that adding this entitlement makes the build invalid for notarization, so it is only added when signing in <code>debug</code> mode. To explicitly enable this kind of adhoc signing, use configure parameter <code>--with-macosx-codesign=debug</code>. It will be enabled by default in most cases.</p>
+<p>It's also possible to completely disable any explicit codesign operations done by the JDK build using the configure parameter <code>--without-macosx-codesign</code>. The exact behavior then depends on the architecture. For macOS on x64, it (at least at the time of this writing) results in completely unsigned binaries that should still work fine for development and debugging purposes. On aarch64, the Xcode linker will apply a default &quot;adhoc&quot; signing, without any entitlements. Such a build does not allow dumping core files.</p>
+<p>The default mode &quot;auto&quot; will try for <code>hardened</code> signing if the debug level is <code>release</code> and either the default identity or the specified identity is valid. If hardened isn't possible, then <code>debug</code> signing is chosen if it works. If nothing works, the codesign build step is disabled.</p>
 <h2 id="cross-compiling">Cross-compiling</h2>
 <p>Cross-compiling means using one platform (the <em>build</em> platform) to generate output that can ran on another platform (the <em>target</em> platform).</p>
 <p>The typical reason for cross-compiling is that the build is performed on a more powerful desktop computer, but the resulting binaries will be able to run on a different, typically low-performing system. Most of the complications that arise when building for embedded is due to this separation of <em>build</em> and <em>target</em> systems.</p>

doc/building.md

@@ -868,6 +868,42 @@ make run-test-tier1
 For more details on how to run tests, please see **Testing the JDK**
 ([html](testing.html), [markdown](testing.md)).
 
+## Signing
+
+### macOS
+
+Modern versions of macOS require applications to be signed and notarizied before
+distribution. See Apple's documentation for more background on what this means
+and how it works. To help support this, the JDK build can be configured to
+automatically sign all native binaries, and the JDK bundle, with all the options
+needed for successful notarization, as well as all the entitlements required by
+the JDK. To enable `hardened` signing, use configure parameter
+`--with-macosx-codesign=hardened` and configure the signing identity you wish to
+use with `--with-macosx-codesign-identity=<identity>`. The identity refers to a
+signing identity from Apple that needs to be preinstalled on the build host.
+
+When not signing for distribution with the hardened option, the JDK build will
+still attempt to perform `adhoc` signing to add the special entitlement
+`com.apple.security.get-task-allow` to each binary. This entitlement is required
+to be able to dump core files from a process. Note that adding this entitlement
+makes the build invalid for notarization, so it is only added when signing in
+`debug` mode. To explicitly enable this kind of adhoc signing, use configure
+parameter `--with-macosx-codesign=debug`. It will be enabled by default in most
+cases.
+
+It's also possible to completely disable any explicit codesign operations done
+by the JDK build using the configure parameter `--without-macosx-codesign`.
+The exact behavior then depends on the architecture. For macOS on x64, it (at
+least at the time of this writing) results in completely unsigned binaries that
+should still work fine for development and debugging purposes. On aarch64, the
+Xcode linker will apply a default "adhoc" signing, without any entitlements.
+Such a build does not allow dumping core files.
+
+The default mode "auto" will try for `hardened` signing if the debug level is
+`release` and either the default identity or the specified identity is valid.
+If hardened isn't possible, then `debug` signing is chosen if it works. If
+nothing works, the codesign build step is disabled.
+
 ## Cross-compiling
 
 Cross-compiling means using one platform (the *build* platform) to generate

make/Bundles.gmk

@@ -278,16 +278,7 @@ ifneq ($(filter product-bundles% legacy-bundles, $(MAKECMDGOALS)), )
       $(SYMBOLS_EXCLUDE_PATTERN), \
       $(ALL_JRE_FILES))
 
-  # On Macosx release builds, when there is a code signing certificate available,
-  # the final bundle layout can be signed.
-  SIGN_BUNDLE := false
-  ifeq ($(call isTargetOs, macosx)+$(DEBUG_LEVEL), true+release)
-    ifneq ($(CODESIGN), )
-      SIGN_BUNDLE := true
-    endif
-  endif
-
-  ifeq ($(SIGN_BUNDLE), true)
+  ifeq ($(MACOSX_CODESIGN_MODE), hardened)
     # Macosx release build and code signing available.
 
     ################################################################################

make/autoconf/basic_tools.m4

@@ -376,41 +376,6 @@ AC_DEFUN_ONCE([BASIC_SETUP_COMPLEX_TOOLS],
     UTIL_REQUIRE_PROGS(MIG, mig)
     UTIL_REQUIRE_PROGS(XATTR, xattr)
     UTIL_LOOKUP_PROGS(CODESIGN, codesign)
-
-    # Check for user provided code signing identity.
-    UTIL_ARG_WITH(NAME: macosx-codesign-identity, TYPE: string,
-        DEFAULT: openjdk_codesign, CHECK_VALUE: UTIL_CHECK_STRING_NON_EMPTY,
-        DESC: [specify the macosx code signing identity],
-        CHECKING_MSG: [for macosx code signing identity]
-    )
-    AC_SUBST(MACOSX_CODESIGN_IDENTITY)
-
-    if test "x$CODESIGN" != "x"; then
-      # Verify that the codesign certificate is present
-      AC_MSG_CHECKING([if codesign certificate is present])
-      $RM codesign-testfile
-      $TOUCH codesign-testfile
-      $CODESIGN -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile 2>&AS_MESSAGE_LOG_FD \
-          >&AS_MESSAGE_LOG_FD || CODESIGN=
-      $RM codesign-testfile
-      if test "x$CODESIGN" = x; then
-        AC_MSG_RESULT([no])
-      else
-        AC_MSG_RESULT([yes])
-        # Verify that the codesign has --option runtime
-        AC_MSG_CHECKING([if codesign has --option runtime])
-        $RM codesign-testfile
-        $TOUCH codesign-testfile
-        $CODESIGN --option runtime -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile \
-            2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
-        $RM codesign-testfile
-        if test "x$CODESIGN" = x; then
-          AC_MSG_ERROR([codesign does not have --option runtime. macOS 10.13.6 and above is required.])
-        else
-          AC_MSG_RESULT([yes])
-        fi
-      fi
-    fi
     UTIL_REQUIRE_PROGS(SETFILE, SetFile)
   fi
   if ! test "x$OPENJDK_TARGET_OS" = "xwindows"; then

make/autoconf/configure.ac

@@ -249,6 +249,7 @@ JDKOPT_EXCLUDE_TRANSLATIONS
 JDKOPT_ENABLE_DISABLE_MANPAGES
 JDKOPT_ENABLE_DISABLE_CDS_ARCHIVE
 JDKOPT_ENABLE_DISABLE_COMPATIBLE_CDS_ALIGNMENT
+JDKOPT_SETUP_MACOSX_SIGNING
 
 ###############################################################################
 #

make/autoconf/jdk-options.m4

@@ -727,3 +727,105 @@ AC_DEFUN_ONCE([JDKOPT_SETUP_REPRODUCIBLE_BUILD],
   AC_SUBST(SOURCE_DATE)
   AC_SUBST(ENABLE_REPRODUCIBLE_BUILD)
 ])
+
+################################################################################
+#
+# Setup signing on macOS. This can either be setup to sign with a real identity
+# and enabling the hardened runtime, or it can simply add the debug entitlement
+# com.apple.security.get-task-allow without actually signing any binaries. The
+# latter is needed to be able to debug processes and dump core files on modern
+# versions of macOS. It can also be skipped completely.
+#
+# Check if codesign will run with the given parameters
+# $1: Parameters to run with
+# $2: Checking message
+# Sets CODESIGN_SUCCESS=true/false
+AC_DEFUN([JDKOPT_CHECK_CODESIGN_PARAMS],
+[
+  PARAMS="$1"
+  MESSAGE="$2"
+  CODESIGN_TESTFILE="$CONFIGURESUPPORT_OUTPUTDIR/codesign-testfile"
+  $RM "$CODESIGN_TESTFILE"
+  $TOUCH "$CODESIGN_TESTFILE"
+  CODESIGN_SUCCESS=false
+  $CODESIGN $PARAMS "$CODESIGN_TESTFILE" 2>&AS_MESSAGE_LOG_FD \
+      >&AS_MESSAGE_LOG_FD && CODESIGN_SUCCESS=true
+  $RM "$CODESIGN_TESTFILE"
+  AC_MSG_CHECKING([$MESSAGE])
+  if test "x$CODESIGN_SUCCESS" = "xtrue"; then
+    AC_MSG_RESULT([yes])
+  else
+    AC_MSG_RESULT([no])
+  fi
+])
+
+AC_DEFUN([JDKOPT_CHECK_CODESIGN_HARDENED],
+[
+  JDKOPT_CHECK_CODESIGN_PARAMS([-s "$MACOSX_CODESIGN_IDENTITY" --option runtime],
+      [if codesign with hardened runtime is possible])
+])
+
+AC_DEFUN([JDKOPT_CHECK_CODESIGN_DEBUG],
+[
+  JDKOPT_CHECK_CODESIGN_PARAMS([-s -], [if debug mode codesign is possible])
+])
+
+AC_DEFUN([JDKOPT_SETUP_MACOSX_SIGNING],
+[
+  ENABLE_CODESIGN=false
+  if test "x$OPENJDK_TARGET_OS" = "xmacosx" && test "x$CODESIGN" != "x"; then
+
+    UTIL_ARG_WITH(NAME: macosx-codesign, TYPE: literal, OPTIONAL: true,
+        VALID_VALUES: [hardened debug auto], DEFAULT: auto,
+        ENABLED_DEFAULT: true,
+        CHECKING_MSG: [for macosx code signing mode],
+        DESC: [set the macosx code signing mode (hardened, debug, auto)]
+    )
+
+    MACOSX_CODESIGN_MODE=disabled
+    if test "x$MACOSX_CODESIGN_ENABLED" = "xtrue"; then
+
+      # Check for user provided code signing identity.
+      UTIL_ARG_WITH(NAME: macosx-codesign-identity, TYPE: string,
+          DEFAULT: openjdk_codesign, CHECK_VALUE: UTIL_CHECK_STRING_NON_EMPTY,
+          DESC: [specify the macosx code signing identity],
+          CHECKING_MSG: [for macosx code signing identity]
+      )
+      AC_SUBST(MACOSX_CODESIGN_IDENTITY)
+
+      if test "x$MACOSX_CODESIGN" = "xauto"; then
+        # Only try to default to hardened signing on release builds
+        if test "x$DEBUG_LEVEL" = "xrelease"; then
+          JDKOPT_CHECK_CODESIGN_HARDENED
+          if test "x$CODESIGN_SUCCESS" = "xtrue"; then
+            MACOSX_CODESIGN_MODE=hardened
+          fi
+        fi
+        if test "x$MACOSX_CODESIGN_MODE" = "xdisabled"; then
+          JDKOPT_CHECK_CODESIGN_DEBUG
+          if test "x$CODESIGN_SUCCESS" = "xtrue"; then
+            MACOSX_CODESIGN_MODE=debug
+          fi
+        fi
+        AC_MSG_CHECKING([for macosx code signing mode])
+        AC_MSG_RESULT([$MACOSX_CODESIGN_MODE])
+      elif test "x$MACOSX_CODESIGN" = "xhardened"; then
+        JDKOPT_CHECK_CODESIGN_HARDENED
+        if test "x$CODESIGN_SUCCESS" = "xfalse"; then
+          AC_MSG_ERROR([Signing with hardened runtime is not possible])
+        fi
+        MACOSX_CODESIGN_MODE=hardened
+      elif test "x$MACOSX_CODESIGN" = "xdebug"; then
+        JDKOPT_CHECK_CODESIGN_DEBUG
+        if test "x$CODESIGN_SUCCESS" = "xfalse"; then
+          AC_MSG_ERROR([Signing in debug mode is not possible])
+        fi
+        MACOSX_CODESIGN_MODE=debug
+      else
+        AC_MSG_ERROR([unknown value for --with-macosx-codesign: $MACOSX_CODESIGN])
+      fi
+    fi
+    AC_SUBST(MACOSX_CODESIGN_IDENTITY)
+    AC_SUBST(MACOSX_CODESIGN_MODE)
+  fi
+])

make/autoconf/spec.gmk.in

@@ -443,7 +443,8 @@ MACOSX_VERSION_MIN=@MACOSX_VERSION_MIN@
 # The highest allowed version of macosx
 MACOSX_VERSION_MAX=@MACOSX_VERSION_MAX@
 
-# The macosx code signing identity to use
+# The macosx code signing configuration
+MACOSX_CODESIGN_MODE:=@MACOSX_CODESIGN_MODE@
 MACOSX_CODESIGN_IDENTITY=@MACOSX_CODESIGN_IDENTITY@
 
 # Toolchain type: gcc, clang, xlc, microsoft...

make/common/NativeCompilation.gmk

@@ -267,10 +267,15 @@ endif
 # specialized file is found, returns the default file.
 # $1 Executable to find entitlements file for.
 ENTITLEMENTS_DIR := $(TOPDIR)/make/data/macosxsigning
-DEFAULT_ENTITLEMENTS_FILE := $(ENTITLEMENTS_DIR)/default.plist
+ifeq ($(MACOSX_CODESIGN_MODE), debug)
+  CODESIGN_PLIST_SUFFIX := -debug
+else
+  CODESIGN_PLIST_SUFFIX :=
+endif
+DEFAULT_ENTITLEMENTS_FILE := $(ENTITLEMENTS_DIR)/default$(CODESIGN_PLIST_SUFFIX).plist
 
 GetEntitlementsFile = \
-    $(foreach f, $(ENTITLEMENTS_DIR)/$(strip $(notdir $1)).plist, \
+    $(foreach f, $(ENTITLEMENTS_DIR)/$(strip $(notdir $1))$(CODESIGN_PLIST_SUFFIX).plist, \
       $(if $(wildcard $f), $f, $(DEFAULT_ENTITLEMENTS_FILE)) \
     )
 
@@ -1206,11 +1211,12 @@ define SetupNativeCompilationBody
 		    $$($1_MT) -nologo -manifest $$($1_MANIFEST) -identity:"$$($1_NAME).exe, version=$$($1_MANIFEST_VERSION)" -outputresource:$$@;#1
                   endif
                 endif
-                # This only works if the openjdk_codesign identity is present on the system. Let
-                # silently fail otherwise.
-                ifneq ($(CODESIGN), )
+                # On macosx, optionally run codesign on every binary
+                ifeq ($(MACOSX_CODESIGN_MODE), hardened)
 		  $(CODESIGN) -f -s "$(MACOSX_CODESIGN_IDENTITY)" --timestamp --options runtime \
 		      --entitlements $$(call GetEntitlementsFile, $$@) $$@
+                else ifeq ($(MACOSX_CODESIGN_MODE), debug)
+		  $(CODESIGN) -f -s - --entitlements $$(call GetEntitlementsFile, $$@) $$@
                 endif
   endif
 

make/data/macosxsigning/default-debug.plist

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+    <key>com.apple.security.get-task-allow</key>
+    <true/>
+</dict>
+</plist>

make/data/macosxsigning/java-debug.plist

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+    <key>com.apple.security.get-task-allow</key>
+    <true/>
+</dict>
+</plist>