diff --git a/doc/building.html b/doc/building.html
index f76d26d62e4..5a775131812 100644
--- a/doc/building.html
+++ b/doc/building.html
@@ -70,6 +70,9 @@
Cross-compilingmake run-test-tier1
For more details on how to run tests, please see Testing the JDK (html, markdown).
+Signing
+macOS
+Modern versions of macOS require applications to be signed and notarizied before distribution. See Apple's documentation for more background on what this means and how it works. To help support this, the JDK build can be configured to automatically sign all native binaries, and the JDK bundle, with all the options needed for successful notarization, as well as all the entitlements required by the JDK. To enable hardened
signing, use configure parameter --with-macosx-codesign=hardened
and configure the signing identity you wish to use with --with-macosx-codesign-identity=<identity>
. The identity refers to a signing identity from Apple that needs to be preinstalled on the build host.
+When not signing for distribution with the hardened option, the JDK build will still attempt to perform adhoc
signing to add the special entitlement com.apple.security.get-task-allow
to each binary. This entitlement is required to be able to dump core files from a process. Note that adding this entitlement makes the build invalid for notarization, so it is only added when signing in debug
mode. To explicitly enable this kind of adhoc signing, use configure parameter --with-macosx-codesign=debug
. It will be enabled by default in most cases.
+It's also possible to completely disable any explicit codesign operations done by the JDK build using the configure parameter --without-macosx-codesign
. The exact behavior then depends on the architecture. For macOS on x64, it (at least at the time of this writing) results in completely unsigned binaries that should still work fine for development and debugging purposes. On aarch64, the Xcode linker will apply a default "adhoc" signing, without any entitlements. Such a build does not allow dumping core files.
+The default mode "auto" will try for hardened
signing if the debug level is release
and either the default identity or the specified identity is valid. If hardened isn't possible, then debug
signing is chosen if it works. If nothing works, the codesign build step is disabled.
Cross-compiling
Cross-compiling means using one platform (the build platform) to generate output that can ran on another platform (the target platform).
The typical reason for cross-compiling is that the build is performed on a more powerful desktop computer, but the resulting binaries will be able to run on a different, typically low-performing system. Most of the complications that arise when building for embedded is due to this separation of build and target systems.
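Review bot: "notarizied" in the first sentence of the new macOS paragraph is a typo for "notarized".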
diff --git a/doc/building.md b/doc/building.md
index c27138fd539..defeb791a1a 100644
--- a/doc/building.md
+++ b/doc/building.md
@@ -877,6 +877,42 @@ make run-test-tier1
For more details on how to run tests, please see **Testing the JDK**
([html](testing.html), [markdown](testing.md)).
+## Signing
+
+### macOS
+
+Modern versions of macOS require applications to be signed and notarizied before
+distribution. See Apple's documentation for more background on what this means
+and how it works. To help support this, the JDK build can be configured to
+automatically sign all native binaries, and the JDK bundle, with all the options
+needed for successful notarization, as well as all the entitlements required by
+the JDK. To enable `hardened` signing, use configure parameter
+`--with-macosx-codesign=hardened` and configure the signing identity you wish to
+use with `--with-macosx-codesign-identity=`. The identity refers to a
+signing identity from Apple that needs to be preinstalled on the build host.
+
+When not signing for distribution with the hardened option, the JDK build will
+still attempt to perform `adhoc` signing to add the special entitlement
+`com.apple.security.get-task-allow` to each binary. This entitlement is required
+to be able to dump core files from a process. Note that adding this entitlement
+makes the build invalid for notarization, so it is only added when signing in
+`debug` mode. To explicitly enable this kind of adhoc signing, use configure
+parameter `--with-macosx-codesign=debug`. It will be enabled by default in most
+cases.
+
+It's also possible to completely disable any explicit codesign operations done
+by the JDK build using the configure parameter `--without-macosx-codesign`.
+The exact behavior then depends on the architecture. For macOS on x64, it (at
+least at the time of this writing) results in completely unsigned binaries that
+should still work fine for development and debugging purposes. On aarch64, the
+Xcode linker will apply a default "adhoc" signing, without any entitlements.
+Such a build does not allow dumping core files.
+
+The default mode "auto" will try for `hardened` signing if the debug level is
+`release` and either the default identity or the specified identity is valid.
+If hardened isn't possible, then `debug` signing is chosen if it works. If
+nothing works, the codesign build step is disabled.
+
## Cross-compiling
Cross-compiling means using one platform (the *build* platform) to generate
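Review bot: the option in the first paragraph reads `--with-macosx-codesign-identity=` with nothing after the equals sign, while the HTML copy shows `--with-macosx-codesign-identity=<identity>`. The placeholder should appear here too, escaped so that it is not swallowed as markup. "notarizied" in the opening sentence should be "notarized", as in the HTML copy.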
diff --git a/make/Bundles.gmk b/make/Bundles.gmk
index b52b5720772..9dc5f9602d5 100644
--- a/make/Bundles.gmk
+++ b/make/Bundles.gmk
@@ -278,16 +278,7 @@ ifneq ($(filter product-bundles% legacy-bundles, $(MAKECMDGOALS)), )
$(SYMBOLS_EXCLUDE_PATTERN), \
$(ALL_JRE_FILES))
- # On Macosx release builds, when there is a code signing certificate available,
- # the final bundle layout can be signed.
- SIGN_BUNDLE := false
- ifeq ($(call isTargetOs, macosx)+$(DEBUG_LEVEL), true+release)
- ifneq ($(CODESIGN), )
- SIGN_BUNDLE := true
- endif
- endif
-
- ifeq ($(SIGN_BUNDLE), true)
+ ifeq ($(MACOSX_CODESIGN_MODE), hardened)
# Macosx release build and code signing available.
################################################################################
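Review bot: the retained comment "Macosx release build and code signing available." under the new ifeq no longer matches the condition. The removed block required DEBUG_LEVEL to be release, whereas MACOSX_CODESIGN_MODE becomes hardened on any debug level when --with-macosx-codesign=hardened is passed explicitly, so bundle signing now also runs for non-release builds. If that is intended, update the comment; if not, keep a release check here.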
diff --git a/make/autoconf/basic_tools.m4 b/make/autoconf/basic_tools.m4
index 56e76f3def9..31499a3784c 100644
--- a/make/autoconf/basic_tools.m4
+++ b/make/autoconf/basic_tools.m4
@@ -376,41 +376,6 @@ AC_DEFUN_ONCE([BASIC_SETUP_COMPLEX_TOOLS],
UTIL_REQUIRE_PROGS(MIG, mig)
UTIL_REQUIRE_PROGS(XATTR, xattr)
UTIL_LOOKUP_PROGS(CODESIGN, codesign)
-
- # Check for user provided code signing identity.
- UTIL_ARG_WITH(NAME: macosx-codesign-identity, TYPE: string,
- DEFAULT: openjdk_codesign, CHECK_VALUE: UTIL_CHECK_STRING_NON_EMPTY,
- DESC: [specify the macosx code signing identity],
- CHECKING_MSG: [for macosx code signing identity]
- )
- AC_SUBST(MACOSX_CODESIGN_IDENTITY)
-
- if test "x$CODESIGN" != "x"; then
- # Verify that the codesign certificate is present
- AC_MSG_CHECKING([if codesign certificate is present])
- $RM codesign-testfile
- $TOUCH codesign-testfile
- $CODESIGN -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile 2>&AS_MESSAGE_LOG_FD \
- >&AS_MESSAGE_LOG_FD || CODESIGN=
- $RM codesign-testfile
- if test "x$CODESIGN" = x; then
- AC_MSG_RESULT([no])
- else
- AC_MSG_RESULT([yes])
- # Verify that the codesign has --option runtime
- AC_MSG_CHECKING([if codesign has --option runtime])
- $RM codesign-testfile
- $TOUCH codesign-testfile
- $CODESIGN --option runtime -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile \
- 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
- $RM codesign-testfile
- if test "x$CODESIGN" = x; then
- AC_MSG_ERROR([codesign does not have --option runtime. macOS 10.13.6 and above is required.])
- else
- AC_MSG_RESULT([yes])
- fi
- fi
- fi
UTIL_REQUIRE_PROGS(SETFILE, SetFile)
fi
if ! test "x$OPENJDK_TARGET_OS" = "xwindows"; then
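Review bot: with this block removed, CODESIGN stays non-empty whenever the tool is found, whereas the removed code cleared it when the identity was missing or unusable. Any remaining makefile test of the form ifneq ($(CODESIGN), ) would therefore start signing unconditionally. The uses in Bundles.gmk and NativeCompilation.gmk are converted in this patch; please confirm there are no others. The removed error text naming macOS 10.13.6 as the minimum also has no counterpart in the new check, so a failure caused by an old codesign is no longer distinguishable from a missing identity.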
diff --git a/make/autoconf/configure.ac b/make/autoconf/configure.ac
index b927945fe44..7e794804ba2 100644
--- a/make/autoconf/configure.ac
+++ b/make/autoconf/configure.ac
@@ -247,6 +247,7 @@ JDKOPT_EXCLUDE_TRANSLATIONS
JDKOPT_ENABLE_DISABLE_MANPAGES
JDKOPT_ENABLE_DISABLE_CDS_ARCHIVE
JDKOPT_ENABLE_DISABLE_COMPATIBLE_CDS_ALIGNMENT
+JDKOPT_SETUP_MACOSX_SIGNING
###############################################################################
#
diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4
index 643594ce44e..a9409de1a79 100644
--- a/make/autoconf/jdk-options.m4
+++ b/make/autoconf/jdk-options.m4
@@ -696,3 +696,105 @@ AC_DEFUN_ONCE([JDKOPT_SETUP_REPRODUCIBLE_BUILD],
UTIL_DEPRECATED_ARG_ENABLE(reproducible-build)
])
+
+################################################################################
+#
+# Setup signing on macOS. This can either be setup to sign with a real identity
+# and enabling the hardened runtime, or it can simply add the debug entitlement
+# com.apple.security.get-task-allow without actually signing any binaries. The
+# latter is needed to be able to debug processes and dump core files on modern
+# versions of macOS. It can also be skipped completely.
+#
+# Check if codesign will run with the given parameters
+# $1: Parameters to run with
+# $2: Checking message
+# Sets CODESIGN_SUCCESS=true/false
+AC_DEFUN([JDKOPT_CHECK_CODESIGN_PARAMS],
+[
+ PARAMS="$1"
+ MESSAGE="$2"
+ CODESIGN_TESTFILE="$CONFIGURESUPPORT_OUTPUTDIR/codesign-testfile"
+ $RM "$CODESIGN_TESTFILE"
+ $TOUCH "$CODESIGN_TESTFILE"
+ CODESIGN_SUCCESS=false
+ $CODESIGN $PARAMS "$CODESIGN_TESTFILE" 2>&AS_MESSAGE_LOG_FD \
+ >&AS_MESSAGE_LOG_FD && CODESIGN_SUCCESS=true
+ $RM "$CODESIGN_TESTFILE"
+ AC_MSG_CHECKING([$MESSAGE])
+ if test "x$CODESIGN_SUCCESS" = "xtrue"; then
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+ fi
+])
+
+AC_DEFUN([JDKOPT_CHECK_CODESIGN_HARDENED],
+[
+ JDKOPT_CHECK_CODESIGN_PARAMS([-s "$MACOSX_CODESIGN_IDENTITY" --option runtime],
+ [if codesign with hardened runtime is possible])
+])
+
+AC_DEFUN([JDKOPT_CHECK_CODESIGN_DEBUG],
+[
+ JDKOPT_CHECK_CODESIGN_PARAMS([-s -], [if debug mode codesign is possible])
+])
+
+AC_DEFUN([JDKOPT_SETUP_MACOSX_SIGNING],
+[
+ ENABLE_CODESIGN=false
+ if test "x$OPENJDK_TARGET_OS" = "xmacosx" && test "x$CODESIGN" != "x"; then
+
+ UTIL_ARG_WITH(NAME: macosx-codesign, TYPE: literal, OPTIONAL: true,
+ VALID_VALUES: [hardened debug auto], DEFAULT: auto,
+ ENABLED_DEFAULT: true,
+ CHECKING_MSG: [for macosx code signing mode],
+ DESC: [set the macosx code signing mode (hardened, debug, auto)]
+ )
+
+ MACOSX_CODESIGN_MODE=disabled
+ if test "x$MACOSX_CODESIGN_ENABLED" = "xtrue"; then
+
+ # Check for user provided code signing identity.
+ UTIL_ARG_WITH(NAME: macosx-codesign-identity, TYPE: string,
+ DEFAULT: openjdk_codesign, CHECK_VALUE: UTIL_CHECK_STRING_NON_EMPTY,
+ DESC: [specify the macosx code signing identity],
+ CHECKING_MSG: [for macosx code signing identity]
+ )
+ AC_SUBST(MACOSX_CODESIGN_IDENTITY)
+
+ if test "x$MACOSX_CODESIGN" = "xauto"; then
+ # Only try to default to hardened signing on release builds
+ if test "x$DEBUG_LEVEL" = "xrelease"; then
+ JDKOPT_CHECK_CODESIGN_HARDENED
+ if test "x$CODESIGN_SUCCESS" = "xtrue"; then
+ MACOSX_CODESIGN_MODE=hardened
+ fi
+ fi
+ if test "x$MACOSX_CODESIGN_MODE" = "xdisabled"; then
+ JDKOPT_CHECK_CODESIGN_DEBUG
+ if test "x$CODESIGN_SUCCESS" = "xtrue"; then
+ MACOSX_CODESIGN_MODE=debug
+ fi
+ fi
+ AC_MSG_CHECKING([for macosx code signing mode])
+ AC_MSG_RESULT([$MACOSX_CODESIGN_MODE])
+ elif test "x$MACOSX_CODESIGN" = "xhardened"; then
+ JDKOPT_CHECK_CODESIGN_HARDENED
+ if test "x$CODESIGN_SUCCESS" = "xfalse"; then
+ AC_MSG_ERROR([Signing with hardened runtime is not possible])
+ fi
+ MACOSX_CODESIGN_MODE=hardened
+ elif test "x$MACOSX_CODESIGN" = "xdebug"; then
+ JDKOPT_CHECK_CODESIGN_DEBUG
+ if test "x$CODESIGN_SUCCESS" = "xfalse"; then
+ AC_MSG_ERROR([Signing in debug mode is not possible])
+ fi
+ MACOSX_CODESIGN_MODE=debug
+ else
+ AC_MSG_ERROR([unknown value for --with-macosx-codesign: $MACOSX_CODESIGN])
+ fi
+ fi
+ AC_SUBST(MACOSX_CODESIGN_IDENTITY)
+ AC_SUBST(MACOSX_CODESIGN_MODE)
+ fi
+])
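Review bot: in JDKOPT_CHECK_CODESIGN_PARAMS the signing identity loses its quoting. After m4 expansion the assignment reads PARAMS="-s "$MACOSX_CODESIGN_IDENTITY" --option runtime", and the later unquoted $PARAMS is word-split, so an identity containing spaces reaches codesign as several arguments and the check no longer tests the identity the user gave. The removed code in basic_tools.m4 passed -s "$MACOSX_CODESIGN_IDENTITY" directly; suggest keeping the identity as its own quoted argument. Smaller points: AC_SUBST(MACOSX_CODESIGN_IDENTITY) appears twice, ENABLE_CODESIGN is set but not read anywhere in this patch, the check spells the flag --option while NativeCompilation.gmk uses --options, and the header comment says the debug variant works "without actually signing any binaries" although it runs codesign with -s -.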
diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
index 8fbf290f984..c9718d620e4 100644
--- a/make/autoconf/spec.gmk.in
+++ b/make/autoconf/spec.gmk.in
@@ -459,7 +459,8 @@ MACOSX_VERSION_MIN=@MACOSX_VERSION_MIN@
# The highest allowed version of macosx
MACOSX_VERSION_MAX=@MACOSX_VERSION_MAX@
-# The macosx code signing identity to use
+# The macosx code signing configuration
+MACOSX_CODESIGN_MODE:=@MACOSX_CODESIGN_MODE@
MACOSX_CODESIGN_IDENTITY=@MACOSX_CODESIGN_IDENTITY@
# Toolchain type: gcc, clang, xlc, microsoft...
diff --git a/make/common/NativeCompilation.gmk b/make/common/NativeCompilation.gmk
index 7fa155b9cd6..b36dd9c652b 100644
--- a/make/common/NativeCompilation.gmk
+++ b/make/common/NativeCompilation.gmk
@@ -267,10 +267,15 @@ endif
# specialized file is found, returns the default file.
# $1 Executable to find entitlements file for.
ENTITLEMENTS_DIR := $(TOPDIR)/make/data/macosxsigning
-DEFAULT_ENTITLEMENTS_FILE := $(ENTITLEMENTS_DIR)/default.plist
+ifeq ($(MACOSX_CODESIGN_MODE), debug)
+ CODESIGN_PLIST_SUFFIX := -debug
+else
+ CODESIGN_PLIST_SUFFIX :=
+endif
+DEFAULT_ENTITLEMENTS_FILE := $(ENTITLEMENTS_DIR)/default$(CODESIGN_PLIST_SUFFIX).plist
GetEntitlementsFile = \
- $(foreach f, $(ENTITLEMENTS_DIR)/$(strip $(notdir $1)).plist, \
+ $(foreach f, $(ENTITLEMENTS_DIR)/$(strip $(notdir $1))$(CODESIGN_PLIST_SUFFIX).plist, \
$(if $(wildcard $f), $f, $(DEFAULT_ENTITLEMENTS_FILE)) \
)
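Review bot: the comment above GetEntitlementsFile is not updated for the new suffix. In debug mode the lookup becomes <name>-debug.plist with a fallback to default-debug.plist, so an executable that has its own <name>.plist but no -debug twin silently gets the default debug entitlements instead of its specialised set. This patch adds only default-debug.plist and java-debug.plist; please check that every existing per-executable plist has a -debug counterpart, and describe the suffix rule in the comment.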
@@ -1204,11 +1209,12 @@ define SetupNativeCompilationBody
$$($1_MT) -nologo -manifest $$($1_MANIFEST) -identity:"$$($1_NAME).exe, version=$$($1_MANIFEST_VERSION)" -outputresource:$$@;#1
endif
endif
- # This only works if the openjdk_codesign identity is present on the system. Let
- # silently fail otherwise.
- ifneq ($(CODESIGN), )
+ # On macosx, optionally run codesign on every binary
+ ifeq ($(MACOSX_CODESIGN_MODE), hardened)
$(CODESIGN) -f -s "$(MACOSX_CODESIGN_IDENTITY)" --timestamp --options runtime \
--entitlements $$(call GetEntitlementsFile, $$@) $$@
+ else ifeq ($(MACOSX_CODESIGN_MODE), debug)
+ $(CODESIGN) -f -s - --entitlements $$(call GetEntitlementsFile, $$@) $$@
endif
endif
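Review bot: the new debug branch makes the auto fallback security-relevant, and nothing flags it. With auto, a release-level build whose hardened check fails drops to debug mode, and every binary is then adhoc-signed with the -debug plist, which carries com.apple.security.get-task-allow. Suggest a configure-time warning when auto falls back from hardened to debug while DEBUG_LEVEL is release, so that a build intended for distribution is not produced with the debug entitlement unnoticed.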
diff --git a/make/data/macosxsigning/default-debug.plist b/make/data/macosxsigning/default-debug.plist
new file mode 100644
index 00000000000..40041790f6a
--- /dev/null
+++ b/make/data/macosxsigning/default-debug.plist
@@ -0,0 +1,18 @@
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.disable-library-validation
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+ com.apple.security.cs.debugger
+
+ com.apple.security.get-task-allow
+
+
+
diff --git a/make/data/macosxsigning/java-debug.plist b/make/data/macosxsigning/java-debug.plist
new file mode 100644
index 00000000000..354919ff1b4
--- /dev/null
+++ b/make/data/macosxsigning/java-debug.plist
@@ -0,0 +1,20 @@
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.disable-library-validation
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+ com.apple.security.cs.debugger
+
+ com.apple.security.device.audio-input
+
+ com.apple.security.get-task-allow
+
+
+
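Review bot: default-debug.plist and java-debug.plist repeat the same six entitlement keys and differ only in com.apple.security.device.audio-input. Hand-maintained copies like these drift when the entitlement set changes. Suggest either a comment in each file naming the plist it must be kept in sync with, or deriving the -debug variant at build time by adding com.apple.security.get-task-allow to the existing plist.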