8235585: Enable macOS codesigning for all libraries and executables

Reviewed-by: erikj, clanger
2019-12-09 16:14:16 +01:00 · 2019-12-09 16:14:16 +01:00 · f6d50463f6
commit f6d50463f6
parent c617914eeb
7 changed files with 44 additions and 17 deletions
--- a/make/autoconf/basics.m4
+++ b/make/autoconf/basics.m4
@ -1287,12 +1287,23 @@ AC_DEFUN_ONCE([BASIC_SETUP_COMPLEX_TOOLS],
    BASIC_REQUIRE_PROGS(MIG, mig)
    BASIC_REQUIRE_PROGS(XATTR, xattr)
    BASIC_PATH_PROGS(CODESIGN, codesign)
+
    if test "x$CODESIGN" != "x"; then
-      # Verify that the openjdk_codesign certificate is present
-      AC_MSG_CHECKING([if openjdk_codesign certificate is present])
+      # Check for user provided code signing identity.
+      # If no identity was provided, fall back to "openjdk_codesign".
+      AC_ARG_WITH([macosx-codesign-identity], [AS_HELP_STRING([--with-macosx-codesign-identity],
+        [specify the code signing identity])],
+        [MACOSX_CODESIGN_IDENTITY=$with_macosx_codesign_identity],
+        [MACOSX_CODESIGN_IDENTITY=openjdk_codesign]
+      )
+
+      AC_SUBST(MACOSX_CODESIGN_IDENTITY)
+
+      # Verify that the codesign certificate is present
+      AC_MSG_CHECKING([if codesign certificate is present])
      $RM codesign-testfile
      $TOUCH codesign-testfile
-      $CODESIGN -s openjdk_codesign codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
+      $CODESIGN -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
      $RM codesign-testfile
      if test "x$CODESIGN" = x; then
        AC_MSG_RESULT([no])
--- a/make/autoconf/spec.gmk.in
+++ b/make/autoconf/spec.gmk.in
@ -415,6 +415,9 @@ MACOSX_VERSION_MIN=@MACOSX_VERSION_MIN@
 # The highest allowed version of macosx
 MACOSX_VERSION_MAX=@MACOSX_VERSION_MAX@

+# The macosx code signing identity to use
+MACOSX_CODESIGN_IDENTITY=@MACOSX_CODESIGN_IDENTITY@
+
 # Toolchain type: gcc, clang, solstudio, lxc, microsoft...
 TOOLCHAIN_TYPE:=@TOOLCHAIN_TYPE@
 TOOLCHAIN_VERSION := @TOOLCHAIN_VERSION@
--- a/make/common/NativeCompilation.gmk
+++ b/make/common/NativeCompilation.gmk
@ -1048,7 +1048,7 @@ define SetupNativeCompilationBody

    $1_VARDEPS := $$($1_LD) $$($1_SYSROOT_LDFLAGS) $$($1_LDFLAGS) $$($1_EXTRA_LDFLAGS) \
        $$(GLOBAL_LIBS) $$($1_LIBS) $$($1_EXTRA_LIBS) $$($1_MT) \
-        $$($1_CODESIGN) $$($1_CREATE_DEBUGINFO_CMDS) $$($1_MANIFEST_VERSION) \
+        $$($1_CREATE_DEBUGINFO_CMDS) $$($1_MANIFEST_VERSION) \
        $$($1_STRIP_CMD)
    $1_VARDEPS_FILE := $$(call DependOnVariable, $1_VARDEPS, \
        $$($1_OBJECT_DIR)/$$($1_NOSUFFIX).vardeps)
@ -1129,9 +1129,8 @@ define SetupNativeCompilationBody
                # This only works if the openjdk_codesign identity is present on the system. Let
                # silently fail otherwise.
                ifneq ($(CODESIGN), )
-                  ifneq ($$($1_CODESIGN), )
-		    $(CODESIGN) -s openjdk_codesign $$@
-                  endif
+		  $(CODESIGN) -s "$(MACOSX_CODESIGN_IDENTITY)" --timestamp --options runtime \
+		  --entitlements $(TOPDIR)/make/data/macosxsigning/entitlements.plist $$@
                endif
  endif

--- a/make/data/macosxsigning/entitlements.plist
+++ b/make/data/macosxsigning/entitlements.plist
@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+</dict>
+</plist>
--- a/make/launcher/Launcher-jdk.hotspot.agent.gmk
+++ b/make/launcher/Launcher-jdk.hotspot.agent.gmk
@ -1,5 +1,5 @@
 #
-# Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@ -27,5 +27,5 @@ include LauncherCommon.gmk

 $(eval $(call SetupBuildLauncher, jhsdb, \
    MAIN_CLASS := sun.jvm.hotspot.SALauncher, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))
--- a/make/launcher/Launcher-jdk.jcmd.gmk
+++ b/make/launcher/Launcher-jdk.jcmd.gmk
@ -1,5 +1,5 @@
 #
-# Copyright (c) 2011, 2018, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@ -30,7 +30,7 @@ $(eval $(call SetupBuildLauncher, jinfo, \
    JAVA_ARGS := \
        -Dsun.jvm.hotspot.debugger.useProcDebugger \
        -Dsun.jvm.hotspot.debugger.useWindbgDebugger, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))

 $(eval $(call SetupBuildLauncher, jmap, \
@ -38,7 +38,7 @@ $(eval $(call SetupBuildLauncher, jmap, \
    JAVA_ARGS := \
        -Dsun.jvm.hotspot.debugger.useProcDebugger \
        -Dsun.jvm.hotspot.debugger.useWindbgDebugger, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))

 $(eval $(call SetupBuildLauncher, jps, \
@ -50,7 +50,7 @@ $(eval $(call SetupBuildLauncher, jstack, \
    JAVA_ARGS := \
        -Dsun.jvm.hotspot.debugger.useProcDebugger \
        -Dsun.jvm.hotspot.debugger.useWindbgDebugger, \
-    MACOSX_SIGNED := true, \
+    MACOSX_PRIVILEGED := true, \
 ))

 $(eval $(call SetupBuildLauncher, jstat, \
--- a/make/launcher/LauncherCommon.gmk
+++ b/make/launcher/LauncherCommon.gmk
@ -74,7 +74,7 @@ JAVA_MANIFEST := $(TOPDIR)/src/java.base/windows/native/launcher/java.manifest
 # CFLAGS   Additional CFLAGS
 # CFLAGS_windows   Additional CFLAGS_windows
 # EXTRA_RC_FLAGS   Additional EXTRA_RC_FLAGS
-# MACOSX_SIGNED   On macosx, sign this binary
+# MACOSX_PRIVILEGED   On macosx, allow to access other processes
 # OPTIMIZATION   Override default optimization level (LOW)
 # OUTPUT_DIR   Override default output directory
 # VERSION_INFO_RESOURCE   Override default Windows resource file
@ -104,9 +104,8 @@ define SetupBuildLauncherBody
  $1_CFLAGS += -DJAVA_ARGS=$$($1_JAVA_ARGS_STR)

  ifeq ($(call isTargetOs, macosx), true)
-    ifeq ($$($1_MACOSX_SIGNED), true)
+    ifeq ($$($1_MACOSX_PRIVILEGED), true)
      $1_PLIST_FILE := Info-privileged.plist
-        $1_CODESIGN := true
    else
      $1_PLIST_FILE := Info-cmdline.plist
    endif
@ -171,7 +170,6 @@ define SetupBuildLauncherBody
      EXTRA_RC_FLAGS := $$($1_EXTRA_RC_FLAGS), \
      MANIFEST := $(JAVA_MANIFEST), \
      MANIFEST_VERSION := $(VERSION_NUMBER_FOUR_POSITIONS), \
-      CODESIGN := $$($1_CODESIGN), \
  ))

  $1 += $$(BUILD_LAUNCHER_$1)