- Bug
- Resolution: Fixed
- P4
- 11, 14, 15
- b15
- os_x

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8242104 | 14.0.2 | Erik Joelsson | P4 | Resolved | Fixed | b04 |
JDK-8247355 | 13.0.4 | Erik Joelsson | P4 | Resolved | Fixed | b05 |
JDK-8241686 | 11.0.8 | Erik Joelsson | P4 | Resolved | Fixed | b01 |
From build-dev: https://mail.openjdk.java.net/pipermail/build-dev/2020-February/026874.html
---
Hi all,
A recent change in OpenJDK tip (https://hg.openjdk.java.net/jdk/jdk/rev/dcf88e5c8c07) contains a potential bug when trying to sign the macOS binary on older macOS.
The current macOS signing process will execute the following commands in order:
1. Checking whether codesign certificate is present (https://hg.openjdk.java.net/jdk/jdk/rev/dcf88e5c8c07#l1.26)
2. Using codesign with `--options runtime` to sign the binary (https://hg.openjdk.java.net/jdk/jdk/rev/dcf88e5c8c07#l3.19)
Notice that in the first step, the codesign command is not using the `--options runtime` option. The `--options runtime` option is only available in Xcode 10 or later and requires macOS 10.13.6 or later (https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues). So if a developer uses an old Xcode or macOS to sign the binary, the `configure` command will pass, but they will hit an exception when the script tries to sign the binary. I want to propose a change to make sure this fails fast.
Proposed changes:
```
--- a/make/autoconf/basic_tools.m4
+++ b/make/autoconf/basic_tools.m4
@@ -397,10 +397,21 @@ AC_DEFUN_ONCE([BASIC_SETUP_COMPLEX_TOOLS],
$RM codesign-testfile
if test "x$CODESIGN" = x; then
AC_MSG_RESULT([no])
else
AC_MSG_RESULT([yes])
+ # Verify that the codesign has --option runtime
+ AC_MSG_CHECKING([if codesign has --option runtime])
+ $RM codesign-testfile
+ $TOUCH codesign-testfile
+ $CODESIGN --option runtime -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile 2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
+ $RM codesign-testfile
+ if test "x$CODESIGN" = x; then
+ AC_MSG_ERROR([codesign does not have --option runtime. macOS 10.13.6 and above is required.])
+ else
+ AC_MSG_RESULT([yes])
+ fi
fi
fi
UTIL_REQUIRE_PROGS(SETFILE, SetFile)
elif test "x$OPENJDK_TARGET_OS" = "xsolaris"; then
UTIL_REQUIRE_PROGS(ELFEDIT, elfedit)
```
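Review bot: The probe on the added `$CODESIGN --option runtime -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile` line spells the flag `--option`, while the message above says the real signing step uses `--options runtime`; the check should use exactly the spelling the signing step uses, otherwise it does not prove that the later command will succeed (the comment, the `AC_MSG_CHECKING` text and the `AC_MSG_ERROR` text carry the same spelling). Two further points in the same hunk: the preceding certificate check reports `no` and lets configure continue when signing is unavailable, whereas this branch calls `AC_MSG_ERROR`, so a machine that has the certificate but an older toolchain now cannot configure at all; consider whether clearing `CODESIGN` and reporting `no` would be the more consistent behaviour, or document that the hard failure is intended. The error text names only the macOS version, but the stated requirement also includes Xcode 10 or later, and any failure of the probe is reported as a missing option; the message should mention both requirements and point at the configure log. The added `$RM codesign-testfile` before `$TOUCH` is redundant, since the context line at the top of the hunk has already removed the file.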
And a run on a macOS 10.12 with this change will see this output:
```
checking for codesign... /usr/bin/codesign
checking if codesign certificate is present... yes
checking if codesign has --option runtime... configure: error: codesign does not have --option runtime. macOS 10.13 and above is required.
configure exiting with result code 1
```
Please let me know what you think.
Thank you,
Junyuan
---
backported by:
- JDK-8241686 macOS codesign fail on macOS 10.13.5 or older (Resolved)
- JDK-8242104 macOS codesign fail on macOS 10.13.5 or older (Resolved)
- JDK-8247355 macOS codesign fail on macOS 10.13.5 or older (Resolved)