Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8270199

Most SA tests are skipped on macosx-aarch64 because all executables are signed

    XMLWordPrintable

Details

    • b08

    Backports

      Description

        For any SA test that attaches to an OSX process (this would be all SA tests except for that test core file support), there is a check to make sure that the target jvm process is not a signed binary. If it is, SkippedException is thrown, and the test passes without doing anything. This is all we can do since being signed implied being notarized, and debuggers cannot attach to a notarized binary.

        I recently just noticed that on macosx-aarch64, all our SA tests that attach to a process were being skipped because the binary was signed, even for debug builds. It turns out that for macosx-aarch64, the linker always ads what is known as ad-hoc signing. You can find some info on ad-hoc signing here:

        https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-require-signed-code/

        The tests use the codesign tool to determine if the binary is signed. Normally the check just relies on getting an error code of 1 when not signed, but since all binaries are now signed on macosx-aarch64, we need to modify the check to ignore ad-hoc signing.

        Using "codesign --display" on an an ad-hoc signed binary shows couple lines in the output that are of interest:

        bash-3.2$ codesign --display --verbose=4 a.out
        CodeDirectory v=20400 size=254 flags=0x20002(adhoc,linker-signed) hashes=5+0 location=embedded
        Signature=adhoc

        Whereas the output for a truly signed binary contains the following:

        bash-3.2$ codesign --display --verbose=4 /Applications/Safari.app/
        CodeDirectory v=20100 size=513 flags=0x2000(library-validation) hashes=9+5 location=embedded
        Signature size=4442
        Authority=Software Signing
        Authority=Apple Code Signing Certification Authority
        Authority=Apple Root CA
        Signed Time=May 13, 2021 at 10:54:23 AM
        Internal requirements count=1 size=64

        I think looking for "Signature=adhoc" should be sufficient for detecting ad-hoc signed binaries. We should be able to do a debugger attach to these binaries since they can't be notarized.

        Attachments

          Issue Links

            Activity

              People

                cjplummer Chris Plummer
                cjplummer Chris Plummer
                Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: