Details
- Bug
- Resolution: Fixed
- P3
- 17, 18
- b08
Backports
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8315403 | 17.0.10-oracle | Chris Plummer | P3 | Resolved | Fixed | b01 |
JDK-8317988 | 17.0.10 | Goetz Lindenmaier | P3 | Resolved | Fixed | b01 |
JDK-8328883 | 11.0.24 | Andrew Lu | P3 | Resolved | Fixed | b01 |
Description
I recently just noticed that on macosx-aarch64, all our SA tests that attach to a process were being skipped because the binary was signed, even for debug builds. It turns out that for macosx-aarch64, the linker always adds what is known as ad-hoc signing. You can find some info on ad-hoc signing here:
https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-require-signed-code/
The tests use the codesign tool to determine if the binary is signed. Normally the check just relies on getting an error code of 1 when not signed, but since all binaries are now signed on macosx-aarch64, we need to modify the check to ignore ad-hoc signing.
Using "codesign --display" on an ad-hoc signed binary shows a couple of lines in the output that are of interest:
bash-3.2$ codesign --display --verbose=4 a.out
CodeDirectory v=20400 size=254 flags=0x20002(adhoc,linker-signed) hashes=5+0 location=embedded
Signature=adhoc
Whereas the output for a truly signed binary contains the following:
bash-3.2$ codesign --display --verbose=4 /Applications/Safari.app/
CodeDirectory v=20100 size=513 flags=0x2000(library-validation) hashes=9+5 location=embedded
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=May 13, 2021 at 10:54:23 AM
Internal requirements count=1 size=64
I think looking for "Signature=adhoc" should be sufficient for detecting ad-hoc signed binaries. We should be able to do a debugger attach to these binaries since they can't be notarized.
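The check described above, sketched as an added shell example (not the JDK test library's code): it classifies one `codesign --display --verbose=4` run from its exit status and captured output, treating `Signature=adhoc` as attachable. The function names, the result labels, the handling of exit statuses other than 0 and 1, and the unsigned sample message are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; function names and result labels are hypothetical.

# Print unsigned, adhoc, signed or error for one codesign run.
#   $1 = exit status of codesign, $2 = its captured output
classify_signature() {
    case $1 in
        0) ;;
        1) echo unsigned; return 0 ;;  # status 1: not signed (per the report)
        *) echo error; return 0 ;;     # assumption: any other status is a tool failure
    esac
    # Whole-line match, so the text inside a longer line does not count.
    if printf '%s\n' "$2" | grep -qx 'Signature=adhoc'; then
        echo adhoc
    else
        echo signed
    fi
}

# Succeed when a debugger attach should be attempted (unsigned or ad-hoc).
attach_expected() {
    case $(classify_signature "$1" "$2") in
        unsigned|adhoc) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the real tool (macOS only); 2>&1 captures both output streams.
classify_binary() {
    out=$(codesign --display --verbose=4 "$1" 2>&1)
    classify_signature "$?" "$out"
}

# Sample outputs: the first two are copied from the report, the third is constructed.
ADHOC_SAMPLE='CodeDirectory v=20400 size=254 flags=0x20002(adhoc,linker-signed) hashes=5+0 location=embedded
Signature=adhoc'
SIGNED_SAMPLE='CodeDirectory v=20100 size=513 flags=0x2000(library-validation) hashes=9+5 location=embedded
Signature size=4442
Authority=Software Signing'
UNSIGNED_SAMPLE='a.out: code object is not signed at all'

echo "ad-hoc sample:   $(classify_signature 0 "$ADHOC_SAMPLE")"
echo "signed sample:   $(classify_signature 0 "$SIGNED_SAMPLE")"
echo "unsigned sample: $(classify_signature 1 "$UNSIGNED_SAMPLE")"
```

On a Mac, `classify_binary a.out` applies the same classification to a real binary.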
Issue Links
- backported by
  - JDK-8315403 Most SA tests are skipped on macosx-aarch64 because all executables are signed (Resolved)
  - JDK-8317988 Most SA tests are skipped on macosx-aarch64 because all executables are signed (Resolved)
  - JDK-8328883 Most SA tests are skipped on macosx-aarch64 because all executables are signed (Resolved)
- relates to
  - JDK-8271512 ProblemList serviceability/sa/sadebugd/DebugdConnectTest.java due to 8270326 (Resolved)
  - JDK-8270326 [MacOSX-AARCH64] serviceability/sa/sadebugd/DebugdConnectTest.java fails with java.rmi.ConnectException (Open)
  - JDK-8254941 Implement Serviceability Agent for macOS/AArch64 (Resolved)
- links to
  - Commit openjdk/jdk11u-dev/8c18317e
  - Commit openjdk/jdk17u-dev/c17878a9
  - Commit openjdk/jdk/16e0ad0a
  - Review openjdk/jdk11u-dev/2616
  - Review openjdk/jdk17u-dev/1866
  - Review openjdk/jdk/6906