In the log for most SA tests on macos-aarch64-debug, you will see something like:

STDOUT: Executable=/System/Volumes/Data/mesos/work_dir/jib-master/install/2022-12-07-2219530.chris.plummer.jdk/macosx-aarch64-debug.jdk/jdk-20/fastdebug/bin/java
...
STDOUT: CodeDirectory v=20400 size=758 flags=0x2(adhoc) hashes=13+7 location=embedded
STDOUT: Signature=adhoc
...
Could not confirm if TargetJDK is hardened. Assuming not hardened.

The message at the end shouldn't be happening. The problem is in Platform.isHardenedOSX(), which is searching for "flags=0x20002(adhoc,linker-signed)", but instead we are seeing "flags=0x2(adhoc)". This is due to JDK-8293550, which is now explicitly adding adhoc signing. Previously we just allowed the linker to just do the default adhoc signing, which is why you would also see the "linker-signed" flag. Since we explicitly do adhoc signing now, "linker-signed" is missing.

The fix is to just allow either form. Since it is possible to build without the explicitly adhoc signing, we still need to support the old form that includes "linker-signed".

There seems to be no adverse affects from this bug, since the conclusion that the JDK is not hardened is the correct one.