enable hardned runtime on jdk8u mac binaries (#1686)

adoptium · Apr 21, 2020 · ce08097 · ce08097
1 parent ede09d6
commit ce08097
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 36 deletions.
diff --git a/build-farm/platform-specific-configurations/mac.sh b/build-farm/platform-specific-configurations/mac.sh
@@ -50,8 +50,8 @@ else
   fi
 fi
 
-# The configure option '--with-macosx-codesign-identity' is supported in JDK11 and JDK14+
-if [ "$JAVA_FEATURE_VERSION" -eq 11 ] || [ "$JAVA_FEATURE_VERSION" -ge 14 ]
+# The configure option '--with-macosx-codesign-identity' is supported in JDK8 OpenJ9 and JDK11 and JDK14+
+if [[ ( "$JAVA_FEATURE_VERSION" -eq 11 ) || ( "$JAVA_FEATURE_VERSION" -ge 14 ) || ( "$JAVA_FEATURE_VERSION" -eq 8 && "${VARIANT}" == "${BUILD_VARIANT_OPENJ9}" ) ]]
 then
   export CONFIGURE_ARGS_FOR_ANY_PLATFORM="${CONFIGURE_ARGS_FOR_ANY_PLATFORM} --with-sysroot=/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/"
   # Login to KeyChain

diff --git a/entitlements.plist b/entitlements.plist
@@ -6,11 +6,11 @@
     <true/>
     <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
     <true/>
-    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <key>com.apple.security.cs.disable-library-validation</key>
     <true/>
     <key>com.apple.security.cs.allow-dyld-environment-variables</key>
     <true/>
-    <key>com.apple.security.cs.disable-library-validation</key>
+    <key>com.apple.security.cs.debugger</key>
     <true/>
 </dict>
-</plist>
+</plist>
diff --git a/pipelines/build/common/openjdk_build_pipeline.groovy b/pipelines/build/common/openjdk_build_pipeline.groovy
@@ -155,7 +155,7 @@ class Build {
     def sign(VersionInfo versionInfo) {
         // Sign and archive jobs if needed
         // TODO: This version info check needs to be updated when the notarization fix gets applied to other versions.
-        if (buildConfig.TARGET_OS == "windows" || (buildConfig.TARGET_OS == "mac" && versionInfo.major == 8) || (buildConfig.TARGET_OS == "mac" && versionInfo.major == 13)) {
+        if (buildConfig.TARGET_OS == "windows" || (buildConfig.TARGET_OS == "mac" && versionInfo.major == 8 && buildConfig.VARIANT != "openj9") || (buildConfig.TARGET_OS == "mac" && versionInfo.major == 13)) {
             context.node('master') {
                 context.stage("sign") {
                     def filter = ""

diff --git a/sign.sh b/sign.sh
@@ -82,43 +82,18 @@ signRelease()
       done
       ;;
     "mac"*)
+      # TODO: Remove this completly once https://github.com/AdoptOpenJDK/openjdk-jdk11u/commit/b3250adefed0c1778f38a7e221109ae12e7c421e has been backported to JDK8u
       echo "Signing OSX release"
 
       # Login to KeyChain
       # shellcheck disable=SC2046
       # shellcheck disable=SC2006
       security unlock-keychain -p `cat ~/.password`
 
-      ########################################
-      ## TODO: Remove me pending resolution to https://github.com/AdoptOpenJDK/TSC/issues/107
-      FILES=$(find "${TMP_DIR}" -perm +111 -type f || find "${TMP_DIR}" -perm /111 -type f)
-      echo "$FILES" | while read -r f; do codesign -s "Developer ID Application: London Jamocha Community CIC" "$f"; done
-      ########################################
-      ## TODO: Bring me back pending resolution to https://github.com/AdoptOpenJDK/TSC/issues/107
-
-#      ENTITLEMENTS="$WORKSPACE/entitlements.plist"
-#      # Sign all files with the executable permission bit set.
-#      FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib'  -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib'  -type f)
-#      echo "$FILES" | while read -r f; do codesign --entitlements "$ENTITLEMENTS" --options runtime --timestamp --sign "Developer ID Application: London Jamocha Community CIC" "$f"; done
-#
-#      # Loop through jmods, extract, sign and repack
-#      JMODS_DIR=$(find "$TMP_DIR" -type d -name jmods 2>/dev/null || echo "")
-#      if [[ -n $JMODS_DIR ]]; then
-#        cd "$JMODS_DIR"
-#        for jmod in ./*; do
-#          rm -rf tmp
-#          # Use brew install p7zip to get 7z
-#          7z x "$jmod" -otmp
-#          cd tmp
-#          FILES=$(find bin lib -type f 2>/dev/null || echo "")
-#          if [[ -n $FILES ]]; then
-#            echo "$FILES" | while read -r f; do codesign --entitlements "$ENTITLEMENTS" --options runtime --timestamp --sign "Developer ID Application: London Jamocha Community CIC" "$f"; done
-#          fi
-#          7z a -r ../"$jmod" .
-#          cd ../
-#          rm -rf tmp
-#        done
-#      fi
+      ENTITLEMENTS="$WORKSPACE/entitlements.plist"
+      # Sign all files with the executable permission bit set.
+      FILES=$(find "${TMP_DIR}" -perm +111 -type f -o -name '*.dylib'  -type f || find "${TMP_DIR}" -perm /111 -type f -o -name '*.dylib'  -type f)
+      echo "$FILES" | while read -r f; do codesign --entitlements "$ENTITLEMENTS" --options runtime --timestamp --sign "Developer ID Application: London Jamocha Community CIC" "$f"; done
       ;;
     *)
       echo "Skipping code signing as it's not supported on $OPERATING_SYSTEM"