From 8bcf12171e9180f8c7ecc60a6167016980eefccf Mon Sep 17 00:00:00 2001 From: rschuenemann Date: Thu, 13 Feb 2020 10:07:38 +0100 Subject: [PATCH] 8238534: Deep sign macOS bundles before bundle archive is being created Reviewed-by: erikj, clanger --- make/Bundles.gmk | 108 +++++++++++++++++++++++++++++++------- make/autoconf/spec.gmk.in | 10 +++- 2 files changed, 98 insertions(+), 20 deletions(-) diff --git a/make/Bundles.gmk b/make/Bundles.gmk index 5f1449233d..be552cc6a3 100644 --- a/make/Bundles.gmk +++ b/make/Bundles.gmk @@ -1,5 +1,5 @@ # -# Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it 
@@ -221,24 +221,96 @@ ifneq ($(filter product-bundles legacy-bundles, $(MAKECMDGOALS)), ) $(SYMBOLS_EXCLUDE_PATTERN), \ $(ALL_JRE_FILES)) - $(eval $(call SetupBundleFile, BUILD_JDK_BUNDLE, \ - BUNDLE_NAME := $(JDK_BUNDLE_NAME), \ - FILES := $(JDK_BUNDLE_FILES), \ - SPECIAL_INCLUDES := $(JDK_SPECIAL_INCLUDES), \ - BASE_DIRS := $(JDK_IMAGE_DIR), \ - SUBDIR := $(JDK_BUNDLE_SUBDIR), \ - )) - - PRODUCT_TARGETS += $(BUILD_JDK_BUNDLE) - - $(eval $(call SetupBundleFile, BUILD_JRE_BUNDLE, \ - BUNDLE_NAME := $(JRE_BUNDLE_NAME), \ - FILES := $(JRE_BUNDLE_FILES), \ - BASE_DIRS := $(JRE_IMAGE_DIR), \ - SUBDIR := $(JRE_BUNDLE_SUBDIR), \ - )) + # On Macosx release builds, when there is a code signing certificate available, + # the final bundle layout can be signed. + SIGN_BUNDLE := false + ifeq ($(OPENJDK_TARGET_OS)-$(DEBUG_LEVEL), macosx-release) + ifneq ($(CODESIGN), ) + SIGN_BUNDLE := true + endif + endif - LEGACY_TARGETS += $(BUILD_JRE_BUNDLE) + ifeq ($(SIGN_BUNDLE), true) + # Macosx release build and code signing available. 
+ + ################################################################################ + # JDK bundle + $(eval $(call SetupCopyFiles, CREATE_JDK_BUNDLE_DIR_SIGNED, \ + SRC := $(JDK_IMAGE_DIR), \ + FILES := $(JDK_BUNDLE_FILES), \ + DEST := $(JDK_MACOSX_BUNDLE_DIR_SIGNED), \ + )) + + JDK_SIGNED_CODE_RESOURCES := \ + $(JDK_MACOSX_BUNDLE_DIR_SIGNED)/$(JDK_MACOSX_CONTENTS_SUBDIR)/_CodeSignature/CodeResources + + $(JDK_SIGNED_CODE_RESOURCES): $(CREATE_JDK_BUNDLE_DIR_SIGNED) + $(call LogWarn, Signing $(JDK_BUNDLE_NAME)) + $(CODESIGN) -s "$(MACOSX_CODESIGN_IDENTITY)" \ + --timestamp --options runtime --deep --force \ + $(JDK_MACOSX_BUNDLE_DIR_SIGNED)/$(JDK_MACOSX_BUNDLE_TOP_DIR) $(LOG_DEBUG) + $(TOUCH) $@ + + $(eval $(call SetupBundleFile, BUILD_JDK_BUNDLE, \ + BUNDLE_NAME := $(JDK_BUNDLE_NAME), \ + FILES := \ + $(CREATE_JDK_BUNDLE_DIR_SIGNED) \ + $(JDK_SIGNED_CODE_RESOURCES), \ + BASE_DIRS := $(JDK_MACOSX_BUNDLE_DIR_SIGNED), \ + SUBDIR := $(JDK_BUNDLE_SUBDIR), \ + )) + + PRODUCT_TARGETS += $(BUILD_JDK_BUNDLE) + + ################################################################################ + # JRE bundle + $(eval $(call SetupCopyFiles, CREATE_JRE_BUNDLE_DIR_SIGNED, \ + SRC := $(JRE_IMAGE_DIR), \ + FILES := $(JRE_BUNDLE_FILES), \ + DEST := $(JRE_MACOSX_BUNDLE_DIR_SIGNED), \ + )) + + JRE_SIGNED_CODE_RESOURCES := \ + $(JRE_MACOSX_BUNDLE_DIR_SIGNED)/$(JRE_MACOSX_CONTENTS_SUBDIR)/_CodeSignature/CodeResources + + $(JRE_SIGNED_CODE_RESOURCES): $(CREATE_JRE_BUNDLE_DIR_SIGNED) + $(call LogWarn, Signing $(JRE_BUNDLE_NAME)) + $(CODESIGN) -s "$(MACOSX_CODESIGN_IDENTITY)" \ + --timestamp --options runtime --deep --force \ + $(JRE_MACOSX_BUNDLE_DIR_SIGNED)/$(JRE_MACOSX_BUNDLE_TOP_DIR) $(LOG_DEBUG) + $(TOUCH) $@ + + $(eval $(call SetupBundleFile, BUILD_JRE_BUNDLE, \ + BUNDLE_NAME := $(JRE_BUNDLE_NAME), \ + FILES := \ + $(CREATE_JRE_BUNDLE_DIR_SIGNED) \ + $(JRE_SIGNED_CODE_RESOURCES), \ + BASE_DIRS := $(JRE_MACOSX_BUNDLE_DIR_SIGNED), \ + SUBDIR := $(JRE_BUNDLE_SUBDIR), \ + )) + + 
LEGACY_TARGETS += $(BUILD_JRE_BUNDLE) + else + # Not a Macosx release build or code signing not available. + $(eval $(call SetupBundleFile, BUILD_JDK_BUNDLE, \ + BUNDLE_NAME := $(JDK_BUNDLE_NAME), \ + FILES := $(JDK_BUNDLE_FILES), \ + SPECIAL_INCLUDES := $(JDK_SPECIAL_INCLUDES), \ + BASE_DIRS := $(JDK_IMAGE_DIR), \ + SUBDIR := $(JDK_BUNDLE_SUBDIR), \ + )) + + PRODUCT_TARGETS += $(BUILD_JDK_BUNDLE) + + $(eval $(call SetupBundleFile, BUILD_JRE_BUNDLE, \ + BUNDLE_NAME := $(JRE_BUNDLE_NAME), \ + FILES := $(JRE_BUNDLE_FILES), \ + BASE_DIRS := $(JRE_IMAGE_DIR), \ + SUBDIR := $(JRE_BUNDLE_SUBDIR), \ + )) + + LEGACY_TARGETS += $(BUILD_JRE_BUNDLE) + endif $(eval $(call SetupBundleFile, BUILD_JDK_SYMBOLS_BUNDLE, \ BUNDLE_NAME := $(JDK_SYMBOLS_BUNDLE_NAME), \ diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in index a4f35008b0..bd58a7ec33 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in 
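Review bot: Neither signing recipe checks the result before `$(TOUCH) $@` marks `CodeResources` as up to date, so the archive step trusts whatever `codesign --deep --force` left in the staging directory. Adding `$(CODESIGN) --verify --deep --strict $(JDK_MACOSX_BUNDLE_DIR_SIGNED)/$(JDK_MACOSX_BUNDLE_TOP_DIR) $(LOG_DEBUG)` before the touch, and the JRE equivalent in the second recipe, would fail the build on an incomplete or invalid seal instead of archiving it. `--deep` applies one set of options to all nested code and, as far as I know, only descends into the standard nested-code locations, so it is worth confirming that the launchers and dylibs under `Contents/Home` end up individually signed rather than only sealed as resources. `--options runtime` is passed without an `--entitlements` file, so whether the JVM's JIT still works under the hardened runtime should be confirmed on a signed build.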
@@ -868,10 +868,16 @@ DOCS_OUTPUTDIR := $(DOCS_IMAGE_DIR) # Macosx bundles directory definitions JDK_MACOSX_BUNDLE_SUBDIR=jdk-bundle JRE_MACOSX_BUNDLE_SUBDIR=jre-bundle +JDK_MACOSX_BUNDLE_SUBDIR_SIGNED=jdk-bundle-signed +JRE_MACOSX_BUNDLE_SUBDIR_SIGNED=jre-bundle-signed JDK_MACOSX_BUNDLE_DIR=$(IMAGES_OUTPUTDIR)/$(JDK_MACOSX_BUNDLE_SUBDIR) JRE_MACOSX_BUNDLE_DIR=$(IMAGES_OUTPUTDIR)/$(JRE_MACOSX_BUNDLE_SUBDIR) -JDK_MACOSX_CONTENTS_SUBDIR=jdk-$(VERSION_NUMBER).jdk/Contents -JRE_MACOSX_CONTENTS_SUBDIR=jre-$(VERSION_NUMBER).jre/Contents +JDK_MACOSX_BUNDLE_DIR_SIGNED=$(IMAGES_OUTPUTDIR)/$(JDK_MACOSX_BUNDLE_SUBDIR_SIGNED) +JRE_MACOSX_BUNDLE_DIR_SIGNED=$(IMAGES_OUTPUTDIR)/$(JRE_MACOSX_BUNDLE_SUBDIR_SIGNED) +JDK_MACOSX_BUNDLE_TOP_DIR=jdk-$(VERSION_NUMBER).jdk +JRE_MACOSX_BUNDLE_TOP_DIR=jre-$(VERSION_NUMBER).jre +JDK_MACOSX_CONTENTS_SUBDIR=$(JDK_MACOSX_BUNDLE_TOP_DIR)/Contents +JRE_MACOSX_CONTENTS_SUBDIR=$(JRE_MACOSX_BUNDLE_TOP_DIR)/Contents JDK_MACOSX_CONTENTS_DIR=$(JDK_MACOSX_BUNDLE_DIR)/$(JDK_MACOSX_CONTENTS_SUBDIR) JRE_MACOSX_CONTENTS_DIR=$(JRE_MACOSX_BUNDLE_DIR)/$(JRE_MACOSX_CONTENTS_SUBDIR) -- GitLab
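Review bot: The new `*_SIGNED` directory variables sit next to the existing bundle directories with no comment on how they differ, and in this patch only the `-signed` copies are passed to `codesign`. A one-line comment above them, such as `# Staging copies that are code signed before archiving; jdk-bundle/jre-bundle remain unsigned`, would stop downstream packaging from picking up the unsigned tree by mistake. No clean rule is visible in this patch, so it is also worth checking that the existing clean targets remove the two new directories, because a stale signed tree could otherwise survive into a later build.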