Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MacOS hardened runtime support #1130

Closed
tkie opened this issue Jun 25, 2019 · 120 comments · Fixed by #1199
Closed

MacOS hardened runtime support #1130

tkie opened this issue Jun 25, 2019 · 120 comments · Fixed by #1199
Assignees
Labels
enhancement Issues that enhance the code or documentation of the repo in any way
Milestone

Comments

@tkie
Copy link

tkie commented Jun 25, 2019

I would like to bundle the AdoptOpenJDK into a MacOS application. To use Apple's notary service all executables in my app have to be codesigned with hardened runtime support.

The ApoptOpenJDK executables are codesigned already, but unfortunately without hardened runtime support.

I can re-sign them myself like this:

codesign --verbose --options runtime --force --sign "Developer ID Application: SecSign Technologies Inc." bin/java

but apparently this damages the executables. For example "java" is not able to print its version any more:

java --version
Error occurred during initialization of VM
Could not reserve enough space in CodeHeap 'non-nmethods' (2496K)

Would the ApoptOpenJDK team be able to enable the hardened runtime ("--options runtime") during the codesigning in the build process of the AdoptOpenJDK? This would be great.

Thank you in advance for any comments on this issue.

Kind regards
Tilo

@karianna karianna added the enhancement Issues that enhance the code or documentation of the repo in any way label Jun 25, 2019
@karianna karianna added this to the June 2019 milestone Jun 25, 2019
@karianna karianna modified the milestones: June 2019, July 2019 Jul 5, 2019
@gdams
Copy link
Member

gdams commented Jul 29, 2019

when I try and add this flag I get the following error:
error: invalid or inappropriate API flag(s) specified

@karianna
Copy link
Contributor

@tkie Do you have any further insights here?

@karianna karianna added this to the July 2019 milestone Jul 30, 2019
@gdams
Copy link
Member

gdams commented Jul 30, 2019

looking at https://help.apple.com/xcode/mac/current/#/dev033e997ca it suggests that we may need to codesign on macOS 10.13 or above, let me have a play here.

@tkie
Copy link
Author

tkie commented Jul 30, 2019

I use XCode Version 10.3 (10G8) on MacOS 10.14.6.
I don't know which is the minimum XCode version to support the hardened runtime, but it is a rather new feature.

@gdams
Copy link
Member

gdams commented Jul 30, 2019

okay so I've made a bit of progress here, I can sign enable a jdk12 build. In order to work around the error:

Error occurred during initialization of VM
Could not reserve enough space in CodeHeap 'non-nmethods' (2496K)

you need to add entitlements in the form of a plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
</dict>
</plist>

and then add --entitlements <path to entitlements.plist> as a flag when you codesign.

inspecting the executable I can now see the runtime option:

➜  Home codesign -dvvv ./bin/java
Executable=/Users/gdams/tmp/jdk-11.0.4+11/Contents/Home/bin/java
Identifier=net.java.openjdk.cmd
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=832 flags=0x10000(runtime) hashes=17+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=89dde46e6d5094c92508bc3d95ecf04cbf2e5c6b
CandidateCDHash sha256=7504cd1dc13d553e9cb3d469a508900a34d3cbc7
Hash choices=sha1,sha256
CDHash=7504cd1dc13d553e9cb3d469a508900a34d3cbc7
Signature size=9037
Authority=Developer ID Application: London Jamocha Community CIC (VDX7B37674)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=30 Jul 2019 at 11:12:25
Info.plist entries=4
TeamIdentifier=VDX7B37674
Runtime Version=10.10.0
Sealed Resources=none
Internal requirements count=1 size=180

@gdams
Copy link
Member

gdams commented Jul 30, 2019

@tkie can you confirm that the above also works for you? If it does then I'll get that change added to the build scripts.

@gdams
Copy link
Member

gdams commented Jul 30, 2019

I've also managed to make this work on jdk8 by adding this to the entitlements.plist file:

<key>com.apple.security.cs.disable-library-validation</key>
<true/>

@gdams
Copy link
Member

gdams commented Jul 30, 2019

test jdk11 app notarization: report (successful)

test jdk12 app notarization: report (successful)

@tkie
Copy link
Author

tkie commented Jul 30, 2019

@gdams I'm sorry, I have never built the JDK myself. I have always downloaded binary distributions. Maybe you could make your today's JDK 11 test build for MacOS available for download somewhere? Then I could try to get a notarization from Apple for my application into which I would like bundle the JDK. So I could confirm whether your change works.

@gdams
Copy link
Member

gdams commented Jul 31, 2019

@tkie I've landed a fix that fixes anything on JDK11+. Please note that this change won't be noticeable until our next release (I'll discuss with the Adopt folks the possibility of a re-release so that people can consume this immediately.

On JDK8 we still have an issue:

The binary uses an SDK older than the 10.9 SDK

My suggestion would be that we investigate shipping a JDK8 build that is optimized for bundling (i.e built on a later toolchain) but this might not be a simple task as it requires a load of backports from later JDK's to the JDK8u repo.

@gdams
Copy link
Member

gdams commented Jul 31, 2019

@tkie
Copy link
Author

tkie commented Jul 31, 2019

@gdams Thank you for the JDK12 build. I can confirm that my application including the JRE from OpenJDK12U-jre_x64_mac_hotspot_2019-07-31-11-04.tar.gz was notarized by Apple.

@tkie
Copy link
Author

tkie commented Jul 31, 2019

@gdams I have also tested with OpenJDK11U-jre_x64_mac_hotspot_2019-07-31-11-27.tar.gz. Notarization with it was also successful.
From my point of view the issue is solved and it would not be necessary to investigate Java 8.
Thank you for having solved this issue for Java 11 and above.

@karianna karianna modified the milestones: July 2019, August 2019 Aug 6, 2019
@thartwell
Copy link

We also get the "The binary uses an SDK older than the 10.9 SDK" error when we attempt to notarize our application with Java 1.8 Runtime included .

We currently need to stay with Java 1.8 so can't upgrade to a more recent Java.

Is there a date when an updated Java 1.8 runtime will be available that will pass this notarization test ?

@benjohnde
Copy link

@adamulrich
Copy link

When can we expect an openjdk 8 build that passes notarization?

@aahlenst
Copy link
Contributor

@meshcow Hard to estimate. That's why I gave no estimate in the first place. Pipelines with the regular builds are still running (for example, 14.0.1 with HotSpot and 11.0.7 with OpenJ9). The version with hardened runtime will be built afterwards.

@karianna
Copy link
Contributor

@meshcow - we'll be building an 8u252.1 to test our Mac Os notarization patch, should be here in a day or two.

@ijabz
Copy link

ijabz commented Apr 17, 2020

FYI I used BellSoft 8u252 to try and get a libAppleScriptEngine.dylib that is built against later sdk to allow notarization, and can confirm that worked.

@ijabz
Copy link

ijabz commented Apr 17, 2020

Can also confirm I bundled AdoptJDk 11.0.7 JRE build and into my app and successfully notarized my application.

@as1an
Copy link

as1an commented Apr 17, 2020

FYI I used BellSoft 8u252 to try and get a libAppleScriptEngine.dylib that is built against later sdk to allow notarization, and can confirm that worked.

Could you tell, please, what you are using to bundle jre with your app? When I use javapackager it says fxbundlerpath/Contents/MacOS/libpackager.dylib: is already signed.
And how do you do that with AdoptJDK 11?

@ijabz
Copy link

ijabz commented Apr 17, 2020

I used Appbundler (InfinityKind fork) - https://github.com/TheInfiniteKind/appbundler/
I will try and post a full detailed answer on stackoveflow tomorrow

@ijabz
Copy link

ijabz commented Apr 18, 2020

@as1an Added answer to my own question at https://stackoverflow.com/questions/58548736/notarize-existing-java-application-for-macos-catalina

@Ram-Krishnamurthy
Copy link

Anyone has a J9 JVM 1.8 notarized build for us to test?

@Ram-Krishnamurthy
Copy link

@meshcow Hard to estimate. That's why I gave no estimate in the first place. Pipelines with the regular builds are still running (for example, 14.0.1 with HotSpot and 11.0.7 with OpenJ9). The version with hardened runtime will be built afterwards.

@aahlenst Will this include J9 version of 1.8 JVM as well?

@karianna
Copy link
Contributor

It's coming this week.

@Ram-Krishnamurthy
Copy link

Great thanks!

@gdams
Copy link
Member

gdams commented Apr 22, 2020

A Notarized JDK8u Hotspot binary has been released today jdk8u252-b09.1

https://adoptopenjdk.net/archive.html?variant=openjdk8&jvmVariant=hotspot

Try it out and let us know if you have any issues!

OpenJ9 will also be out shortly

@meshcow
Copy link

meshcow commented Apr 22, 2020

We were able to notarize our app with bundled hotspot 8u252-b09.1 JRE successfully.
Thank you guys very much!

@Ram-Krishnamurthy
Copy link

@meshcow Does your app embed the JVM or it uses it externally? We are seeing runtime issue saying the signature is different in the JVM from our app signature.

@meshcow
Copy link

meshcow commented Apr 22, 2020

@meshcow Does your app embed the JVM or it uses it externally? We are seeing runtime issue saying the signature is different in the JVM from our app signature.

The JVM is embedded (JNI), the app is signed by our cert. We didn't sign anything within JRE, as it turned out everything in it was signed already.
No issues so far.

@addsomebass
Copy link

@meshcow I know this is unrelated, and I apologize if this is not the right forum for this, but I have been struggling to get JNI working in a bundled app, and I was wondering if you could share any resources that helped you get there. All of the current java app bundlers I can find produce an un-hardened executable that prevents notarization, even when the JRE is notarizable.

Any help to get over this last hurdle would be much appreciated.

@meshcow
Copy link

meshcow commented Apr 23, 2020

@addsomebass - We use standard by-the-book approach: a small launcher written in Objective C which uses Java Invocation API to load the JVM and start our [pure] Java app with it. The launcher gets put into the OSX app's directory under /Contents/MacOs. The JRE gets put there into java app folder under /Contents/[app-name]/jre.
The OSX app gets signed, and then it is ready to be sent for notrization. We use the following cmd-line args for codesign: --strict --timestamp --entitlements entitlements.plist --force --deep --options runtime, and the entitlemenst.plist contents is as in this answer: https://stackoverflow.com/a/58553559.

So the only thing I could advice is to create your own launcher. It shouldn't be that hard, there are plenty of examples you can find, e.g. https://github.com/search?l=Objective-C&q=JNI_createJavaVM&type=Code

@dg76
Copy link

dg76 commented Apr 23, 2020

@addsomebass I think you don't need an own launcher. I am using JNI in a normal Java program that is bundled using the Java packager jpackage of Java 14. You can find my steps here: https://blog.dgunia.de/2020/02/12/signed-macos-programs-with-java-14/ It describes only the signing, not the JNI part. But I have created a normal JNI dylib file that is also signed during that process. It works fine so far, it was possible to notarize it.

@meshcow
Copy link

meshcow commented Apr 23, 2020

@addsomebass @dg76 Java 8 is our case, not 14

@addsomebass
Copy link

@meshcow @dg76 thanks for the tips. We need to use Java 8 as well due to RMI changes.

@meydominic
Copy link

meydominic commented Apr 30, 2020

Thanks for supporting notarization now. But where ist javapackager in package? I can only find "normal" jdk8 build without javapackager. Is there a full jdk with javapackager built in?

@Ram-Krishnamurthy
Copy link

Ram-Krishnamurthy commented May 5, 2020

@gdams @aahlenst
We used the Open J9 hardened version released last week and we got this error from Apple during notarization:

{ "severity": "error", "code": null, "path": "/jre/Contents/MacOS/libjli.dylib", "message": "The signature of the binary is invalid.", "docUrl": null, "architecture": "x86_64" }

It says libjli.dylib has no signature, but I believe its a link file?

We also tried this command

File downloaded - OpenJDK8U-jre_x64_mac_openj9_macosXL_8u252b09_openj9-0.20.0.tar.gz* unzipped it to the folder jdk8u252-b09-jre-j9 and then checked signature -
codesign -vvvv jdk8u252-b09-jre-j9jdk8u252-b09-jre-j9/: code has no resources but signature indicates they must be present

Not sure if both are related. Is there a fix for this?

Thank you.

@aahlenst
Copy link
Contributor

aahlenst commented May 6, 2020

If you need help, please open issues in https://github.com/adoptopenjdk/openjdk-support/.

@adoptium adoptium locked as resolved and limited conversation to collaborators May 6, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
enhancement Issues that enhance the code or documentation of the repo in any way
Projects
None yet
Development

Successfully merging a pull request may close this issue.