Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8270199

Most SA tests are skipped on macosx-aarch64 because all executables are signed



    • Type: Bug
    • Status: In Progress
    • Priority: P3
    • Resolution: Unresolved
    • Affects Version/s: 17, 18
    • Fix Version/s: 18
    • Component/s: hotspot
    • Subcomponent:
    • Understanding:
      Fix Understood


      For any SA test that attaches to an OSX process (this would be all SA tests except for that test core file support), there is a check to make sure that the target jvm process is not a signed binary. If it is, SkippedException is thrown, and the test passes without doing anything. This is all we can do since being signed implied being notarized, and debuggers cannot attach to a notarized binary.

      I recently just noticed that on macosx-aarch64, all our SA tests that attach to a process were being skipped because the binary was signed, even for debug builds. It turns out that for macosx-aarch64, the linker always ads what is known as ad-hoc signing. You can find some info on ad-hoc signing here:


      The tests use the codesign tool to determine if the binary is signed. Normally the check just relies on getting an error code of 1 when not signed, but since all binaries are now signed on macosx-aarch64, we need to modify the check to ignore ad-hoc signing.

      Using "codesign --display" on an an ad-hoc signed binary shows couple lines in the output that are of interest:

      bash-3.2$ codesign --display --verbose=4 a.out
      CodeDirectory v=20400 size=254 flags=0x20002(adhoc,linker-signed) hashes=5+0 location=embedded

      Whereas the output for a truly signed binary contains the following:

      bash-3.2$ codesign --display --verbose=4 /Applications/Safari.app/
      CodeDirectory v=20100 size=513 flags=0x2000(library-validation) hashes=9+5 location=embedded
      Signature size=4442
      Authority=Software Signing
      Authority=Apple Code Signing Certification Authority
      Authority=Apple Root CA
      Signed Time=May 13, 2021 at 10:54:23 AM
      Internal requirements count=1 size=64

      I think looking for "Signature=adhoc" should be sufficient for detecting ad-hoc signed binaries. We should be able to do a debugger attach to these binaries since they can't be notarized.


          Issue Links



              cjplummer Chris Plummer
              cjplummer Chris Plummer
              0 Vote for this issue
              5 Start watching this issue