On Wed, 14 Sep 2022 20:25:03 GMT, Erik Joelsson <er...@openjdk.org> wrote:
> When signing Macos binaries, it's possible to add various entitlements. We > already do this for things that Java and the JDK needs when actually signing > the binaries. > > There is a special entitlement "com.apple.security.get-task-allow" which is > needed to be able to debug an application and to get core dumps. Xcode will > automatically set this on debug builds, but not on release builds. We never > include this as it's not allowed when notarizing applications. > > I was recently made aware of the possibility of adding entitlements without > actually signing a binary, using the codesign tool. This makes it possible > for us to add the get-task-allow entitlement to builds that are never > intended to be notarized. We can also be consistent with adding the standard > set of entitlements to all builds, regardless of if proper signing is going > to be performed. > > Not adding any entitlements to non signed builds is currently not a problem > on x64, however, on aarch64, the Xcode linker will unconditionally always > perform an "adhoc" signing without any entitlements. This is blocking at > least core file generation from those binaries, and probably other kinds of > debug operations as well. > > In this change, I propose that we by default always add entitlements to all > builds, and as long as we aren't explicitly signing with a real signing > identity with hardened runtime enabled, we also add the get-task-allow > entitlement. The codesign behavior is controlled with the new configure > parameter `--with-macosx-codesign=[hardened|debug|auto]`. Marked as reviewed by mikael (Reviewer). make/autoconf/jdk-options.m4 line 702: > 700: > ################################################################################ > 701: # > 702: # Setup signing on Macos. This can either be setup to sign with a real > identity nit: macOS (same below)? ------------- PR: https://git.openjdk.org/jdk/pull/10275