On Wed, 14 Sep 2022 21:55:03 GMT, Erik Joelsson <er...@openjdk.org> wrote:

>> When signing macOS binaries, it's possible to add various entitlements. We 
>> already do this for things that Java and the JDK needs when actually signing 
>> the binaries.
>> 
>> There is a special entitlement "com.apple.security.get-task-allow" which is 
>> needed to be able to debug an application and to get core dumps. Xcode will 
>> automatically set this on debug builds, but not on release builds. We never 
>> include this as it's not allowed when notarizing applications.
>> 
>> I was recently made aware of the possibility of adding entitlements without 
>> actually signing a binary, using the codesign tool. This makes it possible 
>> for us to add the get-task-allow entitlement to builds that are never 
>> intended to be notarized. We can also be consistent with adding the standard 
>> set of entitlements to all builds, regardless of whether proper signing is going 
>> to be performed.
>> 
>> Not adding any entitlements to non-signed builds is currently not a problem 
>> on x64, however, on aarch64, the Xcode linker will unconditionally always 
>> perform an "adhoc" signing without any entitlements. This is blocking at 
>> least core file generation from those binaries, and probably other kinds of 
>> debug operations as well.
>> 
>> In this change, I propose that we by default always add entitlements to all 
>> builds, and as long as we aren't explicitly signing with a real signing 
>> identity with hardened runtime enabled, we also add the get-task-allow 
>> entitlement. The codesign behavior is controlled with the new configure 
>> parameter `--with-macosx-codesign=[hardened|debug|auto]`.
>
> Erik Joelsson has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Comment fix

I verified that the changes do fix the SA issue with not getting core files 
produced on macosx-aarch64. I didn't review the makefile logic since I don't 
understand the makefiles well enough to do so, but what you have outlined in 
the documentation makes sense, sans the few comments I had.

doc/building.html line 528:

> 526: <h3 id="macos-1">macOS</h3>
> 527: <p>On modern versions of macOS, signing and notarizing applications are 
> required before distribution. For more background on what this means and how 
> it works, see Apple's documentation. To help support this, the JDK build can 
> be configured to automatically sign all native binaries and the JDK bundle 
> with all the options needed for successful notarization, as well as all the 
> entitlements required by the JDK. To enable <code>hardened</code> signing, 
> use configure parameter <code>--with-macosx-codesign=hardened</code> and 
> configure the signing identity you wish to use with 
> <code>--with-macosx-codesign-identity=&lt;identity&gt;</code>. The identity 
> refers to a signing identity from Apple that needs to be preinstalled on the 
> build host.</p>
> 528: <p>When not signing with the hardened option for distribution, the JDK 
> build will still attempt to perform <code>adhoc</code> signing, to add the 
> special entitlement <code>com.apple.security.get-task-allow</code> to each 
> binary. This entitlement is required to be able to debug a process or dump 
> its core. Note that adding this entitlement makes the build invalid for 
> notarization, so it is only added when signing in <code>debug</code> mode. To 
> explicitly enable this kind of adhoc signing use configure parameter 
> <code>--with-macosx-codesign=debug</code>. It will be enabled by default in 
> most cases.</p>

Remove the second comma.

Add comma after "To explicitly enable this kind of adhoc signing"

I don't think com.apple.security.get-task-allow is needed to debug a process. 
That has been working fine for SA on macosx-aarch64, even with the adhoc 
signing that Xcode does by default. I think it might be what is needed for 
notarized binaries in order to attach to them, but clearly that can't be done 
as part of the build if you want to notarize.

doc/building.html line 529:

> 527: <p>On modern versions of macOS, signing and notarizing applications are 
> required before distribution. For more background on what this means and how 
> it works, see Apple's documentation. To help support this, the JDK build can 
> be configured to automatically sign all native binaries and the JDK bundle 
> with all the options needed for successful notarization, as well as all the 
> entitlements required by the JDK. To enable <code>hardened</code> signing, 
> use configure parameter <code>--with-macosx-codesign=hardened</code> and 
> configure the signing identity you wish to use with 
> <code>--with-macosx-codesign-identity=&lt;identity&gt;</code>. The identity 
> refers to a signing identity from Apple that needs to be preinstalled on the 
> build host.</p>
> 528: <p>When not signing with the hardened option for distribution, the JDK 
> build will still attempt to perform <code>adhoc</code> signing, to add the 
> special entitlement <code>com.apple.security.get-task-allow</code> to each 
> binary. This entitlement is required to be able to debug a process or dump 
> its core. Note that adding this entitlement makes the build invalid for 
> notarization, so it is only added when signing in <code>debug</code> mode. To 
> explicitly enable this kind of adhoc signing use configure parameter 
> <code>--with-macosx-codesign=debug</code>. It will be enabled by default in 
> most cases.</p>
> 529: <p>If no macosx codesign option is specified, the default is to try for 
> <code>hardened</code> signing if the debug level is <code>release</code> and 
> either the default identity or the specified identity is valid, if not 
> <code>debug</code> signing is chosen if it works and if nothing works, the 
> codesign step is skipped. Note that on <code>aarch64</code>, the Xcode linker 
> will always perform a default <code>adhoc</code> signing without any 
> entitlements, causing debugging and core dumps not to work, unless this is 
> signature replaced by the <code>debug</code> sign operation.</p>

The first sentence is hard to read. Should be broken up and/or restructured.

"unless this is signature" -> "unless this signature"

"sign operation" -> "codesign option"?

-------------

PR: https://git.openjdk.org/jdk/pull/10275
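A check that fits the two signing modes discussed in this thread, added here as an example and not part of the PR or the JDK build system: given the entitlements plist that `codesign -d --entitlements` prints for a binary on macOS (the helper names and the two sample plists below are constructed), it verifies that a `hardened` build carries no `com.apple.security.get-task-allow` and that a `debug` build does.

```shell
#!/bin/sh
# Added example, not part of the OpenJDK PR or the JDK build system.
# Policy check for the two signing modes discussed in the thread:
#   hardened -> must NOT carry com.apple.security.get-task-allow (notarization)
#   debug    -> must carry it (debugger attach, core dumps)
# On macOS the plist would come from:  codesign -d --entitlements :- "$binary"
# Here it is passed as text so the check runs offline.

# Return 0 if the entitlements plist grants boolean entitlement $2 as <true/>.
entitlement_granted() {
    plist="$1"; key="$2"
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for grep
    # Join lines so <key>...</key> and <true/> may be split across lines.
    printf '%s\n' "$plist" | tr -d '\n' \
        | grep -q "<key>$key_re</key>[[:space:]]*<true/>"
}

# check_mode MODE PLIST: print a verdict; return 0 when the entitlements are
# consistent with MODE (hardened|debug, the values of --with-macosx-codesign).
check_mode() {
    mode="$1"; plist="$2"
    if entitlement_granted "$plist" com.apple.security.get-task-allow; then
        has_gta=1
    else
        has_gta=0
    fi
    case "$mode" in
        hardened)
            [ "$has_gta" -eq 0 ] && { echo "OK: hardened, no get-task-allow"; return 0; }
            echo "FAIL: get-task-allow present; notarization would reject this build"
            return 1 ;;
        debug)
            [ "$has_gta" -eq 1 ] && { echo "OK: debug, get-task-allow present"; return 0; }
            echo "FAIL: get-task-allow missing; attach and core dumps will not work"
            return 1 ;;
        *)  echo "unknown mode: $mode"; return 2 ;;
    esac
}

# Constructed sample plists standing in for codesign output.
DEBUG_PLIST='<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.get-task-allow</key>
  <true/>
</dict></plist>'
RELEASE_PLIST='<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
</dict></plist>'

check_mode debug "$DEBUG_PLIST"
check_mode hardened "$RELEASE_PLIST"
check_mode hardened "$DEBUG_PLIST" || true   # demonstrates the failing case
```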
