On Thu, 15 Sep 2022 02:29:29 GMT, Chris Plummer <cjplum...@openjdk.org> wrote:
>> Erik Joelsson has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>>   Comment fix
>
> doc/building.html line 528:
>
>> 526: <h3 id="macos-1">macOS</h3>
>> 527: <p>On modern versions of macOS, signing and notarizing applications are
>> required before distribution. For more background on what this means and how
>> it works, see Apple's documentation. To help support this, the JDK build can
>> be configured to automatically sign all native binaries and the JDK bundle
>> with all the options needed for successful notarization, as well as all the
>> entitlements required by the JDK. To enable <code>hardened</code> signing,
>> use configure parameter <code>--with-macosx-codesign=hardened</code> and
>> configure the signing identity you wish to use with
>> <code>--with-macosx-codesign-identity=<identity></code>. The identity
>> refers to a signing identity from Apple that needs to be preinstalled on the
>> build host.</p>
>> 528: <p>When not signing with the hardened option for distribution, the JDK
>> build will still attempt to perform <code>adhoc</code> signing, to add the
>> special entitlement <code>com.apple.security.get-task-allow</code> to each
>> binary. This entitlement is required to be able to debug a process or dump
>> its core. Note that adding this entitlement makes the build invalid for
>> notarization, so it is only added when signing in <code>debug</code> mode.
>> To explicitly enable this kind of adhoc signing use configure parameter
>> <code>--with-macosx-codesign=debug</code>. It will be enabled by default in
>> most cases.</p>
>
> Remove the second comma.
>
> Add comma after "To explicitly enable this kind of adhoc signing"
>
> I don't think com.apple.security.get-task-allow is needed to debug a process.
> That has been working fine for SA on macosx-aarch64, even with the adhoc
> signing that Xcode does by default. I think it might be what is needed for
> notarized binaries in order to attach to them, but clearly that can't be done
> as part of the build if you want to notarize.

Thanks, I reworked the text.

-------------

PR: https://git.openjdk.org/jdk/pull/10275
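
The quoted documentation says that `com.apple.security.get-task-allow` makes a build invalid for notarization. The following is an added example, not part of this thread or of the JDK build: a pre-notarization gate that flags binaries whose entitlements set that key to true. The file paths and sample entitlement plists are constructed; on a real build host the XML would come from `codesign -d --entitlements :- <binary>`.

```python
import plistlib

GET_TASK_ALLOW = "com.apple.security.get-task-allow"

def _plist(body: bytes) -> bytes:
    """Wrap entitlement entries in a minimal XML property list (sample helper)."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<plist version="1.0"><dict>' + body + b'</dict></plist>')

# Constructed sample entitlements, keyed by hypothetical binary path.
SAMPLES = {
    "build/debug/bin/java": _plist(
        b"<key>com.apple.security.cs.allow-jit</key><true/>"
        b"<key>com.apple.security.get-task-allow</key><true/>"),
    "build/hardened/bin/java": _plist(
        b"<key>com.apple.security.cs.allow-jit</key><true/>"),
    "build/hardened/bin/jcmd": _plist(
        b"<key>com.apple.security.get-task-allow</key><false/>"),
    "build/unsigned/bin/tool": b"",  # no signature: codesign emits no plist
}

def has_get_task_allow(xml: bytes) -> bool:
    """True only when the entitlement is present and explicitly true."""
    xml = xml.strip()  # plistlib rejects leading whitespace before the header
    if not xml:
        return False
    entitlements = plistlib.loads(xml)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return entitlements.get(GET_TASK_ALLOW) is True

def notarization_blockers(binaries: dict) -> list:
    """Return the sorted paths that carry the debug-only entitlement."""
    return sorted(p for p, xml in binaries.items() if has_get_task_allow(xml))

if __name__ == "__main__":
    for path in notarization_blockers(SAMPLES):
        print(f"{path}: {GET_TASK_ALLOW} is set, not eligible for notarization")
```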