> When signing Macos binaries, it's possible to add various entitlements. We > already do this for things that Java and the JDK needs when actually signing > the binaries. > > There is a special entitlement "com.apple.security.get-task-allow" which is > needed to be able to debug an application and to get core dumps. Xcode will > automatically set this on debug builds, but not on release builds. We never > include this as it's not allowed when notarizing applications. > > I was recently made aware of the possibility of adding entitlements without > actually signing a binary, using the codesign tool. This makes it possible > for us to add the get-task-allow entitlement to builds that are never > intended to be notarized. We can also be consistent with adding the standard > set of entitlements to all builds, regardless of if proper signing is going > to be performed. > > Not adding any entitlements to non signed builds is currently not a problem > on x64, however, on aarch64, the Xcode linker will unconditionally always > perform an "adhoc" signing without any entitlements. This is blocking at > least core file generation from those binaries, and probably other kinds of > debug operations as well. > > In this change, I propose that we by default always add entitlements to all > builds, and as long as we aren't explicitly signing with a real signing > identity with hardened runtime enabled, we also add the get-task-allow > entitlement. The codesign behavior is controlled with the new configure > parameter `--with-macosx-codesign=[hardened|debug|auto]`.
Erik Joelsson has updated the pull request incrementally with one additional commit since the last revision: Updated doc again ------------- Changes: - all: https://git.openjdk.org/jdk/pull/10275/files - new: https://git.openjdk.org/jdk/pull/10275/files/b0b4c7bd..b14a6b14 Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=10275&range=04 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=10275&range=03-04 Stats: 14 lines in 2 files changed: 7 ins; 0 del; 7 mod Patch: https://git.openjdk.org/jdk/pull/10275.diff Fetch: git fetch https://git.openjdk.org/jdk pull/10275/head:pull/10275 PR: https://git.openjdk.org/jdk/pull/10275
