On Thu, 15 Sep 2022 18:30:46 GMT, Erik Joelsson <er...@openjdk.org> wrote:
>> When signing macOS binaries, it's possible to add various entitlements. We
>> already do this for things that Java and the JDK needs when actually signing
>> the binaries.
>>
>> There is a special entitlement "com.apple.security.get-task-allow" which is
>> needed to be able to debug an application and to get core dumps. Xcode will
>> automatically set this on debug builds, but not on release builds. We never
>> include this as it's not allowed when notarizing applications.
>>
>> I was recently made aware of the possibility of adding entitlements without
>> actually signing a binary, using the codesign tool. This makes it possible
>> for us to add the get-task-allow entitlement to builds that are never
>> intended to be notarized. We can also be consistent with adding the standard
>> set of entitlements to all builds, regardless of whether proper signing is
>> going to be performed.
>>
>> Not adding any entitlements to non-signed builds is currently not a problem
>> on x64, however, on aarch64, the Xcode linker will unconditionally always
>> perform an "adhoc" signing without any entitlements. This is blocking at
>> least core file generation from those binaries, and probably other kinds of
>> debug operations as well.
>>
>> In this change, I propose that we by default always add entitlements to all
>> builds, and as long as we aren't explicitly signing with a real signing
>> identity with hardened runtime enabled, we also add the get-task-allow
>> entitlement. The codesign behavior is controlled with the new configure
>> parameter `--with-macosx-codesign=[hardened|debug|auto]`.
>
> Erik Joelsson has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Updated doc again

doc/building.html line 529:

> 527: <p>Modern versions of macOS require applications to be signed and
> notarized before distribution. See Apple's documentation for more background
> on what this means and how it works. To help support this, the JDK build can
> be configured to automatically sign all native binaries, and the JDK bundle,
> with all the options needed for successful notarization, as well as all the
> entitlements required by the JDK. To enable <code>hardened</code> signing,
> use configure parameter <code>--with-macosx-codesign=hardened</code> and
> configure the signing identity you wish to use with
> <code>--with-macosx-codesign-identity=<identity></code>. The identity
> refers to a signing identity from Apple that needs to be preinstalled on the
> build host.</p>
> 528: <p>When not signing for distribution with the hardened option, the JDK
> build will still attempt to perform <code>adhoc</code> signing, to add the
> special entitlement <code>com.apple.security.get-task-allow</code> to each
> binary. This entitlement is required to be able to attach to a process or
> dump its core. Note that adding this entitlement makes the build invalid for
> notarization, so it is only added when signing in <code>debug</code> mode. To
> explicitly enable this kind of adhoc signing, use configure parameter
> <code>--with-macosx-codesign=debug</code>. It will be enabled by default in
> most cases.</p>
> 529: <p>It's also possible to completely disable any explicit codesign
> operations done by the JDK build using the configure parameter
> <code>--without-macosx-codesign</code>. The exact behavior then depends on
> the architecture. For macOS on x64, it (at least at the time of this writing)
> results in completely unsigned binaries that should still work fine for
> development and debugging purposes. On aarch64, the Xcode linker will apply a
> default "adhoc" signing, without any entitlements. Such a build
> will not allow being attached to or dumping core.</p>

I think GitHub messed with the lines I previously selected, so it wasn't always
clear which lines my comments were referring to:

> <code>adhoc</code> signing, to add the special entitlement

You can remove this comma.

> This entitlement is required to be able to attach to a process or dump its
> core.

Only needed to produce a core file.

> Such a build will not allow being attached to or dumping core

Attaching is still allowed. SA tests that attach to a process have been passing
on macosx-aarch64. I assume lldb attaching has worked also, although I didn't
try.

-------------

PR: https://git.openjdk.org/jdk/pull/10275
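The two signing modes discussed above (`hardened` with a real identity and the hardened runtime, versus ad-hoc `debug` signing that adds `com.apple.security.get-task-allow`), shown as an added POSIX shell example. This is not the JDK build's own code and not from the PR: the entitlement keys other than `get-task-allow` are assumptions about what a JVM typically needs (the real list lives in the JDK build files), the file and identity names are placeholders, and `codesign_command` only prints the command line so the script can be exercised on a non-macOS host. Only `has_get_task_allow` actually invokes `codesign`.

```shell
#!/bin/sh
# Added example, not part of the JDK build or the PR. Builds an entitlements
# plist for the "hardened" and "debug" modes and the matching codesign
# invocation. Entitlement keys besides get-task-allow are assumptions.
set -eu

# Print an entitlements plist to stdout. $1 is the mode: hardened or debug.
# In debug mode com.apple.security.get-task-allow is added: it lets a debugger
# or the core-dump path obtain the task port, but Apple's notarization service
# rejects binaries that carry it, so it must never be set in hardened mode.
make_entitlements() {
    mode="$1"
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
EOF
    if [ "$mode" = debug ]; then
        cat <<'EOF'
    <key>com.apple.security.get-task-allow</key>
    <true/>
EOF
    fi
    cat <<'EOF'
</dict>
</plist>
EOF
}

# Print the codesign command line for a mode (does not run it).
#   $1 mode, $2 entitlements plist, $3 binary, $4 signing identity (hardened only)
# hardened: real identity plus --options runtime (hardened runtime), which is
#           what notarization requires.
# debug:    identity "-" is the ad-hoc signature, no certificate involved;
#           -f re-signs even if the linker already applied an ad-hoc signature
#           (the aarch64 case described in the PR).
codesign_command() {
    mode="$1"; plist="$2"; binary="$3"; identity="${4:-}"
    case "$mode" in
        hardened)
            [ -n "$identity" ] || { echo "hardened mode needs a signing identity" >&2; return 1; }
            echo "codesign -f -s \"$identity\" --options runtime --entitlements $plist $binary" ;;
        debug)
            echo "codesign -f -s - --entitlements $plist $binary" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# macOS only: report whether a signed binary carries get-task-allow.
# The display format of "codesign -d --entitlements -" differs between macOS
# versions, but the key name appears in all of them, so a grep is enough.
has_get_task_allow() {
    codesign -d --entitlements - "$1" 2>/dev/null | grep -q 'com.apple.security.get-task-allow'
}

# Usage (placeholder paths):
#   make_entitlements debug > entitlements.plist
#   codesign_command debug entitlements.plist build/jdk/bin/java
#   has_get_task_allow build/jdk/bin/java && echo "core dumps possible, not notarizable"
```

The check in `has_get_task_allow` is the one to run on a freshly built `bin/java` when core files are not being produced on aarch64: an ad-hoc signature from the linker alone will not carry the entitlement, while a `--with-macosx-codesign=debug` build will.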