On Thu, 15 Sep 2022 23:17:39 GMT, Erik Joelsson <er...@openjdk.org> wrote:

>> When signing macOS binaries, it's possible to add various entitlements. We 
>> already do this for things that Java and the JDK need when actually signing 
>> the binaries.
>> 
>> There is a special entitlement "com.apple.security.get-task-allow" which is 
>> needed to be able to debug an application and to get core dumps. Xcode will 
>> automatically set this on debug builds, but not on release builds. We never 
>> include this as it's not allowed when notarizing applications.
>> 
>> I was recently made aware of the possibility of adding entitlements without 
>> actually signing a binary, using the codesign tool. This makes it possible 
>> for us to add the get-task-allow entitlement to builds that are never 
>> intended to be notarized. We can also be consistent with adding the standard 
>> set of entitlements to all builds, regardless of if proper signing is going 
>> to be performed.
>> 
>> Not adding any entitlements to non-signed builds is currently not a problem 
>> on x64, however, on aarch64, the Xcode linker will unconditionally always 
>> perform an "adhoc" signing without any entitlements. This is blocking at 
>> least core file generation from those binaries, and probably other kinds of 
>> debug operations as well.
>> 
>> In this change, I propose that we by default always add entitlements to all 
>> builds, and as long as we aren't explicitly signing with a real signing 
>> identity with hardened runtime enabled, we also add the get-task-allow 
>> entitlement. The codesign behavior is controlled with the new configure 
>> parameter `--with-macosx-codesign=[hardened|debug|auto]`.
>
> Erik Joelsson has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Updated doc

Marked as reviewed by cjplummer (Reviewer).

-------------

PR: https://git.openjdk.org/jdk/pull/10275
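
An added example (not part of the pull request or the JDK build system): a check that a binary's entitlements match the codesign mode it was built for, flagging get-task-allow on builds meant for notarization and its absence on debug builds. The function name, the sample plist and the reading of `hardened` and `debug` as "must not carry" and "must carry" get-task-allow are assumptions drawn from the description above; `auto` is not modelled.

```python
import plistlib

GET_TASK_ALLOW = "com.apple.security.get-task-allow"

# Constructed sample: entitlements in XML plist form for a debug build.
DEBUG_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: an adhoc-signed binary with no entitlements at all,
# the aarch64 linker case described in the message.
NO_ENTITLEMENTS = b""


def audit_entitlements(plist_bytes, mode):
    """Return a list of findings for a binary built in the given mode.

    mode is "hardened" (real identity, hardened runtime, may be notarized)
    or "debug" (never notarized, must stay debuggable). Hypothetical helper.
    """
    if mode not in ("hardened", "debug"):
        raise ValueError("unsupported mode: %r" % (mode,))
    # An empty blob means the signature carries no entitlements.
    entitlements = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    # Only an explicit boolean true grants the entitlement.
    has_get_task_allow = entitlements.get(GET_TASK_ALLOW) is True
    findings = []
    if mode == "hardened" and has_get_task_allow:
        findings.append(GET_TASK_ALLOW + " present: not allowed when notarizing")
    if mode == "debug" and not has_get_task_allow:
        findings.append(GET_TASK_ALLOW + " missing: debugging and core dumps blocked")
    return findings


if __name__ == "__main__":
    for name, blob in (("debug", DEBUG_ENTITLEMENTS), ("adhoc", NO_ENTITLEMENTS)):
        for mode in ("hardened", "debug"):
            print(name, mode, audit_entitlements(blob, mode) or "ok")
```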
