On Wed, 14 Sep 2022 20:25:03 GMT, Erik Joelsson <er...@openjdk.org> wrote:

> When signing macOS binaries, it's possible to add various entitlements. We 
> already do this for things that Java and the JDK need when actually signing 
> the binaries.
> 
> There is a special entitlement "com.apple.security.get-task-allow" which is 
> needed to be able to debug an application and to get core dumps. Xcode will 
> automatically set this on debug builds, but not on release builds. We never 
> include this as it's not allowed when notarizing applications.
> 
> I was recently made aware of the possibility of adding entitlements without 
> actually signing a binary, using the codesign tool. This makes it possible 
> for us to add the get-task-allow entitlement to builds that are never 
> intended to be notarized. We can also be consistent with adding the standard 
> set of entitlements to all builds, regardless of whether proper signing is 
> going to be performed.
> 
> Not adding any entitlements to non-signed builds is currently not a problem 
> on x64; however, on aarch64, the Xcode linker will unconditionally perform an 
> "adhoc" signing without any entitlements. This is blocking at least core file 
> generation from those binaries, and probably other kinds of debug operations 
> as well.
> 
> In this change, I propose that we by default always add entitlements to all 
> builds, and as long as we aren't explicitly signing with a real signing 
> identity with hardened runtime enabled, we also add the get-task-allow 
> entitlement. The codesign behavior is controlled with the new configure 
> parameter `--with-macosx-codesign=[hardened|debug|auto]`.

This pull request has now been integrated.

Changeset: f42caefe
Author:    Erik Joelsson <er...@openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/f42caefe2e7658bfb5ab8ef938b134bdb6746ff1
Stats:     212 lines in 10 files changed: 158 ins; 47 del; 7 mod

8293550: Optionally add get-task-allow entitlement to macos binaries

Reviewed-by: mikael, cjplummer, ihse

-------------

PR: https://git.openjdk.org/jdk/pull/10275
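The entitlement policy described in the PR (standard entitlements on every build, get-task-allow only when no real identity with hardened runtime is used), together with a checker for the two failure modes it mentions, as an added example that is not code from the OpenJDK change or the JDK build. The JDK's actual "standard" entitlement list, the rule that `auto` resolves to `hardened` only when a signing identity is configured, and the `codesign` invocations sketched in `codesign_command` are assumptions; only the `com.apple.security.get-task-allow` key and the `hardened|debug|auto` modes come from the message.

```python
"""Model of the get-task-allow entitlement policy, plus an entitlement audit."""
import plistlib
from typing import Dict, List, Optional

# The entitlement named in the PR: needed for a debugger to attach and for
# core dumps, and rejected when an application is notarized.
GET_TASK_ALLOW = "com.apple.security.get-task-allow"

# Constructed stand-in for the JDK's standard entitlement set. These are real
# Apple hardened-runtime keys, but the JDK's own list is an assumption here.
STANDARD_ENTITLEMENTS: Dict[str, bool] = {
    "com.apple.security.cs.allow-jit": True,
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
}

MODES = ("hardened", "debug", "auto")


def resolve_mode(mode: str, has_signing_identity: bool) -> str:
    """Map --with-macosx-codesign=[hardened|debug|auto] to a concrete mode.

    Assumed reading of `auto`: hardened when a real signing identity is
    configured, otherwise debug (builds that will never be notarized).
    """
    if mode not in MODES:
        raise ValueError(f"unknown codesign mode: {mode!r}")
    if mode == "auto":
        return "hardened" if has_signing_identity else "debug"
    return mode


def build_entitlements(mode: str) -> Dict[str, bool]:
    """Standard entitlements for every build; get-task-allow only for debug."""
    if mode not in ("hardened", "debug"):
        raise ValueError("call resolve_mode() first")
    ents = dict(STANDARD_ENTITLEMENTS)
    if mode == "debug":
        ents[GET_TASK_ALLOW] = True
    return ents


def to_plist(entitlements: Dict[str, bool]) -> bytes:
    """Serialize to the XML plist that codesign --entitlements consumes."""
    return plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)


def parse_entitlements(plist_bytes: bytes) -> Dict[str, object]:
    """Parse an entitlements plist as dumped from a binary.

    Assumed source: `codesign -d --entitlements :- <binary>`. Without the
    leading ':' codesign prefixes the XML with a binary blob header, so
    skip to the XML declaration before parsing.
    """
    start = plist_bytes.find(b"<?xml")
    if start < 0:
        return {}
    return dict(plistlib.loads(plist_bytes[start:]))


def codesign_command(binary: str, mode: str, entitlements_path: str,
                     identity: Optional[str] = None) -> List[str]:
    """Assumed codesign invocation per mode (illustrative, not the JDK's).

    hardened: real identity with the hardened runtime enabled.
    debug:    ad-hoc signature ("-s -") whose only purpose is to attach
              the entitlements.
    """
    if mode == "hardened":
        if not identity:
            raise ValueError("hardened mode needs a signing identity")
        return ["codesign", "-f", "-s", identity, "--options", "runtime",
                "--entitlements", entitlements_path, binary]
    if mode == "debug":
        return ["codesign", "-f", "-s", "-", "--entitlements",
                entitlements_path, binary]
    raise ValueError(f"unresolved mode: {mode!r}")


def audit_entitlements(plist_bytes: bytes, for_notarization: bool) -> List[str]:
    """Flag the two failure modes the PR describes.

    - A binary headed for notarization must not carry get-task-allow.
    - A debug binary without it (e.g. the aarch64 linker's ad-hoc signature
      with no entitlements) cannot produce core dumps or accept a debugger.
    """
    ents = parse_entitlements(plist_bytes)
    findings: List[str] = []
    has_gta = ents.get(GET_TASK_ALLOW) is True
    if for_notarization and has_gta:
        findings.append(f"{GET_TASK_ALLOW} present: notarization will reject it")
    if not for_notarization and not has_gta:
        findings.append(f"{GET_TASK_ALLOW} missing: debugging and core dumps blocked")
    return findings


if __name__ == "__main__":
    mode = resolve_mode("auto", has_signing_identity=False)
    plist = to_plist(build_entitlements(mode))
    print(mode, codesign_command("bin/java", mode, "entitlements.plist"))
    print(audit_entitlements(plist, for_notarization=(mode == "hardened")))
```

Running the audit over the entitlements dumped from a release candidate is the practical check: a `hardened` build must come back with no findings, and a `debug` build on aarch64 that the linker merely ad-hoc signed will be reported as missing get-task-allow before anyone wastes time wondering why no core file appeared.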
