RFR: 8293550: Optionally add get-task-allow entitlement to macos binaries [v2]

Erik Joelsson erikj at openjdk.org
Thu Sep 15 12:52:51 UTC 2022


On Thu, 15 Sep 2022 01:50:12 GMT, Chris Plummer <cjplummer at openjdk.org> wrote:

>> Erik Joelsson has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Comment fix
>
> make/data/macosxsigning/default-debug.plist line 15:
> 
>> 13:     <key>com.apple.security.cs.debugger</key>
>> 14:     <true/>
>> 15:     <key>com.apple.security.get-task-allow</key>
> 
> If instead of creating this new plist file you instead just added this property to default.plist, would that cause notarization to fail, or would notarizing simply strip this entitlement, which is what you would want?

Yes, that would cause notarization to fail. Note that notarization does not change the binaries. We just send them in to be scanned by Apple, and they save some kind of fingerprint in a database. (There is a post-notarization step called stapling that does modify the binaries, but all it does is attach a signature from the notarization process to make it possible to verify notarization offline.)

I could have opted to generate the plist files using PlistBuddy instead of keeping 4 static files around, but decided against it to keep the build logic simpler. If we ever need any more variants, I will probably rethink this.

-------------

PR: https://git.openjdk.org/jdk/pull/10275
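
A pre-submission check for the point made in this thread, that an entitlements file carrying get-task-allow makes notarization fail. This is an added example, not code from the JDK build or from the thread's participants. The plist contents are constructed, the function names are hypothetical, and treating every value except an explicit false as blocking is a conservative assumption.

```python
import plistlib

# Entitlement key quoted in the thread; a debug-only grant.
GET_TASK_ALLOW = "com.apple.security.get-task-allow"


def make_plist(entitlements: dict) -> bytes:
    """Serialize a constructed entitlements dict as an XML plist."""
    return plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)


# Constructed stand-ins for two of the signing variants named in the thread.
# The real files' full contents are not shown on the page.
VARIANTS = {
    "default.plist": make_plist({"com.apple.security.cs.debugger": True}),
    "default-debug.plist": make_plist({
        "com.apple.security.cs.debugger": True,
        GET_TASK_ALLOW: True,
    }),
}


def blocks_notarization(raw: bytes) -> bool:
    """Return True if this entitlements plist would be held back."""
    data = plistlib.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must have a dict at its root")
    # Assumption: only an absent key or an explicit <false/> is harmless.
    return GET_TASK_ALLOW in data and data[GET_TASK_ALLOW] is not False


def notarizable(variants: dict) -> list:
    """Names of the variants that may be used for binaries sent to notarization."""
    return sorted(n for n, raw in variants.items() if not blocks_notarization(raw))


if __name__ == "__main__":
    for name, raw in sorted(VARIANTS.items()):
        verdict = "hold back" if blocks_notarization(raw) else "ok to submit"
        print(f"{name}: {verdict}")
```

Because notarization does not rewrite the binaries, a gate like this has to run before signing with the chosen plist, not after submission.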
