RFR: 8293550: Optionally add get-task-allow entitlement to macos binaries [v2]
Erik Joelsson
erikj at openjdk.org
Thu Sep 15 13:14:15 UTC 2022
On Thu, 15 Sep 2022 02:29:29 GMT, Chris Plummer <cjplummer at openjdk.org> wrote:
>> Erik Joelsson has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Comment fix
>
> doc/building.html line 528:
>
>> 526: <h3 id="macos-1">macOS</h3>
>> 527: <p>On modern versions of macOS, signing and notarizing applications are required before distribution. For more background on what this means and how it works, see Apple's documentation. To help support this, the JDK build can be configured to automatically sign all native binaries and the JDK bundle with all the options needed for successful notarization, as well as all the entitlements required by the JDK. To enable <code>hardened</code> signing, use configure parameter <code>--with-macosx-codesign=hardened</code> and configure the signing identity you wish to use with <code>--with-macosx-codesign-identity=<identity></code>. The identity refers to a signing identity from Apple that needs to be preinstalled on the build host.</p>
>> 528: <p>When not signing with the hardened option for distribution, the JDK build will still attempt to perform <code>adhoc</code> signing, to add the special entitlement <code>com.apple.security.get-task-allow</code> to each binary. This entitlement is required to be able to debug a process or dump its core. Note that adding this entitlement makes the build invalid for notarization, so it is only added when signing in <code>debug</code> mode. To explicitly enable this kind of adhoc signing use configure parameter <code>--with-macosx-codesign=debug</code>. It will be enabled by default in most cases.</p>
>
> Remove the second comma.
>
> Add comma after "To explicitly enable this kind of adhoc signing"
>
> I don't think com.apple.security.get-task-allow is needed to debug a process. That has been working fine for SA on macosx-aarch64, even with the adhoc signing that Xcode does by default. I think it might be what is needed for notarized binaries in order to attach to them, but clearly that can't be done as part of the build if you want to notarize.
Thanks, I reworked the text.
-------------
PR: https://git.openjdk.org/jdk/pull/10275
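The quoted documentation states that the JDK build adds com.apple.security.get-task-allow only for `--with-macosx-codesign=debug` and that the entitlement makes a bundle invalid for notarization. The script below is an added example (not code from this PR or from the JDK build) that checks a built binary for that entitlement before it goes to notarization; it assumes a codesign(1) that supports `--xml` (macOS 11 or later), and the two sample plists are constructed, not captured from a real build.

```shell
#!/bin/sh
# Added example: check whether a binary's entitlements grant
# com.apple.security.get-task-allow (debug-mode signing in the JDK build),
# which disqualifies the bundle from notarization.

# Read an entitlements plist (XML) on stdin. Returns 0 when the
# get-task-allow key is present with <true/>, 1 otherwise.
# In codesign's XML output the value element follows the <key> line.
entitlement_grants_get_task_allow() {
    awk '
        /<key>com\.apple\.security\.get-task-allow<\/key>/ { state = 1; next }
        state == 1 && NF { granted = (index($0, "<true/>") > 0); state = 2 }
        END { exit (granted ? 0 : 1) }
    '
}

# macOS only: dump the entitlements of a signed binary and check them.
# Assumes a codesign(1) that supports --xml (macOS 11 or later).
binary_grants_get_task_allow() {
    codesign -d --entitlements - --xml "$1" 2>/dev/null | entitlement_grants_get_task_allow
}

# Fail for a binary destined for a hardened/notarized build that still
# carries the debug entitlement.
assert_notarizable() {
    if binary_grants_get_task_allow "$1"; then
        echo "ERROR: $1 grants com.apple.security.get-task-allow; not notarizable" >&2
        return 1
    fi
    echo "OK: $1 does not grant get-task-allow"
}

# Constructed sample plists: what a debug-signed and a hardened-signed
# binary would report. Not captured from a real JDK build.
SAMPLE_DEBUG_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>'
SAMPLE_HARDENED_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <false/>
</dict>
</plist>'

# When binaries are given on the command line, check each of them (macOS).
for f in "$@"; do assert_notarizable "$f"; done
```

Run it as `sh check-get-task-allow.sh /path/to/jdk/lib/libjli.dylib` on the build host; a non-zero exit means the binary was signed with the debug entitlement.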