RFR: 8293550: Optionally add get-task-allow entitlement to macos binaries [v5]
Chris Plummer
cjplummer at openjdk.org
Thu Sep 15 22:49:44 UTC 2022
On Thu, 15 Sep 2022 18:30:46 GMT, Erik Joelsson <erikj at openjdk.org> wrote:
>> When signing Macos binaries, it's possible to add various entitlements. We already do this for things that Java and the JDK needs when actually signing the binaries.
>>
>> There is a special entitlement "com.apple.security.get-task-allow" which is needed to be able to debug an application and to get core dumps. Xcode will automatically set this on debug builds, but not on release builds. We never include this as it's not allowed when notarizing applications.
>>
>> I was recently made aware of the possibility of adding entitlements without actually signing a binary, using the codesign tool. This makes it possible for us to add the get-task-allow entitlement to builds that are never intended to be notarized. We can also be consistent with adding the standard set of entitlements to all builds, regardless of if proper signing is going to be performed.
>>
>> Not adding any entitlements to non signed builds is currently not a problem on x64, however, on aarch64, the Xcode linker will unconditionally always perform an "adhoc" signing without any entitlements. This is blocking at least core file generation from those binaries, and probably other kinds of debug operations as well.
>>
>> In this change, I propose that we by default always add entitlements to all builds, and as long as we aren't explicitly signing with a real signing identity with hardened runtime enabled, we also add the get-task-allow entitlement. The codesign behavior is controlled with the new configure parameter `--with-macosx-codesign=[hardened|debug|auto]`.
>
> Erik Joelsson has updated the pull request incrementally with one additional commit since the last revision:
>
> Updated doc again
doc/building.html line 529:
> 527: <p>Modern versions of macOS require applications to be signed and notarized before distribution. See Apple's documentation for more background on what this means and how it works. To help support this, the JDK build can be configured to automatically sign all native binaries, and the JDK bundle, with all the options needed for successful notarization, as well as all the entitlements required by the JDK. To enable <code>hardened</code> signing, use configure parameter <code>--with-macosx-codesign=hardened</code> and configure the signing identity you wish to use with <code>--with-macosx-codesign-identity=<identity></code>. The identity refers to a signing identity from Apple that needs to be preinstalled on the build host.</p>
> 528: <p>When not signing for distribution with the hardened option, the JDK build will still attempt to perform <code>adhoc</code> signing, to add the special entitlement <code>com.apple.security.get-task-allow</code> to each binary. This entitlement is required to be able to attach to a process or dump its core. Note that adding this entitlement makes the build invalid for notarization, so it is only added when signing in <code>debug</code> mode. To explicitly enable this kind of adhoc signing, use configure parameter <code>--with-macosx-codesign=debug</code>. It will be enabled by default in most cases.</p>
> 529: <p>It's also possible to completely disable any explicit codesign operations done by the JDK build using the configure parameter <code>--without-macosx-codesign</code>. The exact behavior then depends on the architecture. For macOS on x64, it (at least at the time of this writing) results in completely unsigned binaries that should still work fine for development and debugging purposes. On aarch64, the Xcode linker will apply a default "adhoc" signing, without any entitlements. Such a build will not allow being attached to or dumping core.</p>
I think github messed with the lines I previously selected, so it wasn't always clear which lines my comments were referring to:
> <code>adhoc</code> signing, to add the special entitlement
You can remove this comma.
> This entitlement is required to be able to attach to a process or dump its core.
Only needed to produce a core file.
> Such a build will not allow being attached to or dumping core
Attaching is still allowed. SA tests that attach to a process have been passing on macosx-aarch64. I assume lldb attaching has worked also, although I didn't try.
-------------
PR: https://git.openjdk.org/jdk/pull/10275
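The mode logic the PR description and the quoted doc text lay out (standard entitlements on every build, get-task-allow only when not doing a real hardened signing) and the review point that the entitlement gates core dumps rather than attaching, as an added example that is not part of this thread or of the JDK build system. The baseline entitlement list, the `auto` resolution rule, and the audit report fields are assumptions made for illustration; the `codesign` flags (`-s -` for ad-hoc, `--options runtime`, `--entitlements`, `-d --entitlements :-`) are real codesign flags, but the command lines are built as argv lists and not executed. The sample entitlements plist is constructed.

```python
"""Model of the codesign modes from the thread plus an entitlements audit.

Added example, not code from the PR or the JDK makefiles. It builds the
entitlements dictionary a given --with-macosx-codesign mode would get,
produces the matching codesign argv, and inspects an entitlements plist
of the kind `codesign -d --entitlements :- <binary>` prints.
"""
import plistlib
from typing import Dict, List, Optional

GET_TASK_ALLOW = "com.apple.security.get-task-allow"

# Assumed baseline; the real JDK entitlement set lives in the build system
# and is not reproduced here.
BASELINE_ENTITLEMENTS = {
    "com.apple.security.cs.allow-jit": True,
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
}


def _resolve_mode(mode: str, identity: Optional[str]) -> str:
    # Assumption: 'auto' means hardened when an identity is configured,
    # otherwise debug (the thread says debug is the default "in most cases").
    if mode == "auto":
        return "hardened" if identity else "debug"
    if mode not in ("hardened", "debug"):
        raise ValueError(f"unknown codesign mode: {mode}")
    return mode


def entitlements_for_mode(mode: str, identity: Optional[str] = None) -> Dict[str, bool]:
    """Every build gets the standard set; get-task-allow is added unless we
    are doing a real hardened signing, because it breaks notarization."""
    mode = _resolve_mode(mode, identity)
    ents = dict(BASELINE_ENTITLEMENTS)
    if mode == "debug":
        ents[GET_TASK_ALLOW] = True
    return ents


def entitlements_xml(ents: Dict[str, bool]) -> bytes:
    """Serialize the entitlements as an XML plist for --entitlements."""
    return plistlib.dumps(ents)


def codesign_argv(mode: str, binary: str, entitlements_file: str,
                  identity: Optional[str] = None) -> List[str]:
    """codesign command line for the mode. '-s -' is the ad-hoc identity;
    '--options runtime' enables the hardened runtime notarization needs."""
    mode = _resolve_mode(mode, identity)
    if mode == "hardened":
        if not identity:
            raise ValueError("hardened signing needs a signing identity")
        return ["codesign", "-f", "-s", identity, "--options", "runtime",
                "--entitlements", entitlements_file, binary]
    return ["codesign", "-f", "-s", "-", "--entitlements", entitlements_file, binary]


def audit_entitlements(xml_blob: bytes) -> Dict[str, object]:
    """Parse an entitlements plist and report the two things that matter
    here: can the process produce a core file, and can the build still be
    notarized. Attaching a debugger is not gated by this entitlement, per
    the reviewer's observation on macosx-aarch64."""
    ents = plistlib.loads(xml_blob)
    has_gta = bool(ents.get(GET_TASK_ALLOW, False))
    return {
        "get_task_allow": has_gta,
        "core_dump_possible": has_gta,
        "notarizable": not has_gta,
        "entitlement_count": len(ents),
    }


# Constructed sample of what a debug-mode binary would carry.
SAMPLE_DEBUG_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for mode, ident in (("debug", None), ("hardened", "Developer ID Application: Example")):
        print(mode, codesign_argv(mode, "bin/java", "ents.plist", ident))
        print("  ", audit_entitlements(entitlements_xml(entitlements_for_mode(mode, ident))))
    print("sample blob:", audit_entitlements(SAMPLE_DEBUG_XML))
```

To audit a real binary, run `codesign -d --entitlements :- <binary>` and feed its XML output to `audit_entitlements`; a `core_dump_possible` of `False` on a development build is the symptom the PR fixes, and a `notarizable` of `False` on a build you intend to ship means the wrong mode was configured.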