Integrated: 8293550: Optionally add get-task-allow entitlement to macos binaries

Erik Joelsson erikj at openjdk.org
Fri Sep 16 12:37:48 UTC 2022


On Wed, 14 Sep 2022 20:25:03 GMT, Erik Joelsson <erikj at openjdk.org> wrote:

> When signing macOS binaries, it's possible to add various entitlements. We already do this for things that Java and the JDK needs when actually signing the binaries.
> 
> There is a special entitlement "com.apple.security.get-task-allow" which is needed to be able to debug an application and to get core dumps. Xcode will automatically set this on debug builds, but not on release builds. We never include this as it's not allowed when notarizing applications.
> 
> I was recently made aware of the possibility of adding entitlements without actually signing a binary, using the codesign tool. This makes it possible for us to add the get-task-allow entitlement to builds that are never intended to be notarized. We can also be consistent with adding the standard set of entitlements to all builds, regardless of whether proper signing is going to be performed.
> 
> Not adding any entitlements to non-signed builds is currently not a problem on x64, however, on aarch64, the Xcode linker will unconditionally always perform an "adhoc" signing without any entitlements. This is blocking at least core file generation from those binaries, and probably other kinds of debug operations as well.
> 
> In this change, I propose that we by default always add entitlements to all builds, and as long as we aren't explicitly signing with a real signing identity with hardened runtime enabled, we also add the get-task-allow entitlement. The codesign behavior is controlled with the new configure parameter `--with-macosx-codesign=[hardened|debug|auto]`.

This pull request has now been integrated.

Changeset: f42caefe
Author:    Erik Joelsson <erikj at openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/f42caefe2e7658bfb5ab8ef938b134bdb6746ff1
Stats:     212 lines in 10 files changed: 158 ins; 47 del; 7 mod

8293550: Optionally add get-task-allow entitlement to macos binaries

Reviewed-by: mikael, cjplummer, ihse

-------------

PR: https://git.openjdk.org/jdk/pull/10275
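As an added illustration of the mode logic the quoted PR text describes, the following Python models the three `--with-macosx-codesign` modes and the resulting codesign invocation, and checks a dumped entitlements plist for a get-task-allow mismatch. This is example code, not the JDK makefiles or the author's change; the base entitlement keys, the exact `auto` semantics and the argv shape are assumptions.

```python
"""Model of --with-macosx-codesign=[hardened|debug|auto] (added example, not JDK code)."""
import plistlib
from typing import Optional

GET_TASK_ALLOW = "com.apple.security.get-task-allow"

# Constructed sample of a "standard" entitlement set; the real JDK plists live in
# the source tree and may differ (assumption).
BASE_ENTITLEMENTS = {
    "com.apple.security.cs.allow-jit": True,
    "com.apple.security.cs.disable-library-validation": True,
}

def resolve_mode(mode: str, signing_identity: Optional[str]) -> str:
    """Reading of the PR text (assumption): 'auto' is 'hardened' only when a real
    signing identity is configured, otherwise the build is treated as 'debug'."""
    if mode == "auto":
        return "hardened" if signing_identity else "debug"
    if mode == "hardened" and not signing_identity:
        raise ValueError("hardened mode requires a real signing identity")
    if mode not in ("hardened", "debug"):
        raise ValueError(f"unknown codesign mode: {mode}")
    return mode

def build_entitlements(mode: str, base: dict = BASE_ENTITLEMENTS) -> dict:
    """Always emit the standard set; add get-task-allow only outside hardened signing
    (it permits debugger attach / core dumps and is rejected by notarization)."""
    ents = dict(base)
    if mode == "debug":
        ents[GET_TASK_ALLOW] = True
    return ents

def entitlements_plist(mode: str) -> bytes:
    """XML plist bytes for the resolved mode, as codesign --entitlements expects."""
    return plistlib.dumps(build_entitlements(mode))

def codesign_argv(binary: str, mode: str, identity: Optional[str], plist_path: str) -> list:
    """Ad hoc identity '-' for debug builds; real identity plus hardened runtime otherwise."""
    argv = ["codesign", "-f", "-s", identity if mode == "hardened" else "-"]
    if mode == "hardened":
        argv += ["--options", "runtime"]
    return argv + ["--entitlements", plist_path, binary]

def audit_entitlements(plist_bytes: bytes, expect_hardened: bool) -> list:
    """Findings over an entitlements plist (XML form); flags the two failure modes
    the PR describes: debuggable release binaries, and undebuggable dev builds."""
    ents = plistlib.loads(plist_bytes)
    findings = []
    if ents.get(GET_TASK_ALLOW) and expect_hardened:
        findings.append("get-task-allow present in a hardened-runtime/notarization build")
    if not ents.get(GET_TASK_ALLOW) and not expect_hardened:
        findings.append("get-task-allow missing: debugging and core dumps will be blocked")
    return findings
```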
