On Thu, 15 Sep 2022 13:14:15 GMT, Erik Joelsson <er...@openjdk.org> wrote:

>> When signing macOS binaries, it's possible to add various entitlements. We 
>> already do this for things that Java and the JDK need when actually signing 
>> the binaries.
>> 
>> There is a special entitlement "com.apple.security.get-task-allow" which is 
>> needed to be able to debug an application and to get core dumps. Xcode will 
>> automatically set this on debug builds, but not on release builds. We never 
>> include this as it's not allowed when notarizing applications.
>> 
>> I was recently made aware of the possibility of adding entitlements without 
>> actually signing a binary, using the codesign tool. This makes it possible 
>> for us to add the get-task-allow entitlement to builds that are never 
>> intended to be notarized. We can also be consistent with adding the standard 
>> set of entitlements to all builds, regardless of if proper signing is going 
>> to be performed.
>> 
>> Not adding any entitlements to non signed builds is currently not a problem 
>> on x64, however, on aarch64, the Xcode linker will unconditionally always 
>> perform an "adhoc" signing without any entitlements. This is blocking at 
>> least core file generation from those binaries, and probably other kinds of 
>> debug operations as well.
>> 
>> In this change, I propose that we by default always add entitlements to all 
>> builds, and as long as we aren't explicitly signing with a real signing 
>> identity with hardened runtime enabled, we also add the get-task-allow 
>> entitlement. The codesign behavior is controlled with the new configure 
>> parameter `--with-macosx-codesign=[hardened|debug|auto]`.
>
> Erik Joelsson has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Reworked doc text

Mostly looks good, but I've left a few remarks that I think need addressing.

doc/building.md line 908:

> 906: chosen if it works. If nothing works, the codesign step is skipped. Note that on
> 907: `aarch64`, the Xcode linker will always perform a default `adhoc` signing
> 908: without any entitlements, causing attaching and core dumps not to work.

I'm getting conflicting messages, both from this text and the PR description, 
with what is reported in the comments to this PR (and the reason for this PR at 
all, I assume).

Here and elsewhere it sounds like Xcode will always make `adhoc` signing 
*without any entitlements* on aarch64. If that is done unconditionally, then 
this fix cannot possibly work on aarch64?

I *think* what you mean is that *if no signing is provided*, on x64, Xlink just 
skips signing, but on aarch64, it will create an adhoc signing without any 
entitlements. But if signing is provided, on both x64 and aarch64 that will be 
used instead.

If my understanding is correct, then I think this message needs updating. In 
fact, since we now add signing with entitlements, maybe we don't need to talk 
at all about what happens if we happen to build without them, and can just 
remove the last sentence?

-------------

Marked as reviewed by ihse (Reviewer).

PR: https://git.openjdk.org/jdk/pull/10275
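
The entitlement rule discussed in this thread can be checked per binary once its entitlements plist has been dumped. The following is an added example, not code from the thread or from the OpenJDK build; the function name `audit_entitlements`, the two mode strings as used here, and the sample plists are assumptions constructed for illustration.

```python
import plistlib

GET_TASK_ALLOW = "com.apple.security.get-task-allow"


def audit_entitlements(plist_bytes, mode):
    """Return a list of findings for one binary's entitlements.

    plist_bytes: XML entitlements plist (bytes); empty when the signature
                 carries no entitlements, as with a linker ad hoc signature.
    mode:        "hardened" (build meant for notarization) or "debug".
    """
    if mode not in ("hardened", "debug"):
        raise ValueError("mode must be 'hardened' or 'debug'")
    # No plist at all means no entitlements were embedded.
    ents = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must be a dictionary")
    # Only an explicit boolean true grants the entitlement.
    allowed = ents.get(GET_TASK_ALLOW) is True
    findings = []
    if mode == "hardened" and allowed:
        findings.append("get-task-allow set on a build meant for notarization")
    if mode == "debug" and not allowed:
        findings.append("get-task-allow missing: attach and core dumps will not work")
    return findings


# Constructed sample inputs (not taken from any real build).
DEBUG_SIGNED = plistlib.dumps(
    {GET_TASK_ALLOW: True, "com.apple.security.cs.allow-jit": True})
RELEASE_SIGNED = plistlib.dumps({"com.apple.security.cs.allow-jit": True})
EXPLICIT_FALSE = plistlib.dumps({GET_TASK_ALLOW: False})
ADHOC_NO_ENTITLEMENTS = b""  # ad hoc signature without any entitlements

if __name__ == "__main__":
    samples = [("debug-signed", DEBUG_SIGNED, "debug"),
               ("release-signed", RELEASE_SIGNED, "hardened"),
               ("debug-in-release", DEBUG_SIGNED, "hardened"),
               ("adhoc-only", ADHOC_NO_ENTITLEMENTS, "debug")]
    for name, blob, mode in samples:
        print(name, mode, audit_entitlements(blob, mode) or "ok")
```
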
