On Thu, 15 Sep 2022 18:30:46 GMT, Erik Joelsson <er...@openjdk.org> wrote:

>> When signing macOS binaries, it's possible to add various entitlements. We 
>> already do this for things that Java and the JDK need when actually signing 
>> the binaries.
>> 
>> There is a special entitlement "com.apple.security.get-task-allow" which is 
>> needed to be able to debug an application and to get core dumps. Xcode will 
>> automatically set this on debug builds, but not on release builds. We never 
>> include this as it's not allowed when notarizing applications.
>> 
>> I was recently made aware of the possibility of adding entitlements without 
>> actually signing a binary, using the codesign tool. This makes it possible 
>> for us to add the get-task-allow entitlement to builds that are never 
>> intended to be notarized. We can also be consistent with adding the standard 
>> set of entitlements to all builds, regardless of whether proper signing is going 
>> to be performed.
>> 
>> Not adding any entitlements to non signed builds is currently not a problem 
>> on x64, however, on aarch64, the Xcode linker will unconditionally always 
>> perform an "adhoc" signing without any entitlements. This is blocking at 
>> least core file generation from those binaries, and probably other kinds of 
>> debug operations as well.
>> 
>> In this change, I propose that we by default always add entitlements to all 
>> builds, and as long as we aren't explicitly signing with a real signing 
>> identity with hardened runtime enabled, we also add the get-task-allow 
>> entitlement. The codesign behavior is controlled with the new configure 
>> parameter `--with-macosx-codesign=[hardened|debug|auto]`.
>
> Erik Joelsson has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Updated doc again

doc/building.html line 529:

> 527: <p>Modern versions of macOS require applications to be signed and 
> notarized before distribution. See Apple's documentation for more background 
> on what this means and how it works. To help support this, the JDK build can 
> be configured to automatically sign all native binaries, and the JDK bundle, 
> with all the options needed for successful notarization, as well as all the 
> entitlements required by the JDK. To enable <code>hardened</code> signing, 
> use configure parameter <code>--with-macosx-codesign=hardened</code> and 
> configure the signing identity you wish to use with 
> <code>--with-macosx-codesign-identity=&lt;identity&gt;</code>. The identity 
> refers to a signing identity from Apple that needs to be preinstalled on the 
> build host.</p>
> 528: <p>When not signing for distribution with the hardened option, the JDK 
> build will still attempt to perform <code>adhoc</code> signing, to add the 
> special entitlement <code>com.apple.security.get-task-allow</code> to each 
> binary. This entitlement is required to be able to attach to a process or 
> dump its core. Note that adding this entitlement makes the build invalid for 
> notarization, so it is only added when signing in <code>debug</code> mode. To 
> explicitly enable this kind of adhoc signing, use configure parameter 
> <code>--with-macosx-codesign=debug</code>. It will be enabled by default in 
> most cases.</p>
> 529: <p>It's also possible to completely disable any explicit codesign 
> operations done by the JDK build using the configure parameter 
> <code>--without-macosx-codesign</code>. The exact behavior then depends on 
> the architecture. For macOS on x64, it (at least at the time of this writing) 
> results in completely unsigned binaries that should still work fine for 
> development and debugging purposes. On aarch64, the Xcode linker will apply a 
> default &quot;adhoc&quot; signing, without any entitlements. Such a build 
> will not allow being attached to or dumping core.</p>

I think github messed with the lines I previously selected, so it wasn't always 
clear which lines my comments were referring to:

> <code>adhoc</code> signing, to add the special entitlement

You can remove this comma.

> This entitlement is required to be able to attach to a process or dump its 
> core.

Only needed to produce a core file.

> Such a build will not allow being attached to or dumping core

Attaching is still allowed. SA tests that attach to a process have been passing 
on macosx-aarch64. I assume lldb attaching has worked also, although I didn't 
try.

-------------

PR: https://git.openjdk.org/jdk/pull/10275
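The two signing modes the thread describes (ad hoc signing that adds `get-task-allow`, versus hardened signing with a real identity that must not carry it) as an added illustration, not code from the JDK build or from the PR author. It assumes the standard Apple hardened-runtime entitlement keys a JIT-compiling runtime commonly needs; the JDK's actual entitlement list lives in its own build files and is not reproduced here. The `codesign` flags used (`-s -` for ad hoc, `--options runtime`, `--timestamp`, `--entitlements`) are real options of Apple's tool, but the script only prints the invocation so it can be inspected on a non-macOS host.

```shell
#!/bin/sh
# Illustrative helper (not the JDK build's own code): write an entitlements
# plist for one of the two modes discussed in the thread and print the
# matching codesign command line.
#
# Assumption (not from the page): the three cs.* keys below are typical
# hardened-runtime entitlements for a JIT runtime; the JDK's real list is
# maintained in its build tree and is not copied here.

# write_entitlements MODE OUTFILE
#   MODE is "hardened" (notarization-safe) or "debug" (adds
#   com.apple.security.get-task-allow, which the notarization service rejects).
write_entitlements() {
    mode="$1"; out="$2"
    case "$mode" in
        hardened|debug) ;;
        *) echo "write_entitlements: bad mode '$mode'" >&2; return 1 ;;
    esac
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        printf '%s\n' '<plist version="1.0">' '<dict>'
        for key in com.apple.security.cs.allow-jit \
                   com.apple.security.cs.allow-unsigned-executable-memory \
                   com.apple.security.cs.disable-library-validation; do
            printf '    <key>%s</key>\n    <true/>\n' "$key"
        done
        if [ "$mode" = debug ]; then
            # Needed to produce a core file from the signed process; per the
            # reviewer's correction, attaching still works without it.
            printf '    <key>%s</key>\n    <true/>\n' com.apple.security.get-task-allow
        fi
        printf '%s\n' '</dict>' '</plist>'
    } > "$out"
}

# has_get_task_allow PLIST -> exit 0 if the debug-only entitlement is present
has_get_task_allow() {
    grep -q '<key>com.apple.security.get-task-allow</key>' "$1"
}

# notarization_safe PLIST -> exit 0 if the plist may be used for a notarized build
notarization_safe() {
    ! has_get_task_allow "$1"
}

# codesign_cmd MODE IDENTITY PLIST BINARY
#   Prints the codesign invocation. "-s -" is an ad hoc signature with no
#   identity, which is how entitlements get attached without "real" signing;
#   hardened mode signs with IDENTITY and enables the hardened runtime and
#   a secure timestamp, both of which notarization requires.
#   To inspect the result on macOS afterwards: codesign -d --entitlements :- BINARY
codesign_cmd() {
    mode="$1"; identity="$2"; plist="$3"; bin="$4"
    case "$mode" in
        debug)
            printf 'codesign -f -s - --entitlements %s %s\n' "$plist" "$bin" ;;
        hardened)
            if ! notarization_safe "$plist"; then
                echo "codesign_cmd: refusing hardened signing with get-task-allow present" >&2
                return 1
            fi
            printf 'codesign -f -s "%s" --options runtime --timestamp --entitlements %s %s\n' \
                "$identity" "$plist" "$bin" ;;
        *)
            echo "codesign_cmd: bad mode '$mode'" >&2; return 1 ;;
    esac
}
```

The hardened branch deliberately refuses a plist that still contains `get-task-allow`, which mirrors the documentation's point that the debug entitlement makes a build invalid for notarization.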
