8293550: Optionally add get-task-allow entitlement to macos binaries #10275
Conversation
|
👋 Welcome back erikj! A progress list of the required criteria for merging this PR into |
openjdk
bot
changed the title
Webrevs
|
|
@erikj79 This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 74 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
There was a problem hiding this comment.
I verified that the changes do fix the SA issue with not getting core files produced on macosx-aarch64. I didn't review the makefile logic since I don't understand the makefiles well enough to do so, but what you have outlined in the documentation makes sense, sans the few comments I had.
doc/building.md
Outdated
| specified identity is valid. If hardened isn't possible, then `debug` signing is | ||
| chosen if it works. If nothing works, the codesign step is skipped. Note that on | ||
| `aarch64`, the Xcode linker will always perform a default `adhoc` signing | ||
| without any entitlements, causing attaching and core dumps not to work. |
There was a problem hiding this comment.
I'm getting conflicting messages, both from this text and the PR description, with what is reported in the comments to this PR (and the reason for this PR at all, I assume).
Here and elsewhere it sounds like Xcode will always make adhoc signing without any entitlements on aarch64. If that is done unconditionally, then this fix cannot possible work on aarch64?
I think what you mean is that if no signing is provided, on x64, Xlink just skips signing, but on aarch64, it will create an adhoc signing without any entitlements. But if singing is provided, on both x64 and aarch64 that will be used instead.
If my understanding is correct, then I think this message needs updating. In fact, since we now add signing with entitlements, maybe we don't need to talk at all about what happens if we happen to build without them, and can just remove the last sentence?
There was a problem hiding this comment.
Technically, on aarch64, we overwrite the default linker signing using codesign (using the -f (force) flag). I just wanted to include something that warned of the consequences of not letting the build perform the "debug" mode codesign option.
There was a problem hiding this comment.
I tried to clarify further.
|
Thanks for reviewing! /integrate |
|
Going to push as commit f42caef.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
When signing Macos binaries, it's possible to add various entitlements. We already do this for things that Java and the JDK needs when actually signing the binaries.
There is a special entitlement "com.apple.security.get-task-allow" which is needed to be able to debug an application and to get core dumps. Xcode will automatically set this on debug builds, but not on release builds. We never include this as it's not allowed when notarizing applications.
I was recently made aware of the possibility of adding entitlements without actually signing a binary, using the codesign tool. This makes it possible for us to add the get-task-allow entitlement to builds that are never intended to be notarized. We can also be consistent with adding the standard set of entitlements to all builds, regardless of if proper signing is going to be performed.
Not adding any entitlements to non signed builds is currently not a problem on x64, however, on aarch64, the Xcode linker will unconditionally always perform an "adhoc" signing without any entitlements. This is blocking at least core file generation from those binaries, and probably other kinds of debug operations as well.
In this change, I propose that we by default always add entitlements to all builds, and as long as we aren't explicitly signing with a real signing identity with hardened runtime enabled, we also add the get-task-allow entitlement. The codesign behavior is controlled with the new configure parameter
--with-macosx-codesign=[hardened|debug|auto].Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/10275/head:pull/10275$ git checkout pull/10275Update a local copy of the PR:
$ git checkout pull/10275$ git pull https://git.openjdk.org/jdk pull/10275/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 10275View PR using the GUI difftool:
$ git pr show -t 10275Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/10275.diff