Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8293550

Optionally add get-task-allow entitlement to macos binaries

    XMLWordPrintable

Details

    • b16
    • os_x

    Backports

      Description

        When signing Macos binaries, it's possible to add various entitlements. We already do this for things that Java and the JDK needs when actually signing the binaries.

        There is a special entitlement "com.apple.security.get-task-allow" which is needed to be able to get core dumps. Xcode will automatically set this on debug builds, but not on release builds. We never include this as it's not allowed when notarizing applications.

        I was recently made aware of the possibility of adding entitlements without actually signing a binary. This makes it possible for us to add the get-task-allow entitlement to builds that are never intended to be notarized. We can also be consistent with adding the standard set of entitlements to all builds, regardless of if proper signing is going to be performed.

        Not adding any entitlements to non signed builds is currently not a problem on x64, however, on aarch64, the Xcode linker will unconditionally always perform an "adhoc" signing without any entitlements. This is blocking at least core file generation from those binaries, and probably other kinds of debug operations as well.

        In this change, I propose that we by default always add entitlements to all builds, and as long as we aren't explicitly signing with a real signing identity with hardened runtime enabled, we should also add the get-task-allow entitlement.

        Attachments

          Issue Links

            backported by

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8294996 Optionally add get-task-allow entitlement to macos binaries

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8296264 Optionally add get-task-allow entitlement to macos binaries

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8298036 Optionally add get-task-allow entitlement to macos binaries

            • P3 - Major loss of function.
            • Resolved

            Backport - A issue that is required to port a Bug or Feature into another product release. This issue type is generally associated with the main Bug/Feature to represent each individual release of the port. JDK-8302653 Optionally add get-task-allow entitlement to macos binaries

            • P3 - Major loss of function.
            • Resolved
            blocks

            Bug - A problem which impairs or prevents the functions of the product. JDK-8293563 [macos-aarch64] SA core file tests failing with sun.jvm.hotspot.oops.UnknownOopException

            • P3 - Major loss of function.
            • Resolved
            relates to

            Bug - A problem which impairs or prevents the functions of the product. JDK-8294310 compare.sh fails on macos after JDK-8293550

            • P2 - Crashes, loss of data, severe memory leak.
            • Resolved

            Bug - A problem which impairs or prevents the functions of the product. JDK-8300490 Spaces in name of MacOS Code Signing Identity are not correctly handled after JDK-8293550

            • P3 - Major loss of function.
            • Resolved

            Bug - A problem which impairs or prevents the functions of the product. JDK-8298343 "Could not confirm if TargetJDK is hardened." warning for SA tests on macosx-aarch64-debug

            • P5 - Cosmetic problem like misspelt words or misaligned text.
            • Resolved

            Bug - A problem which impairs or prevents the functions of the product. JDK-8293563 [macos-aarch64] SA core file tests failing with sun.jvm.hotspot.oops.UnknownOopException

            • P3 - Major loss of function.
            • Resolved

            Bug - A problem which impairs or prevents the functions of the product. JDK-8293965 Code signing warnings after JDK-8293550

            • P4 - Minor loss of function, or other problem where easy workaround is present.
            • Resolved
            links to

            Commit Commit openjdk/jdk11u-dev/630c80eb

            Commit Commit openjdk/jdk17u-dev/da6fca4d

            Commit Commit openjdk/jdk/f42caefe

            Review Review openjdk/jdk11u-dev/1739

            Review Review openjdk/jdk17u-dev/916

            Review Review openjdk/jdk/10275

            Activity

              People

                erikj Erik Joelsson
                erikj Erik Joelsson
                Votes:
                0 Vote for this issue
                Watchers:
                12 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: