mirrors/JetBrainsRuntime
1
0
Fork 0
mirror of https://github.com/JetBrains/JetBrainsRuntime.git synced 2025-12-06 01:19:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

8293550: Optionally add get-task-allow entitlement to macos binaries

Browse Source 
Reviewed-by: mikael, cjplummer, ihse
This commit is contained in:
Erik Joelsson
2022-09-16 12:33:32 +00:00
parent 5feca688df
commit f42caefe2e
10 changed files with 200 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
doc/building.md
View File

@@ -877,6 +877,42 @@ make run-test-tier1
For more details on how to run tests, please see **Testing the JDK**
([html](testing.html), [markdown](testing.md)).
## Signing
### macOS
Modern versions of macOS require applications to be signed and notarizied before
distribution. See Apple's documentation for more background on what this means
and how it works. To help support this, the JDK build can be configured to
automatically sign all native binaries, and the JDK bundle, with all the options
needed for successful notarization, as well as all the entitlements required by
the JDK. To enable `hardened` signing, use configure parameter
`--with-macosx-codesign=hardened` and configure the signing identity you wish to
use with `--with-macosx-codesign-identity=<identity>`. The identity refers to a
signing identity from Apple that needs to be preinstalled on the build host.
When not signing for distribution with the hardened option, the JDK build will
still attempt to perform `adhoc` signing to add the special entitlement
`com.apple.security.get-task-allow` to each binary. This entitlement is required
to be able to dump core files from a process. Note that adding this entitlement
makes the build invalid for notarization, so it is only added when signing in
`debug` mode. To explicitly enable this kind of adhoc signing, use configure
parameter `--with-macosx-codesign=debug`. It will be enabled by default in most
cases.
It's also possible to completely disable any explicit codesign operations done
by the JDK build using the configure parameter `--without-macosx-codesign`.
The exact behavior then depends on the architecture. For macOS on x64, it (at
least at the time of this writing) results in completely unsigned binaries that
should still work fine for development and debugging purposes. On aarch64, the
Xcode linker will apply a default "adhoc" signing, without any entitlements.
Such a build does not allow dumping core files.
The default mode "auto" will try for `hardened` signing if the debug level is
`release` and either the default identity or the specified identity is valid.
If hardened isn't possible, then `debug` signing is chosen if it works. If
nothing works, the codesign build step is disabled.
## Cross-compiling
Cross-compiling means using one platform (the *build* platform) to generate