[WIP] Remove unsigned executable entitlement #51294
Conversation
@janvorli @mikem8361 what is the best way to validate this locally? Doesn't look like local builds are signed?
What I usually do is to publish a self contained testing .NET app, store it in a special directory structure and sign the native binaries and include the entitlements. Here are the steps:
* Copy all the test app binaries into the Somewhere out of that dir structure, create a file named
The string after the After that, just execute the host executable from the
Closing for now, will reopen when ready to merge.
I have tested that the changed entitlements do seem to work:
I do see an error but the app does seem to function without the
LGTM, thank you for testing it!
@mangod9 there seems to be another copy of the entitlements.plist file checked in here: which appears to be used to sign/notarize @mmitche do we use that file for signing the shipping bits? or what is it used for?
ah good catch @akoeplinger . cc @jcagme @mikem8361 since they added the two files. I can update the other one too.
Yes, this entitlements.plist is used to entitle the hosts with the So who wants to remove the
customer had asked about
I don't think that createdump/debugging and the hosts need this entitlement. They still need to be separate files because they add the debugging specific entitlements.
I'm not sure if we can just change the file in the dotnet-release repo, it might be used for 5.0 releases as well? It'd be great if the entitlements.plist in dotnet/runtime was actually used as the source of truth. |
@akoeplinger even .NET 5 and .NET Core 3.1 stuff didn't need that |
(We use MAP_JIT to all executable memory mappings since 3.1) |
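An added example, not code from this PR or the dotnet/runtime repository, that follows from the MAP_JIT remark above: once executable memory is mapped with MAP_JIT, the hardened-runtime entitlements file only needs com.apple.security.cs.allow-jit, and a local check can confirm that the broader com.apple.security.cs.allow-unsigned-executable-memory key is absent before the host binaries are signed. The plist contents, file paths and the ad-hoc signing identity are assumptions.

```shell
#!/bin/sh
# Added example (not from the dotnet/runtime PR): write a hardened-runtime
# entitlements file that relies on MAP_JIT plus allow-jit only, check that the
# broader allow-unsigned-executable-memory entitlement is absent, and (on macOS,
# where codesign exists) ad-hoc sign a host binary with it. The key names are
# Apple's hardened-runtime entitlement keys; paths are constructed placeholders.

# Write the constructed entitlements plist to $1.
write_jit_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
</dict>
</plist>
EOF
}

# Return 0 if plist $1 grants entitlement key $2 (a <key> followed by <true/>).
plist_grants() {
  # tr folds the file onto one line so the key and its value can be matched together.
  tr -d '\n' < "$1" | grep -q "<key>$2</key>[[:space:]]*<true/>"
}

# Policy check: pass (0) only if the plist grants allow-jit and does NOT grant
# allow-unsigned-executable-memory, which would permit unsigned executable pages
# without MAP_JIT; otherwise fail (1).
check_entitlements() {
  plist_grants "$1" com.apple.security.cs.allow-jit || return 1
  plist_grants "$1" com.apple.security.cs.allow-unsigned-executable-memory && return 1
  return 0
}

# Sign binary $2 with entitlements $1 under the hardened runtime using the
# ad-hoc identity "-". Only meaningful on macOS; elsewhere codesign is absent
# and the step is skipped.
sign_with_entitlements() {
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available; skipping" >&2; return 0; }
  codesign --force --options runtime --entitlements "$1" --sign - "$2" &&
  codesign -d --entitlements - "$2"   # print the entitlements actually embedded
}
```

Run write_jit_entitlements and check_entitlements against the copy of entitlements.plist under test, then sign_with_entitlements on the published host to confirm the embedded entitlements match the file.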
I will check with @jcagme to ensure we don't revert it in 5/3.1, since that would need to go through approvals.
we should be able to now remove this particular entitlement: allow-unsigned-executable-memory. Fixes #45677