Remove com.apple.security.cs.debugger entitlement from dotnet muxer and apphosts #122901
…nd apphosts Co-authored-by: agocke <[email protected]>
cc @hoyosjs
This might break F5 and dump collection. We'd need to properly test this before shipping it. cc: @gregg-miskelly @WardenGnaw (looking again, since it's just host and not createdump, the dump collection part shouldn't be needed. I am not sure why this was ever needed. I'll try to test scenarios to figure this one out)
@hoyosjs and I discussed offline. We (the debugger) codesign with our own entitlement with
Pull request overview
This PR removes the unnecessary com.apple.security.cs.debugger entitlement from the main entitlements file used for signing dotnet muxer, apphost, singlefilehost, and corerun on macOS. The debugger entitlement is preserved in createdump-entitlements.plist where it's actually needed.
- Removes the debugger-specific entitlement from general-purpose binaries
- Reduces the risk of triggering macOS security prompts for non-debugging tools
- Maintains proper entitlements for createdump which legitimately requires debugger APIs
Description
Removes com.apple.security.cs.debugger entitlement from eng/native/entitlements.plist, which is used to sign the dotnet muxer, apphost, singlefilehost, and corerun on macOS.

This entitlement is meant for debuggers. It's unnecessary for the muxer—debuggers should ship with their own apphost and set their own entitlements.
Preserved: createdump-entitlements.plist retains the debugger entitlement since createdump uses task_for_pid() and ptrace() APIs for dump generation.

Low. Removes unnecessary entitlement that could potentially trigger macOS security prompts for non-debugging tools.
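A release check for the split described above, as an added example that is not part of the PR or the repository's build: it flags any signed binary other than createdump that still holds com.apple.security.cs.debugger. The allow-list, function names and sample plists are assumptions constructed for illustration.

```python
import plistlib
import subprocess

DEBUGGER = "com.apple.security.cs.debugger"
# Assumption taken from the PR text: only createdump should keep the entitlement.
ALLOWED = {"createdump"}


def has_debugger_entitlement(plist_bytes):
    """True only when the plist sets the debugger key to <true/>."""
    if not plist_bytes.strip():
        return False  # unsigned binary, or a signature with no entitlements
    return plistlib.loads(plist_bytes).get(DEBUGGER) is True


def signed_entitlements(path):
    """Embedded entitlements of a signed binary (macOS only, needs codesign)."""
    cmd = ["codesign", "-d", "--entitlements", ":-", path]
    return subprocess.run(cmd, capture_output=True, check=True).stdout


def audit(entitlements_by_binary):
    """Binaries that hold the debugger entitlement without being allow-listed."""
    return sorted(
        name for name, blob in entitlements_by_binary.items()
        if name not in ALLOWED and has_debugger_entitlement(blob)
    )


# Constructed plists; the second key is a placeholder, not the repository's file contents.
WITH_DEBUGGER = plistlib.dumps({DEBUGGER: True, "example.placeholder.key": True})
WITHOUT_DEBUGGER = plistlib.dumps({"example.placeholder.key": True})
EXPLICIT_FALSE = plistlib.dumps({DEBUGGER: False})

HOSTS = ("dotnet", "apphost", "singlefilehost", "corerun")
BEFORE = {name: WITH_DEBUGGER for name in HOSTS + ("createdump",)}
AFTER = {**{name: WITHOUT_DEBUGGER for name in HOSTS}, "createdump": WITH_DEBUGGER}

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

On a macOS build machine, pass `{name: signed_entitlements(path)}` for each shipped binary to `audit` and fail the build when the result is non-empty.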