Clarification of what is needed here.

When we codesign the files that end up being in the macOS .app bundle, one of the inputs to the codesign invocation is an entitlement file which contains a list of macOS entitlements. For executables, the entitlements turn on or off security hardening features. At present, our codesigning consumes one entitlement file (there are production and developer versions) from mozilla-central and uses the entitlements in the file to codesign all files. That is, all files are codesigned with the same entitlements.

With this fix, we would like to be able to specify an entitlement file for each file in the .app so that each file can be signed with different entitlements. In practice, we are likely to have one empty entitlement file for resource files, one for the parent process executable, and one for each child process executable (of which there is one for now).

I use [this script](https://github.com/hafta/codesign-tree) for testing different entitlement configurations. The script consumes a JSON configuration file that is a mapping between files in a directory and an entitlement file. The script runs the macOS codesign command and applies the specified entitlements and options for each file. We don't need to use this, but the request is for something equivalent so that a file in mozilla-central would control which entitlements are used for each file.

Once we have this capability, we can enable stronger entitlements for Firefox.
Bug 1593072 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Clarification of what is needed here: control of which entitlements each file in the .app bundle is signed with using a file in the tree.

When we codesign the files that end up being in the macOS .app bundle, one of the inputs to the codesign invocation is an entitlement file which contains a list of macOS entitlements. For executables, the entitlements turn on or off security hardening features. At present, our codesigning consumes one entitlement file (there are production and developer versions) from mozilla-central and uses the entitlements in the file to codesign all files. That is, all files are codesigned with the same entitlements.

With this fix, we would like to be able to specify an entitlement file for each file in the .app so that each file can be signed with different entitlements. In practice, we are likely to have one empty entitlement file for resource files, one for the parent process executable, and one for each child process executable (of which there is one for now).

I use [this script](https://github.com/hafta/codesign-tree) for testing different entitlement configurations. The script consumes a JSON configuration file that is a mapping between files in a directory and an entitlement file. The script runs the macOS codesign command and applies the specified entitlements and options for each file. We don't need to use this, but the request is for something equivalent so that a file in mozilla-central would control which entitlements are used for each file.

Once we have this capability, we can enable stronger entitlements for Firefox.
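
One way to express the per-file mapping requested above, as an added example that is not code from the bug, mozilla-central, or the linked script: an ordered rule list where the first match wins and a file with no matching rule is an error instead of being signed with a default. The JSON format, `Example.app`, the executable names, and the entitlement file names are assumptions made for illustration.

```python
import fnmatch
import json
import os

# Constructed config in a hypothetical format: ordered rules, first match wins,
# patterns are relative to the bundle root. Every name below is a placeholder.
CONFIG = json.loads("""
{
  "identity": "-",
  "rules": [
    {"match": "Contents/MacOS/example",       "entitlements": "parent.entitlements.xml", "runtime": true},
    {"match": "Contents/MacOS/example-child", "entitlements": "child.entitlements.xml",  "runtime": true},
    {"match": "Contents/Resources/*",         "entitlements": "empty.entitlements.xml"}
  ]
}
""")


def bundle_files(root):
    """Relative paths of every regular file under the bundle root."""
    return [os.path.relpath(os.path.join(d, n), root)
            for d, _dirs, names in os.walk(root) for n in names]


def rule_for(rel_path, config):
    """First rule whose pattern matches; fail closed when nothing matches."""
    for rule in config["rules"]:
        if fnmatch.fnmatchcase(rel_path, rule["match"]):
            return rule
    raise LookupError(f"no entitlement rule covers {rel_path}")


def plan_signing(rel_paths, config, root="Example.app"):
    """Return one codesign argv per file, deepest paths first so nested
    items are signed before whatever contains them."""
    plan = []
    for rel in sorted(rel_paths, key=lambda p: (-p.count("/"), p)):
        rule = rule_for(rel, config)
        argv = ["codesign", "--force", "--sign", config["identity"]]
        if rule.get("runtime"):
            argv += ["--options", "runtime"]  # enable the hardened runtime
        argv += ["--entitlements", rule["entitlements"], os.path.join(root, rel)]
        plan.append(argv)
    return plan


if __name__ == "__main__":
    for argv in plan_signing(bundle_files("Example.app"), CONFIG):
        print(" ".join(argv))  # prints the plan; hand argv to subprocess.run to sign
```

The identity `-` requests an ad-hoc signature, which is enough for local testing of an entitlement configuration.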