Open Bug 1593072 Opened 2 years ago Updated 2 months ago

[macOS] [automation] Use different entitlement files for child processes and other resources

Categories

(Firefox Build System :: General, enhancement)

Unspecified
macOS
enhancement
Not set
normal

Tracking

(Not tracked)

People

(Reporter: haik, Unassigned)

References

(Depends on 3 open bugs, Blocks 2 open bugs)

Details

We can get some hardening benefits by using different entitlements for different processes. However, first we need to be able to specify which entitlement files should be used for which files in the .app and add support for this in our codesigning automation.

Depends on: 1593071
Blocks: 1562756
Summary: [macOS] Use different entitlement files for child processes and other resources → [macOS] [automation] Use different entitlement files for child processes and other resources

Bug 1593071 landed the following files to sign the parent process and plugin-container process executables. Once the fix for this bug has landed and we've switched to using the new files for codesigning, we can remove the older production.entitlements.xml and developer.entitlements.xml.

browser.developer.entitlements.xml
browser.production.entitlements.xml
plugin-container.developer.entitlements.xml
plugin-container.production.entitlements.xml

And codesign.bash was updated to apply those to the bundle, but also to only sign the executables using entitlements.

Depends on: 1606746
Depends on: 1606778
Depends on: 1617047
Depends on: 1623878
Blocks: 1474451
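The per-executable signing this bug asks the automation to support, shown as an added shell example (it is not Firefox's codesign.bash): the file names are the ones listed in the comment above, while the path-to-entitlements mapping, the bundle layout and the hardened-runtime `--options runtime` flag are assumptions.

```shell
#!/bin/sh
# Added example, not Firefox's codesign.bash: sign a .app so that only the
# two executables receive entitlements (each its own file, per build flavor)
# while every other file in the bundle is signed with no entitlements at all.
# Assumed: the bundle layout, the "--options runtime" hardened-runtime flag,
# and the path mapping; the file names follow the bug comment.
set -eu

# Signing command; overridable so the selection logic can run without macOS.
CODESIGN="${CODESIGN:-codesign}"

# Map a path relative to the .app to its entitlements file for the given
# flavor ("developer" or "production"). Prints nothing for anything else.
entitlements_for() {
  rel="$1"; flavor="$2"
  case "$rel" in
    Contents/MacOS/firefox)
      echo "browser.${flavor}.entitlements.xml" ;;
    Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container)
      echo "plugin-container.${flavor}.entitlements.xml" ;;
    *) ;;
  esac
}

# Sign one file: pass --entitlements only when the map says so. Libraries,
# frameworks and resources never carry entitlements, so a loosened
# entitlement meant for one process cannot leak into another.
sign_one() {
  app="$1"; rel="$2"; flavor="$3"; identity="$4"
  ent="$(entitlements_for "$rel" "$flavor")"
  if [ -n "$ent" ]; then
    "$CODESIGN" --force --options runtime --sign "$identity" \
      --entitlements "$ent" "$app/$rel"
  else
    "$CODESIGN" --force --options runtime --sign "$identity" "$app/$rel"
  fi
}

# Sign the paths given as arguments, which must be ordered deepest first
# (e.g. from `find "$app" -depth`), so nested code is sealed before the
# bundle that contains it; signing outer code first leaves a stale seal.
sign_bundle() {
  app="$1"; flavor="$2"; identity="$3"; shift 3
  for rel in "$@"; do
    sign_one "$app" "$rel" "$flavor" "$identity"
  done
}
```

Setting `CODESIGN` to a logging function, as the comment notes, lets the selection logic be checked on a non-Mac CI host before the real signing run.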