[R-SIG-Mac] get-task-allow entitlement

Gábor Csárdi csardi.gabor using gmail.com
Tue Apr 5 09:28:11 CEST 2022


Thanks! node.js is notarized with these entitlements, so I am fairly
sure that Apple will allow it.

I have re-signed all my R installations and added this entitlement
some time ago, and haven't seen any issues so far. But yeah, that is
not much testing at all.

Btw. if anyone wants to add it to already installed R versions, it
goes like this. Replace the version number (installation directory) as
needed:
    # 1. dump the current entitlements as an XML plist
    codesign -d --xml --entitlements - \
        /Library/Frameworks/R.framework/Versions/4.1-arm64/Resources/bin/exec/R \
        > ~/r.entitlements
    # 2. add the get-task-allow key
    /usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" \
        ~/r.entitlements
    # 3. re-sign (ad hoc) with the extended entitlements
    sudo codesign -s - -f --entitlements ~/r.entitlements \
        /Library/Frameworks/R.framework/Versions/4.1-arm64/Resources/bin/exec/R

I have also added this to https://github.com/gaborcsardi/rim so you can run
    rim system allow-debugger --all
to update all installed versions of R.

Thanks for considering this,
G.

On Tue, Apr 5, 2022 at 1:04 AM Simon Urbanek
<simon.urbanek using r-project.org> wrote:
>
> Gábor,
>
> thanks. I will check the notarization process to see if Apple will allow it. There are some restrictions for processes that have the get-task-allow entitlement, so if it is allowed I would ask for some more testing to make sure this doesn't affect something else in the R ecosystem. I agree that having to clear the entitlements to debug R is a bit of a pain.
>
> Thanks,
> Simon
>
>
>
> > On 5/04/2022, at 4:59 AM, Gábor Csárdi <csardi.gabor using gmail.com> wrote:
> >
> > Simon, I wonder if you would consider adding the get-task-allow
> > entitlement to the R builds.
> >
> > get-task-allow allows debugging with lldb or other debuggers, and also
> > enables core dumps.
> >
> > Apple suggests that you avoid get-task-allow in production builds:
> > https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues?language=objc
> > However, they also note here that a legitimate use case for it is
> > allowing the debugging of plugins, which is exactly the case we have
> > for R:
> >
> > "To enable debugging a plug-in in the context of a host executable,
> > the host can include the com.apple.security.get-task-allow entitlement
> > if it also includes the Disable Library Validation Entitlement. Don’t
> > disable library validation for executables that don’t host plug-ins
> > because library validation protects them from loading untrusted code."
> >
> > R already has disable-library-validation of course.
> >
> > FWIW node.js, which is a similar environment to R, in that it needs to
> > load extension packages, added this to their builds:
> > https://github.com/nodejs/node/pull/34378
> > https://github.com/nodejs/node/commit/b0e4970b8fe0dbd6bf437b3b06d0438d906ea94d
> >
> > G.
> >
> > _______________________________________________
> > R-SIG-Mac mailing list
> > R-SIG-Mac using r-project.org
> > https://stat.ethz.ch/mailman/listinfo/r-sig-mac
> >
>

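Added example, not code from the thread, from R or from rim: a Python version of the three-step recipe above (dump entitlements, add the key, re-sign ad hoc). It parses the dump with plistlib so the entitlement set can be inspected before codesign is touched, and it enforces the Apple guidance quoted in the thread: get-task-allow is only added when com.apple.security.cs.disable-library-validation is already present, i.e. when the binary really is a plug-in host. The sample plist is constructed; the script name, the default output file name and the assumption that codesign accepts --xml (the flag the recipe relies on) are mine.

```python
"""Add com.apple.security.get-task-allow to an already-signed macOS binary.

Added example (not from the R-SIG-Mac thread, R or rim). Steps:
  1. codesign -d --xml --entitlements - <binary>   -> current entitlements
  2. set com.apple.security.get-task-allow = true  (after a sanity check)
  3. codesign -s - -f --entitlements <plist> <binary>  (ad hoc re-sign)
Assumes a codesign that accepts --xml, as the recipe in the thread does.
"""
import plistlib
import subprocess
import sys

GET_TASK_ALLOW = "com.apple.security.get-task-allow"
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"

# Constructed sample of what step 1 prints for a host that already disables
# library validation (the thread says R does).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
"""


def parse_entitlements(xml_bytes: bytes) -> dict:
    """Parse the XML plist codesign prints; an empty dump means no entitlements."""
    if not xml_bytes.strip():
        return {}
    return plistlib.loads(xml_bytes)


def add_get_task_allow(entitlements: dict) -> dict:
    """Return a copy with get-task-allow set.

    Refuses a host that still enforces library validation: Apple's note
    pairs get-task-allow with disable-library-validation for plug-in hosts,
    and a binary without the latter should keep its protections.
    """
    if not entitlements.get(DISABLE_LIB_VALIDATION):
        raise ValueError(
            f"{DISABLE_LIB_VALIDATION} is not set; "
            "get-task-allow is only justified for a plug-in host")
    updated = dict(entitlements)
    updated[GET_TASK_ALLOW] = True
    return updated


def dump_entitlements(entitlements: dict) -> bytes:
    """Serialise back to the XML plist form that codesign --entitlements reads."""
    return plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)


def current_entitlements(binary: str) -> bytes:
    """Step 1: the plist goes to stdout, so it can be captured directly."""
    proc = subprocess.run(
        ["codesign", "-d", "--xml", "--entitlements", "-", binary],
        check=True, capture_output=True)
    return proc.stdout


def resign_ad_hoc(binary: str, entitlements_file: str) -> None:
    """Step 3: replace the existing signature ad hoc (-s -) with new entitlements."""
    subprocess.run(
        ["codesign", "-s", "-", "-f", "--entitlements", entitlements_file, binary],
        check=True)


def allow_debugger(binary: str, entitlements_file: str) -> bool:
    """Whole procedure; returns False if the binary already has the entitlement."""
    ents = parse_entitlements(current_entitlements(binary))
    if ents.get(GET_TASK_ALLOW):
        return False
    with open(entitlements_file, "wb") as fh:
        fh.write(dump_entitlements(add_get_task_allow(ents)))
    resign_ad_hoc(binary, entitlements_file)
    return True


if __name__ == "__main__":
    # Hypothetical usage: sudo python3 allow_debugger.py <binary> [entitlements.plist]
    target = sys.argv[1]
    out = sys.argv[2] if len(sys.argv) > 2 else "r.entitlements"
    print("re-signed" if allow_debugger(target, out) else "already allowed")
```

The check in add_get_task_allow is the practical caveat: the one-liner with PlistBuddy happily adds get-task-allow to any binary, while the script refuses unless library validation is already disabled, which is the only case Apple's notarization notes describe as legitimate.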