dotnet tools do not support differing entitlements than the dotnet muxer on Mac
See https://github.com/dotnet/runtime/issues/63952 for context. In this case, a dotnet tool requires more entitlements than dotnet, so it can't be executed using the dotnet muxer. If dotnet tools always use an apphost, then the host should be ad hoc signed, which would allow all requirements.
This issue affects dotnet test as well.
@agocke Do we have to increase the entitlements for the host created during tool install? Is there risk in setting more entitlements for dotnet?
> Is there risk in setting more entitlements for dotnet?
Yeah, those are minimum install requirements for dotnet, so we want that list to be as small as possible. For the dotnet tool, the host that sometimes gets created is ad hoc signed, so it automatically has all entitlements. I believe the improvement here would be to always create and use a host for dotnet tools.
I suspect with the new possibility of RID-specific tools, a tool author would be able to ensure that their macOS variants have all of the entitlements they require?