Entitle macOS executables while building (#92967)

dotnet · Oct 10, 2023 · 4f77a1b · 4f77a1b
1 parent 5b7ab04
commit 4f77a1b
Show file tree

Hide file tree

Showing 13 changed files with 44 additions and 12 deletions.
diff --git a/...ines/common/createdump-entitlements.plist → eng/native/createdump-entitlements.plist b/...ines/common/createdump-entitlements.plist → eng/native/createdump-entitlements.plist
diff --git a/eng/pipelines/common/entitlements.plist → eng/native/entitlements.plist b/eng/pipelines/common/entitlements.plist → eng/native/entitlements.plist
diff --git a/eng/native/functions.cmake b/eng/native/functions.cmake
@@ -649,3 +649,16 @@ function(add_library_clr targetName kind)
     strip_symbols(${ARGV0} symbolFile)
   endif()
 endfunction()
+
+# Adhoc sign targetName with the entitlements in entitlementsFile.
+function(adhoc_sign_with_entitlements targetName entitlementsFile)
+    # Add a dependency from a source file for the target on the entitlements file to ensure that the target is rebuilt if only the entitlements file changes.
+    get_target_property(sources ${targetName} SOURCES)
+    list(GET sources 0 firstSource)
+    set_source_files_properties(${firstSource} PROPERTIES OBJECT_DEPENDS ${entitlementsFile})
+
+    add_custom_command(
+        TARGET ${targetName}
+        POST_BUILD
+        COMMAND codesign -s - -f --entitlements ${entitlementsFile} $<TARGET_FILE:${targetName}>)
+endfunction()
diff --git a/eng/pipelines/common/macos-sign-with-entitlements.yml b/eng/pipelines/common/macos-sign-with-entitlements.yml
@@ -11,9 +11,6 @@ steps:
       installationPath: '$(Agent.TempDirectory)/dotnet'
 
   - ${{ each file in parameters.filesToSign }}:
-    - script: codesign -s - -f --entitlements ${{ file.entitlementsFile }} ${{ file.path }}/${{ file.name }}
-      displayName: 'Add entitlements to ${{ file.name }}'
-
     - task: CopyFiles@2
       displayName: 'Copy entitled file ${{ file.name }}'
       inputs:
@@ -49,7 +46,7 @@ steps:
             "toolName": "sign",
             "toolVersion": "1.0"
           }
-        ]  
+        ]
       SessionTimeout: ${{ parameters.timeoutInMinutes }}
       MaxConcurrency: '50'
       MaxRetryAttempts: '5'

diff --git a/eng/pipelines/coreclr/templates/build-job.yml b/eng/pipelines/coreclr/templates/build-job.yml
@@ -197,10 +197,8 @@ jobs:
             filesToSign:
             - name: createdump
               path: $(buildProductRootFolderPath)
-              entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/createdump-entitlements.plist
             - name: corerun
               path: $(buildProductRootFolderPath)
-              entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
 
         - task: CopyFiles@2
           displayName: 'Copy signed createdump to sharedFramework'

diff --git a/eng/pipelines/installer/jobs/build-job.yml b/eng/pipelines/installer/jobs/build-job.yml
@@ -347,7 +347,6 @@ jobs:
           displayName: Collect vslogs on exit
           condition: always()
 
-
       - ${{ if in(parameters.osGroup, 'osx', 'ios', 'tvos') }}:
         - script: |
             du -sh $(Build.SourcesDirectory)/*

diff --git a/eng/pipelines/runtime-official.yml b/eng/pipelines/runtime-official.yml
@@ -149,16 +149,12 @@ extends:
                     filesToSign:
                     - name: createdump
                       path: $(Build.SourcesDirectory)/artifacts/bin/coreclr/$(osGroup).$(archType).$(_BuildConfig)
-                      entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/createdump-entitlements.plist
                     - name: corerun
                       path: $(Build.SourcesDirectory)/artifacts/bin/coreclr/$(osGroup).$(archType).$(_BuildConfig)
-                      entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
                     - name: dotnet
                       path: $(Build.SourcesDirectory)/artifacts/bin/$(osGroup)-$(archType).$(_BuildConfig)/corehost
-                      entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
                     - name: apphost
                       path: $(Build.SourcesDirectory)/artifacts/bin/$(osGroup)-$(archType).$(_BuildConfig)/corehost
-                      entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
 
               - task: CopyFiles@2
                 displayName: 'Copy signed createdump to sharedFramework'

diff --git a/src/coreclr/debug/createdump/CMakeLists.txt b/src/coreclr/debug/createdump/CMakeLists.txt
@@ -106,4 +106,8 @@ endif(CLR_CMAKE_HOST_OSX)
 
 endif(CLR_CMAKE_HOST_WIN32)
 
+if (CLR_CMAKE_HOST_APPLE)
+    adhoc_sign_with_entitlements(createdump "${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist")
+endif()
+
 install_clr(TARGETS createdump DESTINATIONS . sharedFramework COMPONENT runtime)
diff --git a/src/coreclr/hosts/corerun/CMakeLists.txt b/src/coreclr/hosts/corerun/CMakeLists.txt
@@ -38,9 +38,13 @@ else(CLR_CMAKE_HOST_WIN32)
     endif()
 endif(CLR_CMAKE_HOST_WIN32)
 
+if (CLR_CMAKE_HOST_APPLE)
+    adhoc_sign_with_entitlements(corerun "${CLR_ENG_NATIVE_DIR}/entitlements.plist")
+endif()
+
 install_clr(TARGETS corerun DESTINATIONS . COMPONENT hosts)
 
 # If there's a dynamic ASAN runtime, then install it in the directory where we put our executable.
 if (NOT "${ASAN_RUNTIME}" STREQUAL "")
     install(FILES ${ASAN_RUNTIME} DESTINATION .)
-endif()
+endif()
diff --git a/src/libraries/sendtohelixhelp.proj b/src/libraries/sendtohelixhelp.proj
@@ -261,6 +261,14 @@
       </HelixPostCommands>
     </PropertyGroup>
 
+    <!-- ad-hoc sign createdump on the helix machine to allow us to collect dumps -->
+    <PropertyGroup Condition="'$(RuntimeFlavor)' == 'CoreCLR' and '$(TargetOS)' == 'osx'">
+      <HelixPreCommands>
+        $(HelixPreCommands);
+        find $HELIX_CORRELATION_PAYLOAD -name createdump | xargs -n 1 codesign -s - -f --preserve-metadata=entitlements
+      </HelixPreCommands>
+    </PropertyGroup>
+
     <Error Condition="'$(NeedsWorkload)' == 'true' and '$(TestUsingWorkloads)' == 'true' and ('$(SdkWithWorkloadForTestingPath)' == '' or !Exists($(SdkWithWorkloadForTestingPath)))"
            Text="Could not find workload at %24(SdkWithWorkloadForTestingPath)=$(SdkWithWorkloadForTestingPath)" />
 

diff --git a/src/native/corehost/apphost/standalone/CMakeLists.txt b/src/native/corehost/apphost/standalone/CMakeLists.txt
@@ -52,3 +52,7 @@ endif()
 if (CLR_CMAKE_TARGET_WIN32 AND CLR_CMAKE_TARGET_ARCH_ARM64)
     target_link_libraries(apphost PRIVATE shell32.lib)
 endif()
+
+if (CLR_CMAKE_HOST_APPLE)
+    adhoc_sign_with_entitlements(apphost "${CLR_ENG_NATIVE_DIR}/entitlements.plist")
+endif()
diff --git a/src/native/corehost/dotnet/CMakeLists.txt b/src/native/corehost/dotnet/CMakeLists.txt
@@ -15,3 +15,7 @@ list(APPEND SOURCES
 )
 
 include(../exe.cmake)
+
+if (CLR_CMAKE_HOST_APPLE)
+    adhoc_sign_with_entitlements(dotnet "${CLR_ENG_NATIVE_DIR}/entitlements.plist")
+endif()
diff --git a/src/tests/Common/helixpublishwitharcade.proj b/src/tests/Common/helixpublishwitharcade.proj
@@ -875,6 +875,11 @@
     </ItemGroup>
   </Target>
 
+  <!-- Adhoc-sign createdump so we can use it in our tests -->
+  <PropertyGroup Condition="'$(RuntimeFlavor)' == 'CoreCLR' and '$(TargetOS)' == 'osx'">
+    <HelixPreCommands>$(HelixPreCommands);codesign -s - -f --preserve-metadata=entitlements $HELIX_CORRELATION_PAYLOAD/createdump</HelixPreCommands>
+  </PropertyGroup>
+
   <PropertyGroup>
     <SigningCommand Condition="'$(TargetOS)' == 'iOS' or '$(TargetOS)' == 'tvOS'">
     <![CDATA[