Use managed signer for bundles #110417
Use managed signer for bundles #110417
Conversation
- Write out the updated symtab command when writing Mach-O file - Pass macosCodesign through to test CreateAppHost methods - Remove redundant `codesign` checks - Warn when bundler is told to sign the bundle for a non-macos target
- Allow macosCodesign to be true for non-mac bundles - Allow some padding between string table and signature
Copilot
AI
left a comment
Copilot
AI
left a comment
There was a problem hiding this comment.
Copilot reviewed 5 out of 12 changed files in this pull request and generated 2 suggestions.
Files not reviewed (7)
- src/installer/managed/Microsoft.NET.HostModel/AppHost/MachOUtils.cs: Evaluated as low risk
- src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs: Evaluated as low risk
- src/installer/tests/TestUtils/TestApp.cs: Evaluated as low risk
- src/installer/managed/Microsoft.NET.HostModel/MachO/MachOFormatError.cs: Evaluated as low risk
- src/installer/tests/Microsoft.NET.HostModel.Tests/AppHost/CreateAppHost.cs: Evaluated as low risk
- src/installer/managed/Microsoft.NET.HostModel/Bundle/Bundler.cs: Evaluated as low risk
- src/installer/tests/TestUtils/SingleFileTestApp.cs: Evaluated as low risk
Comments skipped due to low confidence (2)
src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.cs:22
- There is an extra semicolon at the end of the line.
uint csSize = CodeSignature.GetCodeSignatureSize(GetSignatureStart(), identifier);;
src/installer/tests/Microsoft.NET.HostModel.Tests/MachObjectSigning/SigningTests.cs:33
- The 'MemoryMappedFileAccess.CopyOnWrite' might not be necessary for a read-only check. Consider using 'MemoryMappedFileAccess.Read' instead.
using (var managedSignedAccessor = memoryMappedFile.CreateViewAccessor(0, 0, MemoryMappedFileAccess.CopyOnWrite))
src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.cs
Outdated
Show resolved
Hide resolved
src/installer/tests/Microsoft.NET.HostModel.Tests/MachObjectSigning/SigningTests.cs
Outdated
Show resolved
Hide resolved
jtschuster
changed the title
There was a problem hiding this comment.
Now that we don't use codesign for signing, it looks like the executables are sometimes getting killed by antivirus when tests try to run them immediately after they are modified, leading to flaky tests (locally at least). I'm looking into either retrying or running codesign -v before running the apps on Mac.
What was the end result here? Could a product scenario hit the same thing with running immediately after publish with signing?
src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs
Outdated
Show resolved
Hide resolved
src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs
Outdated
Show resolved
Hide resolved
| long mmapFileSize = macosCodesign ? | ||
| bundleSize + MachObjectFile.GetSignatureSizeEstimate((uint)bundleSize, Path.GetFileName(appHostPath)) |
There was a problem hiding this comment.
nit: I find this alignment easier to read
| long mmapFileSize = macosCodesign ? | |
| bundleSize + MachObjectFile.GetSignatureSizeEstimate((uint)bundleSize, Path.GetFileName(appHostPath)) | |
| long mmapFileSize = macosCodesign | |
| ? bundleSize + MachObjectFile.GetSignatureSizeEstimate((uint)bundleSize, Path.GetFileName(appHostPath)) |
src/installer/tests/Microsoft.NET.HostModel.Tests/Bundle/BundlerConsistencyTests.cs
Outdated
Show resolved
Hide resolved
src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs
Outdated
Show resolved
Hide resolved
- Use the same memory-mapped file instance for placeholder replacement and signing - formatting changes
It looks like the issue is probably related to modifying the exe in place: https://developer.apple.com/documentation/security/updating-mac-software#Update-Files-that-Include-Signed-Code I'll update the code to use CopyOnWrite memory-mapped files, write a new file, then replace the old one. |
Ah, does it cache once the file is created? I had thought it would only cache when it is first run.
I guess doing the inode check with |
It was still broken after changing the behavior to create a new inode. I had forgotten to update the VMSize field of the __LINKEDIT segment when creating the signature. The file size was larger than the VMSize, and that was causing sporadic crashes, but I only noticed it in the larger bundles with larger signatures. I left in the "copy to a temp file, edit, then replace" behavior anyway to make sure we match |
Updates the single-file bundler to use the managed Mach-O signer. Adds the SymbolTable load command to the MachObjectFile class and adds a method to extend the symbol table to include the bundled data. Adds validation when creating a MachObjectFile from a file on disk.
Now that we don't use codesign for signing, it looks like the executables are sometimes getting killed by antivirus when tests try to run them immediately after they are modified, leading to flaky tests (locally at least). I'm looking into either retrying or running
codesign -vbefore running the apps on Mac.Fixes #110055