Use managed Mach-O signer on non-Mac hosts #45019
Conversation
|
I couldn't figure out the best area label to add to this PR. If you have write-permissions please help me learn by adding exactly one area label. |
1 similar comment
|
I couldn't figure out the best area label to add to this PR. If you have write-permissions please help me learn by adding exactly one area label. |
| .And | ||
| .HaveStdErrContaining($"{appHostFullPath}: is already signed"); | ||
| // osx-arm64 is only supported on net6.0+ | ||
| string[] x64OnlyTfms = ["netcoreapp3.1", "net5.0"]; |
There was a problem hiding this comment.
I think we can just remove the netcoreapp3.1 and net5.0 coverage here. They've been out of support for 2+ years and I don't think there's anything particularly interesting about them from the host side (even for single-file, I think it is covered by our tests for various bundler options).
| if (!selfContained) | ||
| buildArgs.Add("/p:PublishSingleFile=true"); |
There was a problem hiding this comment.
Not part of your change, but I don't think this is necessary. PublishSingleFile shouldn't do anything interesting when just building (other than enable the analyzer I think, but that shouldn't be the point of this test).
| [InlineData("net5.0")] | ||
| [InlineData(ToolsetInfo.CurrentTargetFramework)] | ||
| public void It_codesigns_a_framework_dependent_app(string targetFramework) | ||
| public static TheoryData<string, string, bool> OsxPublishingOptions() |
There was a problem hiding this comment.
nit: OsxPublishingOptions -> OsxBuildOptions?
| @@ -509,5 +507,62 @@ private static bool IsPE32(string path) | |||
| return reader.PEHeaders.PEHeader.Magic == PEMagic.PE32; | |||
| } | |||
| } | |||
|
|
|||
| // Reads the Mach-O load commands and returns true if an LC_CODE_SIGNATURE command is found, otherwise returns false | |||
| static bool HasMachOSignatureLoadCommand(FileInfo file) | |||
There was a problem hiding this comment.
Doesn't matter for this change, but we may want this in a shared test helper so that we can add cross-platform checks for single-file publish with signing after dotnet/runtime#110417 goes in.
| Debug.Assert(stream.Position == loadCommandsSize + 32); | ||
| return hasSignature; | ||
|
|
||
| void ReadUints(Stream stream, Span<byte> buffer, out uint val1, out uint val2) |
There was a problem hiding this comment.
nit: ReadUints -> ReadUInts
| { | ||
| hasSignature = true; | ||
| } | ||
| stream.Position += commandSize-8; |
There was a problem hiding this comment.
nit: I think this is a little clearer that it is accounting for what ReadUInts did.
| stream.Position += commandSize-8; | |
| stream.Position += commandSize - eightByteBuffer.Length; |
In dotnet/runtime#108992, we added a managed ad-hoc signer that's used in HostWriter.CreateAppHost. This PR enables it to be used in the sdk when publishing for osx on non-Mac hosts so that developers can distribute an ad-hoc signed binary without using a Mac.
Tests on all platforms ensure that there is a load command with the LC_CODE_SIGNATURE command type in the Mach-O binary. On MacOS, codesign is used to fully validate the signature in addition.