xamarin / xamarin-macios

.NET for iOS, Mac Catalyst, macOS, and tvOS provide open-source bindings of the Apple SDKs for use with .NET managed languages such as C#

SkipCodesignItems does not work when the app bundle specified (not a single file) #19222

Open snechaev opened 10 months ago

snechaev commented 10 months ago

Steps to Reproduce

  1. Download signTest1.zip
  2. Navigate to the folder with the solution file.
  3. Build in the Release configuration: dotnet build -c Release
  4. Check the signatures for main and helper app bundles:
    codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app
    codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app

Expected Behavior

Both bundles are signed, so output should be

~/Downloads/signTest1$ codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app
./Main/bin/Release/net6.0-macos/osx-x64/main.app: valid on disk
./Main/bin/Release/net6.0-macos/osx-x64/main.app: satisfies its Designated Requirement
----------

~/Downloads/signTest1$ codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app
./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app: valid on disk
./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app: satisfies its Designated Requirement

Actual Behavior

The signature of the main app bundle is ok, but the signature of the embedded helper app bundle is broken:

~/Downloads/signTest1$ codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app
./Main/bin/Release/net6.0-macos/osx-x64/main.app: valid on disk
./Main/bin/Release/net6.0-macos/osx-x64/main.app: satisfies its Designated Requirement
----------

~/Downloads/signTest1$ codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app
./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app: a sealed resource is missing or invalid
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Native.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libcoreclr.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.IO.Compression.Native.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Globalization.Native.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.Apple.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Net.Security.Native.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libhostfxr.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libhostpolicy.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.OpenSsl.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libmscordaccore.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libmscordbi.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libdbgshim.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libclrjit.dylib

Environment

Version information

```
Visual Studio Professional 2022 for Mac
Version 17.6.5 (build 417)
Installation UUID: d19bbf74-d8b5-4bb1-8354-e54c9202ea1c

Runtime
.NET 7.0.3 (64-bit)
Architecture: X64
Microsoft.macOS.Sdk 13.1.1007; git-rev-head:8afca776a0a96613dfb7200e0917bb57f9ed5583; git-branch:release/7.0.1xx-xcode14.2

Roslyn (Language Service)
4.6.0-3.23180.6+99e956e42697a6dd886d1e12478ea2b27cceacfa

NuGet
Version: 6.4.0.117

.NET SDK (x64)
SDK: /usr/local/share/dotnet/sdk/7.0.309/Sdks
SDK Versions:
7.0.309
7.0.308
7.0.307
7.0.306
7.0.304
7.0.302
6.0.415
6.0.414
6.0.413
6.0.412
6.0.410
6.0.408
MSBuild SDKs: /Applications/Visual Studio.app/Contents/MonoBundle/MSBuild/Current/bin/Sdks

.NET Runtime (x64)
Runtime: /usr/local/share/dotnet/dotnet
Runtime Versions:
7.0.12
7.0.11
7.0.10
7.0.9
7.0.7
7.0.5
6.0.23
6.0.22
6.0.21
6.0.20
6.0.18
6.0.16

Xamarin.Profiler
Version: 1.8.0.49
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler

Updater
Version: 11

Apple Developer Tools
Xcode: 14.3 21812
Build: 14E222b

Xamarin.Mac
Version: 9.3.0.18 Visual Studio Professional
Hash: 9d266025e
Branch: xcode14.3
Build date: 2023-09-06 19:52:26-0400

Xamarin.iOS
Version: 16.4.0.18 Visual Studio Professional
Hash: 9d266025e
Branch: xcode14.3
Build date: 2023-09-06 19:52:27-0400

Xamarin Designer
Version: 17.6.3.9
Hash: 2648399ae8
Branch: remotes/origin/d17-6
Build date: 2023-10-04 18:09:14 UTC

Xamarin.Android
Version: 13.2.2.0 (Visual Studio Professional)
Commit: xamarin-android/d17-5/45b0e14
Android SDK: /Users/sergey/Library/Developer/Xamarin/android-sdk-macosx
Supported Android versions:
12.0 (API level 31)
13.0 (API level 33)

SDK Command-line Tools Version: 7.0
SDK Platform Tools Version: 33.0.3
SDK Build Tools Version: 32.0.0

Build Information:
Mono: d9a6e87
Java.Interop: xamarin/java.interop/d17-5@149d70fe
SQLite: xamarin/sqlite/3.40.1@68c69d8
Xamarin.Android Tools: xamarin/xamarin-android-tools/d17-5@ca1552d

Microsoft Build of OpenJDK
Java SDK: /Library/Java/JavaVirtualMachines/microsoft-11.jdk
11.0.16.1
Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

Eclipse Temurin JDK
Java SDK: /Library/Java/JavaVirtualMachines/temurin-8.jdk
1.8.0.302
Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

Android SDK Manager
Version: 17.6.0.50
Hash: a715dca
Branch: HEAD
Build date: 2023-10-04 18:09:20 UTC

Android Device Manager
Version: 0.0.0.1309
Hash: 06e3e77
Branch: HEAD
Build date: 2023-10-04 18:09:20 UTC

Build Information
Release ID: 1706050417
Git revision: 6d6585a706becbd4a5be3b0e99ace260dfdf5748
Build date: 2023-10-04 18:07:30+00
Build branch: release-17.6
Build lane: release-17.6

Operating System
Mac OS X 13.5.0
Darwin 22.6.0 Darwin Kernel Version 22.6.0
Wed Jul 5 22:21:56 PDT 2023 root:xnu-8796.141.3~6/RELEASE_X86_64 x86_64
```

Build Logs

msbuild.zip

Example Project (If Possible)

signTest1.zip

Additional details

This issue is a successor of the https://github.com/xamarin/xamarin-macios/issues/15594.

The task is the same - I need to embed the helper.app app bundle into the main.app and then somehow run it with the Process.Start. And all of this should be properly signed and notarized.

I copy the helper.app into the main.app using additional msbuild targets (see main.csproj). This works fine.

Since the helper.app is already signed when it is copied into the main.app, I used the SkipCodesignItems to prevent it from being re-signed (based on this sample from tests):

<ItemGroup>
    <SkipCodesignItems Include="Contents/SharedSupport/helper.app" />
</ItemGroup>

This does not work and gives the errors mentioned above. I can replace this with the list of all dylibs inside helper.app and the signature will be ok, but it's obviously not the best solution:

<!-- The following works, but is fragile as it requires listing all dylibs, including standard and 3rd-party -->
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libcoreclr.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Native.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.IO.Compression.Native.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Globalization.Native.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.Apple.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Net.Security.Native.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libhostfxr.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libhostpolicy.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libmscordaccore.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libmscordbi.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.OpenSsl.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libdbgshim.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libclrjit.dylib"/>
rolfbjarne commented 10 months ago

You should be able to use a glob like this:

<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/*.dylib"/>

that way you don't have to keep the list of files up-to-date.

snechaev commented 10 months ago

Unfortunately, the wildcard-based workaround works only partially and is not usable in production. It works for dotnet build when it is called from the folder containing the solution. It does not work (file modified: errors for all dylibs inside helper.app) when I run Build/Rebuild from VSfM (by right-clicking the Main project and selecting Build or Rebuild from the context menu).

I understand that VSfM is EOL, but this inconsistent behavior may indicate some flaws inside the signing logic.

The explicit list of all dylibs works in both scenarios (but has its own disadvantages, mentioned above).
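The failure mode in this thread is easy to miss because the outer bundle verifies clean while an embedded bundle in a non-standard location (`Contents/SharedSupport`) has a broken seal. The following POSIX shell script is an added example, not code from the issue or from the xamarin-macios project: it enumerates every nested bundle under an `.app` itself (rather than relying on `codesign --deep` alone), runs a strict verification on each, and extracts the paths codesign reports as modified, missing or added so the result can be checked in CI before notarization. The bundle names, the helper paths and the sample codesign output inside it are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify an .app and every bundle nested inside it with
# codesign --verify --deep --strict, reporting sealed resources that changed.
# Names and paths are illustrative; nothing here comes from the issue's project.

# Turn "codesign --verify --verbose" output (stdin) into one path per line for
# every "file modified:", "file missing:" or "file added:" diagnostic.
codesign_broken_files() {
    awk '/^file (modified|missing|added): / { sub(/^file [a-z]+: /, ""); print }'
}

# List code bundles nested anywhere under the given bundle, including ones in
# locations that --deep does not treat as nested code (e.g. Contents/SharedSupport).
nested_bundles() {
    find "$1" -mindepth 1 -type d \
        \( -name '*.app' -o -name '*.framework' -o -name '*.appex' -o -name '*.xpc' \)
}

# Verify the bundle and each nested bundle with strict checking.
# Prints OK/FAIL per bundle plus the broken paths; returns non-zero on any failure.
# Requires the macOS codesign(1) tool; skipped where it is not installed.
verify_bundle() {
    bundle=$1
    fails=0
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available on this host" >&2
        return 2
    fi
    oldifs=$IFS
    IFS='
'
    for b in "$bundle" $(nested_bundles "$bundle"); do
        IFS=$oldifs
        # --strict rejects the legacy-signature leniencies; --verbose=2 lists each
        # broken sealed resource on stderr, which we capture together with stdout.
        if out=$(codesign --verify --deep --strict --verbose=2 "$b" 2>&1); then
            printf 'OK   %s\n' "$b"
        else
            fails=$((fails + 1))
            printf 'FAIL %s\n' "$b"
            printf '%s\n' "$out" | codesign_broken_files | sed 's/^/     /'
        fi
    done
    IFS=$oldifs
    [ "$fails" -eq 0 ]
}

# Usage: sh verify_nested.sh ./Main/bin/Release/net6.0-macos/osx-x64/main.app
if [ $# -gt 0 ]; then
    verify_bundle "$1"
fi
```

Run it against the build output after `dotnet build -c Release`; a non-zero exit means at least one bundle would be rejected by Gatekeeper or the notarization service. Because nested bundles are enumerated explicitly, a helper copied into `Contents/SharedSupport` is checked on its own even when the parent's seal was computed after the helper's dylibs were re-signed.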