diff --git a/eng/pipelines/common/createdump-entitlements.plist b/eng/native/createdump-entitlements.plist
similarity index 100%
rename from eng/pipelines/common/createdump-entitlements.plist
rename to eng/native/createdump-entitlements.plist
diff --git a/eng/pipelines/common/entitlements.plist b/eng/native/entitlements.plist
similarity index 100%
rename from eng/pipelines/common/entitlements.plist
rename to eng/native/entitlements.plist
diff --git a/eng/native/functions.cmake b/eng/native/functions.cmake
index c9f8a619a52913..543722a9c0a59e 100644
--- a/eng/native/functions.cmake
+++ b/eng/native/functions.cmake
@@ -649,3 +649,16 @@ function(add_library_clr targetName kind)
 strip_symbols(${ARGV0} symbolFile)
 endif()
 endfunction()
+
+# Adhoc sign targetName with the entitlements in entitlementsFile.
+function(adhoc_sign_with_entitlements targetName entitlementsFile)
+ # Add a dependency from a source file for the target on the entitlements file to ensure that the target is rebuilt if only the entitlements file changes.
+ get_target_property(sources ${targetName} SOURCES)
+ list(GET sources 0 firstSource)
+ set_source_files_properties(${firstSource} PROPERTIES OBJECT_DEPENDS ${entitlementsFile})
+
+ add_custom_command(
+ TARGET ${targetName}
+ POST_BUILD
+ COMMAND codesign -s - -f --entitlements ${entitlementsFile} $)
+endfunction()
diff --git a/eng/pipelines/common/macos-sign-with-entitlements.yml b/eng/pipelines/common/macos-sign-with-entitlements.yml
index 4879c5410ea0bd..cf31a32da371e2 100644
--- a/eng/pipelines/common/macos-sign-with-entitlements.yml
+++ b/eng/pipelines/common/macos-sign-with-entitlements.yml
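Review bot: The POST_BUILD command in `adhoc_sign_with_entitlements` is registered without `VERBATIM`, expands `${entitlementsFile}` unquoted, and resolves `codesign` from PATH at build time, so a path containing a space or a shadowed `codesign` changes what ends up signed. I would add `VERBATIM`, quote the argument as `--entitlements "${entitlementsFile}"`, and invoke `/usr/bin/codesign` (or a `find_program` result checked at configure time). `list(GET sources 0 firstSource)` also runs without checking that `get_target_property` found anything; with no SOURCES the `OBJECT_DEPENDS` link is set on a bogus name and an entitlements-only change would leave the old signature in place, so guard it with `if(NOT sources)` and a `message(FATAL_ERROR ...)`. The last operand of the command shows as `$)` on this page, which looks like a generator expression lost in rendering; confirm it against the real file.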
@@ -11,9 +11,6 @@ steps: installationPath: '$(Agent.TempDirectory)/dotnet' - ${{ each file in parameters.filesToSign }}: - - script: codesign -s - -f --entitlements ${{ file.entitlementsFile }} ${{ file.path }}/${{ file.name }} - displayName: 'Add entitlements to ${{ file.name }}' - - task: CopyFiles@2 displayName: 'Copy entitled file ${{ file.name }}' inputs: @@ -49,7 +46,7 @@ steps: "toolName": "sign", "toolVersion": "1.0" } - ] + ] SessionTimeout: ${{ parameters.timeoutInMinutes }} MaxConcurrency: '50' MaxRetryAttempts: '5' diff --git a/eng/pipelines/coreclr/templates/build-job.yml b/eng/pipelines/coreclr/templates/build-job.yml index 99cf517dd3f4d5..9ed21ff433cd9c 100644 --- a/eng/pipelines/coreclr/templates/build-job.yml +++ b/eng/pipelines/coreclr/templates/build-job.yml @@ -197,10 +197,8 @@ jobs: filesToSign: - name: createdump path: $(buildProductRootFolderPath) - entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/createdump-entitlements.plist - name: corerun path: $(buildProductRootFolderPath) - entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist - task: CopyFiles@2 displayName: 'Copy signed createdump to sharedFramework' diff --git a/eng/pipelines/installer/jobs/build-job.yml b/eng/pipelines/installer/jobs/build-job.yml index 43f19c69ccacfc..4647d32d643a0a 100644 --- a/eng/pipelines/installer/jobs/build-job.yml +++ b/eng/pipelines/installer/jobs/build-job.yml @@ -348,7 +348,6 @@ jobs: displayName: Collect vslogs on exit condition: always() - - ${{ if in(parameters.osGroup, 'osx', 'ios', 'tvos') }}: - script: | du -sh $(Build.SourcesDirectory)/* diff --git a/eng/pipelines/runtime-official.yml b/eng/pipelines/runtime-official.yml index 34053b98a2dd14..836117d9c96dfc 100644 --- a/eng/pipelines/runtime-official.yml +++ b/eng/pipelines/runtime-official.yml 
@@ -149,16 +149,12 @@ extends: filesToSign: - name: createdump path: $(Build.SourcesDirectory)/artifacts/bin/coreclr/$(osGroup).$(archType).$(_BuildConfig) - entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/createdump-entitlements.plist - name: corerun path: $(Build.SourcesDirectory)/artifacts/bin/coreclr/$(osGroup).$(archType).$(_BuildConfig) - entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist - name: dotnet path: $(Build.SourcesDirectory)/artifacts/bin/$(osGroup)-$(archType).$(_BuildConfig)/corehost - entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist - name: apphost path: $(Build.SourcesDirectory)/artifacts/bin/$(osGroup)-$(archType).$(_BuildConfig)/corehost - entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist - task: CopyFiles@2 displayName: 'Copy signed createdump to sharedFramework' diff --git a/src/coreclr/debug/createdump/CMakeLists.txt b/src/coreclr/debug/createdump/CMakeLists.txt index c108586ca05108..14475eea5f5fb8 100644 --- a/src/coreclr/debug/createdump/CMakeLists.txt +++ b/src/coreclr/debug/createdump/CMakeLists.txt @@ -106,4 +106,8 @@ endif(CLR_CMAKE_HOST_OSX) endif(CLR_CMAKE_HOST_WIN32) +if (CLR_CMAKE_HOST_APPLE) + adhoc_sign_with_entitlements(createdump "${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist") +endif() + install_clr(TARGETS createdump DESTINATIONS . sharedFramework COMPONENT runtime) diff --git a/src/coreclr/hosts/corerun/CMakeLists.txt b/src/coreclr/hosts/corerun/CMakeLists.txt index 9540fc3b006b9d..8753e0549dccd5 100644 --- a/src/coreclr/hosts/corerun/CMakeLists.txt +++ b/src/coreclr/hosts/corerun/CMakeLists.txt 
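Review bot: The signing call for `createdump` is registered before `install_clr(TARGETS createdump ...)`, and POST_BUILD commands on a target run in the order they were added, so any post-build step that `install_clr` attaches would modify the binary after it has been signed. The body of `install_clr` is not in this diff, but the `strip_symbols(${ARGV0} symbolFile)` call visible in `add_library_clr` suggests these helpers attach strip steps, and stripping a binary after `codesign` invalidates its ad-hoc signature. Consider moving the `if (CLR_CMAKE_HOST_APPLE)` block below `install_clr`, as the apphost and dotnet hunks already place it at the end of their files, or add a `codesign --verify` check on the installed output. The corerun hunk has the same ordering.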
@@ -38,9 +38,13 @@ else(CLR_CMAKE_HOST_WIN32) endif() endif(CLR_CMAKE_HOST_WIN32) +if (CLR_CMAKE_HOST_APPLE) + adhoc_sign_with_entitlements(corerun "${CLR_ENG_NATIVE_DIR}/entitlements.plist") +endif() + install_clr(TARGETS corerun DESTINATIONS . COMPONENT hosts) # If there's a dynamic ASAN runtime, then install it in the directory where we put our executable. if (NOT "${ASAN_RUNTIME}" STREQUAL "") install(FILES ${ASAN_RUNTIME} DESTINATION .) -endif() \ No newline at end of file +endif() diff --git a/src/libraries/sendtohelixhelp.proj b/src/libraries/sendtohelixhelp.proj index e962f493b2c167..6983418b1ff5f1 100644 --- a/src/libraries/sendtohelixhelp.proj +++ b/src/libraries/sendtohelixhelp.proj @@ -261,6 +261,14 @@ + + + + $(HelixPreCommands); + find $HELIX_CORRELATION_PAYLOAD -name createdump | xargs -n 1 codesign -s - -f --preserve-metadata=entitlements + + + diff --git a/src/native/corehost/apphost/standalone/CMakeLists.txt b/src/native/corehost/apphost/standalone/CMakeLists.txt index b682fd9ebaed8d..8a6a23934d85df 100644 --- a/src/native/corehost/apphost/standalone/CMakeLists.txt +++ b/src/native/corehost/apphost/standalone/CMakeLists.txt @@ -52,3 +52,7 @@ endif() if (CLR_CMAKE_TARGET_WIN32 AND CLR_CMAKE_TARGET_ARCH_ARM64) target_link_libraries(apphost PRIVATE shell32.lib) endif() + +if (CLR_CMAKE_HOST_APPLE) + adhoc_sign_with_entitlements(apphost "${CLR_ENG_NATIVE_DIR}/entitlements.plist") +endif() diff --git a/src/native/corehost/dotnet/CMakeLists.txt b/src/native/corehost/dotnet/CMakeLists.txt index 986a09b253252a..d670b95e879c2a 100644 --- a/src/native/corehost/dotnet/CMakeLists.txt +++ b/src/native/corehost/dotnet/CMakeLists.txt @@ -15,3 +15,7 @@ list(APPEND SOURCES ) include(../exe.cmake) + +if (CLR_CMAKE_HOST_APPLE) + adhoc_sign_with_entitlements(dotnet "${CLR_ENG_NATIVE_DIR}/entitlements.plist") +endif() diff --git a/src/tests/Common/helixpublishwitharcade.proj b/src/tests/Common/helixpublishwitharcade.proj index 41e2e6809ffc99..9a61470acd450f 100644 
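Review bot: The added Helix pre-command in sendtohelixhelp.proj pipes `find` into `xargs` with `$HELIX_CORRELATION_PAYLOAD` unquoted and no `-type f`, so a payload path containing whitespace is split into separate arguments and a directory named `createdump` would also be handed to `codesign`. `find "$HELIX_CORRELATION_PAYLOAD" -type f -name createdump -exec codesign -s - -f --preserve-metadata=entitlements {} +` avoids the pipe and the splitting. The helixpublishwitharcade.proj hunk has the same unquoted expansion in `$HELIX_CORRELATION_PAYLOAD/createdump`. The surrounding MSBuild elements are not visible on this page, so I cannot tell whether either command is conditioned on macOS queues; if not, `codesign` will be missing elsewhere. An XML comment saying why the binary has to be re-signed on the Helix machine would help the next reader.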
--- a/src/tests/Common/helixpublishwitharcade.proj +++ b/src/tests/Common/helixpublishwitharcade.proj @@ -875,6 +875,11 @@ + + + $(HelixPreCommands);codesign -s - -f --preserve-metadata=entitlements $HELIX_CORRELATION_PAYLOAD/createdump + +