From f85ba862784274662cc19cbf808d7fe2efbdbb31 Mon Sep 17 00:00:00 2001 From: Jeremy Koritzinsky Date: Tue, 3 Oct 2023 15:08:58 -0700 Subject: [PATCH 1/2] Entitle macos executables while building and ad-hoc re-sign on Helix This moves the entitlement process into the CMake build, reducing how much we do in YAML. It also enables us to get a usable createdump on Helix so we can collect crash dumps on macOS. --- .../common => native}/createdump-entitlements.plist | 0 eng/{pipelines/common => native}/entitlements.plist | 0 .../common/macos-sign-with-entitlements.yml | 5 +---- eng/pipelines/coreclr/templates/build-job.yml | 2 -- eng/pipelines/installer/jobs/build-job.yml | 2 -- src/coreclr/debug/createdump/CMakeLists.txt | 10 ++++++++++ src/coreclr/hosts/corerun/CMakeLists.txt | 12 +++++++++++- src/libraries/sendtohelixhelp.proj | 8 ++++++++ .../corehost/apphost/standalone/CMakeLists.txt | 10 ++++++++++ src/native/corehost/dotnet/CMakeLists.txt | 10 ++++++++++ src/tests/Common/helixpublishwitharcade.proj | 5 +++++ 11 files changed, 55 insertions(+), 9 deletions(-) rename eng/{pipelines/common => native}/createdump-entitlements.plist (100%) rename eng/{pipelines/common => native}/entitlements.plist (100%) diff --git a/eng/pipelines/common/createdump-entitlements.plist b/eng/native/createdump-entitlements.plist similarity index 100% rename from eng/pipelines/common/createdump-entitlements.plist rename to eng/native/createdump-entitlements.plist diff --git a/eng/pipelines/common/entitlements.plist b/eng/native/entitlements.plist similarity index 100% rename from eng/pipelines/common/entitlements.plist rename to eng/native/entitlements.plist diff --git a/eng/pipelines/common/macos-sign-with-entitlements.yml b/eng/pipelines/common/macos-sign-with-entitlements.yml index 4879c5410ea0bd..cf31a32da371e2 100644 --- a/eng/pipelines/common/macos-sign-with-entitlements.yml +++ b/eng/pipelines/common/macos-sign-with-entitlements.yml 
@@ -11,9 +11,6 @@ steps: installationPath: '$(Agent.TempDirectory)/dotnet' - ${{ each file in parameters.filesToSign }}: - - script: codesign -s - -f --entitlements ${{ file.entitlementsFile }} ${{ file.path }}/${{ file.name }} - displayName: 'Add entitlements to ${{ file.name }}' - - task: CopyFiles@2 displayName: 'Copy entitled file ${{ file.name }}' inputs: @@ -49,7 +46,7 @@ steps: "toolName": "sign", "toolVersion": "1.0" } - ] + ] SessionTimeout: ${{ parameters.timeoutInMinutes }} MaxConcurrency: '50' MaxRetryAttempts: '5' diff --git a/eng/pipelines/coreclr/templates/build-job.yml b/eng/pipelines/coreclr/templates/build-job.yml index 655de0091457c2..d8c7b5f71b3edc 100644 --- a/eng/pipelines/coreclr/templates/build-job.yml +++ b/eng/pipelines/coreclr/templates/build-job.yml @@ -197,10 +197,8 @@ jobs: filesToSign: - name: createdump path: $(buildProductRootFolderPath) - entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/createdump-entitlements.plist - name: corerun path: $(buildProductRootFolderPath) - entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist - task: CopyFiles@2 displayName: 'Copy signed createdump to sharedFramework' diff --git a/eng/pipelines/installer/jobs/build-job.yml b/eng/pipelines/installer/jobs/build-job.yml index 70f7656e611a18..fec8b7185442b3 100644 --- a/eng/pipelines/installer/jobs/build-job.yml +++ b/eng/pipelines/installer/jobs/build-job.yml 
@@ -357,10 +357,8 @@ jobs: filesToSign: - name: dotnet path: $(Build.SourcesDirectory)/artifacts/bin/osx-${{ parameters.archType }}.$(_BuildConfig)/corehost - entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist - name: apphost path: $(Build.SourcesDirectory)/artifacts/bin/osx-${{ parameters.archType }}.$(_BuildConfig)/corehost - entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist - script: $(BaseJobBuildCommand) -subset host.pkg+host.tools+host.pretest+host.tests+packs displayName: Build and Package diff --git a/src/coreclr/debug/createdump/CMakeLists.txt b/src/coreclr/debug/createdump/CMakeLists.txt index c108586ca05108..66c697c95c02b4 100644 --- a/src/coreclr/debug/createdump/CMakeLists.txt +++ b/src/coreclr/debug/createdump/CMakeLists.txt @@ -106,4 +106,14 @@ endif(CLR_CMAKE_HOST_OSX) endif(CLR_CMAKE_HOST_WIN32) +if (CLR_CMAKE_HOST_APPLE) + # Add a dependency on the entitlements file to ensure that createdump is rebuilt if only the entitlements file changes. + set_source_files_properties(main.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist) + + add_custom_command( + TARGET createdump + POST_BUILD + COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist $) +endif() + install_clr(TARGETS createdump DESTINATIONS . sharedFramework COMPONENT runtime) diff --git a/src/coreclr/hosts/corerun/CMakeLists.txt b/src/coreclr/hosts/corerun/CMakeLists.txt index 9540fc3b006b9d..52cf6e7772e9be 100644 --- a/src/coreclr/hosts/corerun/CMakeLists.txt +++ b/src/coreclr/hosts/corerun/CMakeLists.txt 
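Review bot: The added `add_custom_command(TARGET createdump POST_BUILD COMMAND codesign …)` has no `VERBATIM` and passes `${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist` unquoted, so a checkout path containing a space or a shell metacharacter can be split or reinterpreted when the signing step runs. I would quote the path as `"${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist"` and end the command with `VERBATIM`. `codesign` is also looked up by bare name on the build's PATH each time it runs; resolving it once at configure time with `find_program` would record in the cache which binary signs the hosts. The same applies to the corerun, apphost and dotnet hunks of this patch and to `adhoc_sign_with_entitlements` in eng/native/functions.cmake (patch 2/2).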
@@ -38,9 +38,19 @@ else(CLR_CMAKE_HOST_WIN32) endif() endif(CLR_CMAKE_HOST_WIN32) +if (CLR_CMAKE_HOST_APPLE) + # Add a dependency on the entitlements file to ensure that corerun is rebuilt if only the entitlements file changes. + set_source_files_properties(corerun.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/entitlements.plist) + + add_custom_command( + TARGET corerun + POST_BUILD + COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/entitlements.plist $) +endif() + install_clr(TARGETS corerun DESTINATIONS . COMPONENT hosts) # If there's a dynamic ASAN runtime, then install it in the directory where we put our executable. if (NOT "${ASAN_RUNTIME}" STREQUAL "") install(FILES ${ASAN_RUNTIME} DESTINATION .) -endif() \ No newline at end of file +endif() diff --git a/src/libraries/sendtohelixhelp.proj b/src/libraries/sendtohelixhelp.proj index e962f493b2c167..6983418b1ff5f1 100644 --- a/src/libraries/sendtohelixhelp.proj +++ b/src/libraries/sendtohelixhelp.proj @@ -261,6 +261,14 @@ + + + + $(HelixPreCommands); + find $HELIX_CORRELATION_PAYLOAD -name createdump | xargs -n 1 codesign -s - -f --preserve-metadata=entitlements + + + diff --git a/src/native/corehost/apphost/standalone/CMakeLists.txt b/src/native/corehost/apphost/standalone/CMakeLists.txt index b682fd9ebaed8d..7ca43ab2c006f9 100644 --- a/src/native/corehost/apphost/standalone/CMakeLists.txt +++ b/src/native/corehost/apphost/standalone/CMakeLists.txt 
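Review bot: The pre-command added in src/libraries/sendtohelixhelp.proj, `find $HELIX_CORRELATION_PAYLOAD -name createdump | xargs -n 1 codesign …`, expands the payload path unquoted and has no `-type f`, so a payload directory containing whitespace is word-split and a directory named createdump would also be handed to codesign. Suggested: `find "$HELIX_CORRELATION_PAYLOAD" -type f -name createdump -exec codesign -s - -f --preserve-metadata=entitlements {} +`, where the `+` form avoids a `;` that HelixPreCommands appears to use as its separator. `--preserve-metadata=entitlements` re-signs with whatever entitlements the payload copy already carries, so a comment stating that the plist applied at build time is the only intended source would help the next reader. The hard-coded `$HELIX_CORRELATION_PAYLOAD/createdump` added in src/tests/Common/helixpublishwitharcade.proj has the same quoting gap. The surrounding MSBuild elements are not visible on this page, so the condition that limits these commands to macOS queues could not be checked.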
@@ -52,3 +52,13 @@ endif() if (CLR_CMAKE_TARGET_WIN32 AND CLR_CMAKE_TARGET_ARCH_ARM64) target_link_libraries(apphost PRIVATE shell32.lib) endif() + +if (CLR_CMAKE_HOST_APPLE) + # Add a dependency on the entitlements file to ensure that apphost is rebuilt if only the entitlements file changes. + set_source_files_properties(hostfxr_resolver.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/entitlements.plist) + + add_custom_command( + TARGET apphost + POST_BUILD + COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/entitlements.plist $) +endif() diff --git a/src/native/corehost/dotnet/CMakeLists.txt b/src/native/corehost/dotnet/CMakeLists.txt index 986a09b253252a..db9b8c881e47bf 100644 --- a/src/native/corehost/dotnet/CMakeLists.txt +++ b/src/native/corehost/dotnet/CMakeLists.txt @@ -15,3 +15,13 @@ list(APPEND SOURCES ) include(../exe.cmake) + +if (CLR_CMAKE_HOST_APPLE) + # Add a dependency on the entitlements file to ensure that dotnet is rebuilt if only the entitlements file changes. + set_source_files_properties(../apphost/standalone/hostfxr_resolver.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/entitlements.plist) + + add_custom_command( + TARGET dotnet + POST_BUILD + COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/entitlements.plist $) +endif() diff --git a/src/tests/Common/helixpublishwitharcade.proj b/src/tests/Common/helixpublishwitharcade.proj index 41e2e6809ffc99..9a61470acd450f 100644 --- a/src/tests/Common/helixpublishwitharcade.proj +++ b/src/tests/Common/helixpublishwitharcade.proj 
@@ -875,6 +875,11 @@ + + + $(HelixPreCommands);codesign -s - -f --preserve-metadata=entitlements $HELIX_CORRELATION_PAYLOAD/createdump + + Date: Wed, 4 Oct 2023 13:47:24 -0700 Subject: [PATCH 2/2] Refactor into a function --- eng/native/functions.cmake | 13 +++++++++++++ src/coreclr/debug/createdump/CMakeLists.txt | 8 +------- src/coreclr/hosts/corerun/CMakeLists.txt | 8 +------- .../corehost/apphost/standalone/CMakeLists.txt | 8 +------- src/native/corehost/dotnet/CMakeLists.txt | 8 +------- 5 files changed, 17 insertions(+), 28 deletions(-) diff --git a/eng/native/functions.cmake b/eng/native/functions.cmake index c9f8a619a52913..543722a9c0a59e 100644 --- a/eng/native/functions.cmake +++ b/eng/native/functions.cmake @@ -649,3 +649,16 @@ function(add_library_clr targetName kind) strip_symbols(${ARGV0} symbolFile) endif() endfunction() + +# Adhoc sign targetName with the entitlements in entitlementsFile. +function(adhoc_sign_with_entitlements targetName entitlementsFile) + # Add a dependency from a source file for the target on the entitlements file to ensure that the target is rebuilt if only the entitlements file changes. + get_target_property(sources ${targetName} SOURCES) + list(GET sources 0 firstSource) + set_source_files_properties(${firstSource} PROPERTIES OBJECT_DEPENDS ${entitlementsFile}) + + add_custom_command( + TARGET ${targetName} + POST_BUILD + COMMAND codesign -s - -f --entitlements ${entitlementsFile} $) +endfunction() diff --git a/src/coreclr/debug/createdump/CMakeLists.txt b/src/coreclr/debug/createdump/CMakeLists.txt index 66c697c95c02b4..14475eea5f5fb8 100644 --- a/src/coreclr/debug/createdump/CMakeLists.txt +++ b/src/coreclr/debug/createdump/CMakeLists.txt 
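Review bot: In `adhoc_sign_with_entitlements`, `list(GET sources 0 firstSource)` assumes the first SOURCES entry is a compiled file whose properties are visible from the calling directory; if it is a header, a generator expression or `sources-NOTFOUND`, the `OBJECT_DEPENDS` has no effect and nothing reports it. In that case an edit that removes an entitlement from the plist does not re-sign an incremental build, and the binary keeps the older, broader entitlements. `set_source_files_properties(... OBJECT_DEPENDS ...)` also replaces any `OBJECT_DEPENDS` already set on that file. Tying the dependency to the link step avoids guessing a source: `set_property(TARGET ${targetName} APPEND PROPERTY LINK_DEPENDS "${entitlementsFile}")`.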
@@ -107,13 +107,7 @@ endif(CLR_CMAKE_HOST_OSX) endif(CLR_CMAKE_HOST_WIN32) if (CLR_CMAKE_HOST_APPLE) - # Add a dependency on the entitlements file to ensure that createdump is rebuilt if only the entitlements file changes. - set_source_files_properties(main.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist) - - add_custom_command( - TARGET createdump - POST_BUILD - COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist $) + adhoc_sign_with_entitlements(createdump "${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist") endif() install_clr(TARGETS createdump DESTINATIONS . sharedFramework COMPONENT runtime) diff --git a/src/coreclr/hosts/corerun/CMakeLists.txt b/src/coreclr/hosts/corerun/CMakeLists.txt index 52cf6e7772e9be..8753e0549dccd5 100644 --- a/src/coreclr/hosts/corerun/CMakeLists.txt +++ b/src/coreclr/hosts/corerun/CMakeLists.txt @@ -39,13 +39,7 @@ else(CLR_CMAKE_HOST_WIN32) endif(CLR_CMAKE_HOST_WIN32) if (CLR_CMAKE_HOST_APPLE) - # Add a dependency on the entitlements file to ensure that corerun is rebuilt if only the entitlements file changes. - set_source_files_properties(corerun.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/entitlements.plist) - - add_custom_command( - TARGET corerun - POST_BUILD - COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/entitlements.plist $) + adhoc_sign_with_entitlements(corerun "${CLR_ENG_NATIVE_DIR}/entitlements.plist") endif() install_clr(TARGETS corerun DESTINATIONS . COMPONENT hosts) diff --git a/src/native/corehost/apphost/standalone/CMakeLists.txt b/src/native/corehost/apphost/standalone/CMakeLists.txt index 7ca43ab2c006f9..8a6a23934d85df 100644 --- a/src/native/corehost/apphost/standalone/CMakeLists.txt +++ b/src/native/corehost/apphost/standalone/CMakeLists.txt 
@@ -54,11 +54,5 @@ if (CLR_CMAKE_TARGET_WIN32 AND CLR_CMAKE_TARGET_ARCH_ARM64) endif() if (CLR_CMAKE_HOST_APPLE) - # Add a dependency on the entitlements file to ensure that apphost is rebuilt if only the entitlements file changes. - set_source_files_properties(hostfxr_resolver.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/entitlements.plist) - - add_custom_command( - TARGET apphost - POST_BUILD - COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/entitlements.plist $) + adhoc_sign_with_entitlements(apphost "${CLR_ENG_NATIVE_DIR}/entitlements.plist") endif() diff --git a/src/native/corehost/dotnet/CMakeLists.txt b/src/native/corehost/dotnet/CMakeLists.txt index db9b8c881e47bf..d670b95e879c2a 100644 --- a/src/native/corehost/dotnet/CMakeLists.txt +++ b/src/native/corehost/dotnet/CMakeLists.txt @@ -17,11 +17,5 @@ list(APPEND SOURCES include(../exe.cmake) if (CLR_CMAKE_HOST_APPLE) - # Add a dependency on the entitlements file to ensure that dotnet is rebuilt if only the entitlements file changes. - set_source_files_properties(../apphost/standalone/hostfxr_resolver.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/entitlements.plist) - - add_custom_command( - TARGET dotnet - POST_BUILD - COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/entitlements.plist $) + adhoc_sign_with_entitlements(dotnet "${CLR_ENG_NATIVE_DIR}/entitlements.plist") endif()