Sign and add entitlements to createdump and host binaries (#40485)
authorMike McLaughlin <mikem@microsoft.com>
Fri, 7 Aug 2020 22:21:30 +0000 (15:21 -0700)
committerGitHub <noreply@github.com>
Fri, 7 Aug 2020 22:21:30 +0000 (15:21 -0700)
Sign and add entitlements to createdump and host binaries

Enables createdump on MacOS.

Part of issue https://github.com/dotnet/runtime/issues/34916.

Don't attempt to sign in a public PR job

eng/Subsets.props
eng/pipelines/common/createdump-entitlements.plist [new file with mode: 0644]
eng/pipelines/common/entitlements.plist [new file with mode: 0644]
eng/pipelines/common/macos-sign-with-entitlements.yml [new file with mode: 0644]
eng/pipelines/coreclr/templates/build-job.yml
eng/pipelines/installer/jobs/base-job.yml

index 293b591..f7f61f9 100644 (file)
@@ -70,6 +70,7 @@
     <_subset>$(_subset.Replace('+mono+', '+$(DefaultMonoSubsets)+'))</_subset>
     <_subset>$(_subset.Replace('+libs+', '+$(DefaultLibrariesSubsets)+'))</_subset>
     <_subset>$(_subset.Replace('+installer+', '+$(DefaultInstallerSubsets)+'))</_subset>
+    <_subset>$(_subset.Replace('+installer.nocorehost+', '+$(DefaultInstallerSubsets.Replace('corehost+', ''))+'))</_subset>
 
     <!-- Surround _subset in dashes to simplify checks below -->
     <_subset>+$(_subset.Trim('+'))+</_subset>
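Review bot: The new `installer.nocorehost` expansion removes the hosts with `Replace('corehost+', '')`, which only works while `corehost` is followed by another entry in `DefaultInstallerSubsets`; if that list is ever reordered so `corehost` comes last, the trailing `+` is absent and the subset silently keeps building the hosts. Since `_subset` is bracketed with `+` a few lines later, a delimiter-aware replacement (matching `+corehost+` on the bracketed list and replacing it with a single `+`) would not depend on position. Failing that, a comment such as `<!-- Relies on corehost not being the last entry of DefaultInstallerSubsets -->` should record the assumption. `DefaultInstallerSubsets` itself is outside the hunk, so I cannot confirm its current order.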
     <!-- Installer -->
     <SubsetName Include="Installer" Description="The .NET Core hosts, hosting libraries, bundles, and installers. Includes these projects' tests." />
     <SubsetName Include="CoreHost" Description="The .NET Core hosts." />
+    <SubsetName Include="Installer.NoCoreHost" Description="Hosting libraries, bundles, and installers. Includes these projects' tests." />
     <SubsetName Include="Installer.Managed" Description="The managed .NET hosting projects. This includes HostModel." />
     <SubsetName Include="Installer.DepProjs" Description="The dependency projects. These gather shared framework files and run crossgen on them to turn them into ready-to-run (R2R) assemblies for the current platform." />
     <SubsetName Include="Installer.PkgProjs" Description="The packaging projects. These produce NETCoreApp assets: NuGet packages, installers, zips, and Linux packages." />
diff --git a/eng/pipelines/common/createdump-entitlements.plist b/eng/pipelines/common/createdump-entitlements.plist
new file mode 100644 (file)
index 0000000..1f2d379
--- /dev/null
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+      <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+      <true/>
+    <key>com.apple.security.cs.debugger</key>
+      <true/>
+  </dict>
+</plist>
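Review bot: None of the three entitlements carries a justification, yet each one reopens part of the hardened runtime that the ESRP step in this commit enables (`"hardening": "Enable"`): `allow-dyld-environment-variables` lets `DYLD_*` variables influence the signed process, `disable-library-validation` lets it load libraries not signed by Apple or the same team, and `debugger` lets it attach to other processes. Because createdump is copied into sharedFramework by build-job.yml in this commit, a later reader needs to know which createdump behaviour each key supports and whether it can be removed; an XML comment per key such as `<!-- Needed for: <reason> -->` would do. The first two deserve explicit reasons since they weaken loader checks rather than grant a capability; if only the debugger entitlement turns out to be exercised, they should be dropped rather than documented.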
diff --git a/eng/pipelines/common/entitlements.plist b/eng/pipelines/common/entitlements.plist
new file mode 100644 (file)
index 0000000..f4ea418
--- /dev/null
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+      <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+      <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+      <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+      <true/>
+    <key>com.apple.security.cs.debugger</key>
+      <true/>
+    <key>com.apple.security.get-task-allow</key>
+      <true/>
+  </dict>
+</plist>
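Review bot: `com.apple.security.get-task-allow` and `com.apple.security.cs.debugger` go beyond what a hosting binary needs to run managed code — the first lets any process running as the same user obtain the task port of the signed binary (read and write its memory), the second lets the binary attach to other processes — and this commit applies the file to `dotnet` and `apphost` (base-job.yml) as well as to `corerun` (build-job.yml). If `dotnet` and `apphost` are the shipped hosts, consider a separate minimal entitlements file for them (JIT, unsigned executable memory, and whatever else is demonstrably required) and keep get-task-allow/debugger for test-only binaries such as corerun. As far as I recall, Apple's notarization checks also reject distributed executables that carry get-task-allow, so this may surface later as a release blocker. At minimum, a per-key XML comment stating why each entitlement is needed would make the file reviewable.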
diff --git a/eng/pipelines/common/macos-sign-with-entitlements.yml b/eng/pipelines/common/macos-sign-with-entitlements.yml
new file mode 100644 (file)
index 0000000..6c65193
--- /dev/null
@@ -0,0 +1,65 @@
+parameters:
+  filesToSign: []
+
+steps:
+  - task: UseDotNet@2
+    displayName: 'Use .NET Core SDK 2.1.808'
+    inputs:
+      packageType: sdk
+      version: 2.1.808
+
+  - ${{ each file in parameters.filesToSign }}:
+    - script: codesign -s - -f --entitlements ${{ file.entitlementsFile }} ${{ file.path }}/${{ file.name }}
+      displayName: 'Add entitlements to ${{ file.name }}'
+
+    - task: CopyFiles@2
+      displayName: 'Copy entitled file ${{ file.name }}'
+      inputs:
+        contents: '${{ file.path }}/${{ file.name }}'
+        targetFolder: '$(Build.ArtifactStagingDirectory)/mac_entitled'
+        overWrite: true
+
+  - task: ArchiveFiles@2
+    displayName: 'Zip MacOS files for signing'
+    inputs:
+      rootFolderOrFile:  '$(Build.ArtifactStagingDirectory)/mac_entitled'
+      archiveFile:       '$(Build.ArtifactStagingDirectory)/mac_entitled_to_sign.zip'
+      archiveType:       zip
+      includeRootFolder: true
+      replaceExistingArchive: true
+
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+    displayName: 'ESRP CodeSigning'
+    inputs:
+      ConnectedServiceName: 'ESRP CodeSigning'
+      FolderPath: '$(Build.ArtifactStagingDirectory)/'
+      Pattern: 'mac_entitled_to_sign.zip'
+      UseMinimatch: true
+      signConfigType: inlineSignParams
+      inlineOperation: |
+        [
+          {
+            "keyCode": "CP-401337-Apple",
+            "operationCode": "MacAppDeveloperSign",
+            "parameters" : {
+              "hardening": "Enable"
+            },
+            "toolName": "sign",
+            "toolVersion": "1.0"
+          }
+        ]  
+
+  - task: ExtractFiles@1
+    displayName: 'Extract MacOS after signing'
+    inputs:
+      archiveFilePatterns: '$(Build.ArtifactStagingDirectory)/mac_entitled_to_sign.zip'
+      destinationFolder: '$(Build.ArtifactStagingDirectory)/mac_entitled_signed'
+
+  - ${{ each file in parameters.filesToSign }}:
+    - task: CopyFiles@2
+      displayName: 'Copy ${{ file.name }} to destination'
+      inputs:
+        contents: ${{ file.name }}
+        sourceFolder: '$(Build.ArtifactStagingDirectory)/mac_entitled_signed'
+        targetFolder: '${{ file.path }}'
+        overWrite: true
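Review bot: The archive is built with `includeRootFolder: true`, so after ExtractFiles the signed binaries sit under `mac_entitled_signed/mac_entitled/`, yet the final CopyFiles step matches `contents: ${{ file.name }}` directly under `mac_entitled_signed`; unless ESRP rewrites the zip layout, nothing is copied back and the unsigned, ad-hoc-signed binaries remain in place without any step failing. Either set `includeRootFolder: false` or change the last step to `sourceFolder: '$(Build.ArtifactStagingDirectory)/mac_entitled_signed/mac_entitled'`, and consider a `codesign --verify --strict` check on each copied-back file so a silent no-op fails the job. Separately, the codesign script line leaves its paths unquoted; `codesign -s - -f --entitlements '${{ file.entitlementsFile }}' '${{ file.path }}/${{ file.name }}'` avoids breaking on a path with spaces.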
index f2b45e8..f56c06f 100644 (file)
@@ -167,6 +167,28 @@ jobs:
       - script: $(coreClrRepoRootDir)build-test$(scriptExt) skipstressdependencies skipmanaged skipgeneratelayout $(buildConfig) $(archType) $(crossArg) $(osArg) $(priorityArg) $(compilerArg)
         displayName: Build native test components
 
+    # Sign and add entitlements to these MacOS binaries
+    - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+      - ${{ if eq(parameters.osGroup, 'OSX') }}:
+
+        - template: /eng/pipelines/common/macos-sign-with-entitlements.yml
+          parameters:
+            filesToSign: 
+            - name: createdump
+              path: $(buildProductRootFolderPath)
+              entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/createdump-entitlements.plist
+            - name: corerun
+              path: $(buildProductRootFolderPath)
+              entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
+
+        - task: CopyFiles@2
+          displayName: 'Copy signed createdump to sharedFramework'
+          inputs:
+            contents: createdump
+            sourceFolder: $(buildProductRootFolderPath)
+            targetFolder: $(buildProductRootFolderPath)/sharedFramework
+            overWrite: true
+
     # Sign on Windows
     - ${{ if and(eq(parameters.osGroup, 'Windows_NT'), eq(parameters.signBinaries, 'true'), ne(parameters.testGroup, 'clrTools')) }}:
       - powershell: eng\common\build.ps1 -ci -sign -restore -configuration:$(buildConfig) -warnaserror:0 /p:ArcadeBuild=true /p:OfficialBuild=true /p:TargetOS=$(osGroup) /p:TargetArchitecture=$(archType) /p:Configuration=$(_BuildConfig) /p:DotNetSignType=$env:_SignType -projects $(Build.SourcesDirectory)\eng\empty.csproj
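Review bot: The MacOS signing block is gated only on team project and build reason, whereas the Windows signing block two lines below also requires `eq(parameters.signBinaries, 'true')`; as written every internal non-PR OSX build of every testGroup invokes the ESRP service. If that is intentional (entitlements are wanted on all internal test runs), a comment saying so would help, otherwise add the same `signBinaries` condition for consistency: `- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), eq(parameters.signBinaries, 'true')) }}:`. Note that in the public/PR path no copy to sharedFramework happens at all, so whichever createdump the build itself placed there is what tests see; I cannot tell from the hunk whether that is the intended fallback.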
index b74bf18..9ad5650 100644 (file)
@@ -132,7 +132,7 @@ jobs:
 
     - name: BaseJobBuildCommand
       value: >-
-        $(Build.SourcesDirectory)/build.sh -subset installer -ci
+        $(Build.SourcesDirectory)/build.sh -ci
         $(BuildAction)
         -configuration $(_BuildConfig)
         $(LiveOverridePathArgs)
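Review bot: Dropping `-subset installer` from `BaseJobBuildCommand` changes what the non-OSX `Build` step in the second hunk (`- script: $(BaseJobBuildCommand)`) builds: no subset is passed there any more, so unless `$(BuildAction)` or another argument outside this hunk supplies one, build.sh falls back to its default subset rather than `installer`. If the intent is that non-OSX jobs keep building `installer`, the step should read `- script: $(BaseJobBuildCommand) -subset installer`, mirroring the explicit `-subset corehost` / `-subset installer.nocorehost` used on the OSX path. The variable definition continues outside the hunk, so a subset may be appended later; worth confirming.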
@@ -456,8 +456,29 @@ jobs:
         df -h
       displayName: Disk Usage before Build
 
-  - script: $(BaseJobBuildCommand)
-    displayName: Build
+  # Build the default subset non-MacOS platforms
+  - ${{ if ne(parameters.osGroup, 'OSX') }}:
+    - script: $(BaseJobBuildCommand)
+      displayName: Build
+
+  # Build corehost, sign and add entitlements to MacOS binaries
+  - ${{ if eq(parameters.osGroup, 'OSX') }}:
+    - script: $(BaseJobBuildCommand) -subset corehost
+      displayName: Build CoreHost
+
+    - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+      - template: /eng/pipelines/common/macos-sign-with-entitlements.yml
+        parameters:
+          filesToSign: 
+          - name: dotnet
+            path: $(Build.SourcesDirectory)/artifacts/bin/osx-${{ parameters.archType }}.$(_BuildConfig)/corehost
+            entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
+          - name: apphost
+            path: $(Build.SourcesDirectory)/artifacts/bin/osx-${{ parameters.archType }}.$(_BuildConfig)/corehost
+            entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
+
+    - script: $(BaseJobBuildCommand) -subset installer.nocorehost
+      displayName: Build and Package
 
   - ${{ if in(parameters.osGroup, 'OSX', 'iOS','tvOS') }}: 
     - script: |