From 57678512d214af368ff055f358c5106f1aa19ac4 Mon Sep 17 00:00:00 2001 From: Mike McLaughlin Date: Fri, 7 Aug 2020 15:21:30 -0700 Subject: [PATCH] Sign and add entitlements to createdump and host binaries (#40485) Sign and add entitlements to createdump and host binaries Enables createdump on MacOS. Part of issue #https://github.com/dotnet/runtime/issues/34916. Don't attempt to sign in a public PR job --- eng/Subsets.props | 2 + eng/pipelines/common/createdump-entitlements.plist | 12 ++++ eng/pipelines/common/entitlements.plist | 18 ++++++ .../common/macos-sign-with-entitlements.yml | 65 ++++++++++++++++++++++ eng/pipelines/coreclr/templates/build-job.yml | 22 ++++++++ eng/pipelines/installer/jobs/base-job.yml | 27 ++++++++- 6 files changed, 143 insertions(+), 3 deletions(-) create mode 100644 eng/pipelines/common/createdump-entitlements.plist create mode 100644 eng/pipelines/common/entitlements.plist create mode 100644 eng/pipelines/common/macos-sign-with-entitlements.yml diff --git a/eng/Subsets.props b/eng/Subsets.props index 293b591..f7f61f9 100644 --- a/eng/Subsets.props +++ b/eng/Subsets.props @@ -70,6 +70,7 @@ <_subset>$(_subset.Replace('+mono+', '+$(DefaultMonoSubsets)+')) <_subset>$(_subset.Replace('+libs+', '+$(DefaultLibrariesSubsets)+')) <_subset>$(_subset.Replace('+installer+', '+$(DefaultInstallerSubsets)+')) + <_subset>$(_subset.Replace('+installer.nocorehost+', '+$(DefaultInstallerSubsets.Replace('corehost+', ''))+')) <_subset>+$(_subset.Trim('+'))+ @@ -106,6 +107,7 @@ + diff --git a/eng/pipelines/common/createdump-entitlements.plist b/eng/pipelines/common/createdump-entitlements.plist new file mode 100644 index 0000000..1f2d379 --- /dev/null +++ b/eng/pipelines/common/createdump-entitlements.plist @@ -0,0 +1,12 @@ + + + + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.disable-library-validation + + com.apple.security.cs.debugger + + + 
diff --git a/eng/pipelines/common/entitlements.plist b/eng/pipelines/common/entitlements.plist
new file mode 100644
index 0000000..f4ea418
--- /dev/null
+++ b/eng/pipelines/common/entitlements.plist
@@ -0,0 +1,18 @@
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+ com.apple.security.cs.disable-library-validation
+
+ com.apple.security.cs.debugger
+
+ com.apple.security.get-task-allow
+
+
+
diff --git a/eng/pipelines/common/macos-sign-with-entitlements.yml b/eng/pipelines/common/macos-sign-with-entitlements.yml
new file mode 100644
index 0000000..6c65193
--- /dev/null
+++ b/eng/pipelines/common/macos-sign-with-entitlements.yml
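Review bot: entitlements.plist grants `com.apple.security.get-task-allow` and `com.apple.security.cs.debugger` next to the JIT and library-validation exceptions, and the base-job.yml hunk later in this patch applies this same file to the shipped `dotnet` and `apphost` binaries, not only to the test-only `corerun`. As I understand it, `get-task-allow` marks the process as debuggable so other same-user processes can attach and read its memory, and it is also one of the entitlements Apple's notarization service is documented to reject, so the shipped hosts probably need a narrower plist than the one corerun gets. The file carries no explanation of why each key is required; an XML comment per key, e.g. `<!-- allow-jit / allow-unsigned-executable-memory: needed by the runtime JIT under the hardened runtime -->`, would make later trimming safer. The same documentation point applies to createdump-entitlements.plist in the previous hunk, whose `cs.debugger` grant is the one createdump actually needs to attach. Only the keys are legible in this rendering, so the `<true/>` values are assumed.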
@@ -0,0 +1,65 @@
+parameters:
+ filesToSign: []
+
+steps:
+ - task: UseDotNet@2
+ displayName: 'Use .NET Core SDK 2.1.808'
+ inputs:
+ packageType: sdk
+ version: 2.1.808
+
+ - ${{ each file in parameters.filesToSign }}:
+ - script: codesign -s - -f --entitlements ${{ file.entitlementsFile }} ${{ file.path }}/${{ file.name }}
+ displayName: 'Add entitlements to ${{ file.name }}'
+
+ - task: CopyFiles@2
+ displayName: 'Copy entitled file ${{ file.name }}'
+ inputs:
+ contents: '${{ file.path }}/${{ file.name }}'
+ targetFolder: '$(Build.ArtifactStagingDirectory)/mac_entitled'
+ overWrite: true
+
+ - task: ArchiveFiles@2
+ displayName: 'Zip MacOS files for signing'
+ inputs:
+ rootFolderOrFile: '$(Build.ArtifactStagingDirectory)/mac_entitled'
+ archiveFile: '$(Build.ArtifactStagingDirectory)/mac_entitled_to_sign.zip'
+ archiveType: zip
+ includeRootFolder: true
+ replaceExistingArchive: true
+
+ - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+ displayName: 'ESRP CodeSigning'
+ inputs:
+ ConnectedServiceName: 'ESRP CodeSigning'
+ FolderPath: '$(Build.ArtifactStagingDirectory)/'
+ Pattern: 'mac_entitled_to_sign.zip'
+ UseMinimatch: true
+ signConfigType: inlineSignParams
+ inlineOperation: |
+ [
+ {
+ "keyCode": "CP-401337-Apple",
+ "operationCode": "MacAppDeveloperSign",
+ "parameters" : {
+ "hardening": "Enable"
+ },
+ "toolName": "sign",
+ "toolVersion": "1.0"
+ }
+ ]
+
+ - task: ExtractFiles@1
+ displayName: 'Extract MacOS after signing'
+ inputs:
+ archiveFilePatterns: '$(Build.ArtifactStagingDirectory)/mac_entitled_to_sign.zip'
+ destinationFolder: '$(Build.ArtifactStagingDirectory)/mac_entitled_signed'
+
+ - ${{ each file in parameters.filesToSign }}:
+ - task: CopyFiles@2
+ displayName: 'Copy ${{ file.name }} to destination'
+ inputs:
+ contents: ${{ file.name }}
+ sourceFolder: '$(Build.ArtifactStagingDirectory)/mac_entitled_signed'
+ targetFolder: '${{ file.path }}'
+ overWrite: true
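Review bot: Nothing in the template checks the binaries after the signed zip is extracted and copied back, and as far as I know CopyFiles@2 does not fail when its pattern matches nothing, so a file that ESRP dropped or re-signed without its entitlements would leave the build output silently unsigned or mis-entitled. Add a verification step after the final CopyFiles@2 inside the second `${{ each }}` loop: `- script: codesign --verify --strict --verbose=2 ${{ file.path }}/${{ file.name }} && codesign -d --entitlements :- ${{ file.path }}/${{ file.name }}` with `displayName: 'Verify signature and entitlements of ${{ file.name }}'`. The `codesign -s - -f` line produces only an ad-hoc signature, so its purpose appears to be carrying the entitlements into the `hardening: Enable` re-sign; whether that re-sign preserves them is not visible from here and is exactly what the verification step would catch. A comment above that line, `# ad-hoc signature only carries the entitlements; ESRP replaces it below`, would record the intent.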
diff --git a/eng/pipelines/coreclr/templates/build-job.yml b/eng/pipelines/coreclr/templates/build-job.yml
index f2b45e8..f56c06f 100644
--- a/eng/pipelines/coreclr/templates/build-job.yml
+++ b/eng/pipelines/coreclr/templates/build-job.yml
@@ -167,6 +167,28 @@ jobs:
 - script: $(coreClrRepoRootDir)build-test$(scriptExt) skipstressdependencies skipmanaged skipgeneratelayout $(buildConfig) $(archType) $(crossArg) $(osArg) $(priorityArg) $(compilerArg)
 displayName: Build native test components
+ # Sign and add entitlements to these MacOS binaries
+ - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+ - ${{ if eq(parameters.osGroup, 'OSX') }}:
+
+ - template: /eng/pipelines/common/macos-sign-with-entitlements.yml
+ parameters:
+ filesToSign:
+ - name: createdump
+ path: $(buildProductRootFolderPath)
+ entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/createdump-entitlements.plist
+ - name: corerun
+ path: $(buildProductRootFolderPath)
+ entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
+
+ - task: CopyFiles@2
+ displayName: 'Copy signed createdump to sharedFramework'
+ inputs:
+ contents: createdump
+ sourceFolder: $(buildProductRootFolderPath)
+ targetFolder: $(buildProductRootFolderPath)/sharedFramework
+ overWrite: true
+
 # Sign on Windows
 - ${{ if and(eq(parameters.osGroup, 'Windows_NT'), eq(parameters.signBinaries, 'true'), ne(parameters.testGroup, 'clrTools')) }}:
 - powershell: eng\common\build.ps1 -ci -sign -restore -configuration:$(buildConfig) -warnaserror:0 /p:ArcadeBuild=true /p:OfficialBuild=true /p:TargetOS=$(osGroup) /p:TargetArchitecture=$(archType) /p:Configuration=$(_BuildConfig) /p:DotNetSignType=$env:_SignType -projects $(Build.SourcesDirectory)\eng\empty.csproj
diff --git a/eng/pipelines/installer/jobs/base-job.yml b/eng/pipelines/installer/jobs/base-job.yml
index b74bf18..9ad5650 100644
--- a/eng/pipelines/installer/jobs/base-job.yml
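Review bot: The new macOS signing block is gated only on `System.TeamProject` and `Build.Reason`, while the Windows signing condition a few lines below also requires `eq(parameters.signBinaries, 'true')`; unless signBinaries is meant to be Windows-only, the OSX branch should carry the same check so jobs that opt out of signing are honored, e.g. `- ${{ if and(eq(parameters.osGroup, 'OSX'), eq(parameters.signBinaries, 'true')) }}:`. The TeamProject/PullRequest guard is also duplicated verbatim in the base-job.yml hunk at the end of this patch; moving it inside macos-sign-with-entitlements.yml would keep the two call sites from drifting. A short comment such as `# ESRP signing needs a service connection that public and PR jobs do not have` would explain why the guard exists, assuming that is the reason.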
+++ b/eng/pipelines/installer/jobs/base-job.yml
@@ -132,7 +132,7 @@ jobs:
 - name: BaseJobBuildCommand
 value: >-
- $(Build.SourcesDirectory)/build.sh -subset installer -ci
+ $(Build.SourcesDirectory)/build.sh -ci
 $(BuildAction)
 -configuration $(_BuildConfig)
 $(LiveOverridePathArgs)
@@ -456,8 +456,29 @@ jobs:
 df -h
 displayName: Disk Usage before Build
- - script: $(BaseJobBuildCommand)
- displayName: Build
+ # Build the default subset non-MacOS platforms
+ - ${{ if ne(parameters.osGroup, 'OSX') }}:
+ - script: $(BaseJobBuildCommand)
+ displayName: Build
+
+ # Build corehost, sign and add entitlements to MacOS binaries
+ - ${{ if eq(parameters.osGroup, 'OSX') }}:
+ - script: $(BaseJobBuildCommand) -subset corehost
+ displayName: Build CoreHost
+
+ - ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+ - template: /eng/pipelines/common/macos-sign-with-entitlements.yml
+ parameters:
+ filesToSign:
+ - name: dotnet
+ path: $(Build.SourcesDirectory)/artifacts/bin/osx-${{ parameters.archType }}.$(_BuildConfig)/corehost
+ entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
+ - name: apphost
+ path: $(Build.SourcesDirectory)/artifacts/bin/osx-${{ parameters.archType }}.$(_BuildConfig)/corehost
+ entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
+
+ - script: $(BaseJobBuildCommand) -subset installer.nocorehost
+ displayName: Build and Package
 - ${{ if in(parameters.osGroup, 'OSX', 'iOS','tvOS') }}:
 - script: |
-- 2.7.4
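Review bot: The first hunk removes `-subset installer` from BaseJobBuildCommand, and the non-OSX branch in the second hunk then runs `$(BaseJobBuildCommand)` with no `-subset` at all, so those jobs now build whatever build.sh's default subset is instead of the installer subset they built before. If that default is broader than `installer`, every non-macOS installer job gets slower and produces unrelated artifacts; preserving the old behavior is a one-line change under the `ne(parameters.osGroup, 'OSX')` branch, `- script: $(BaseJobBuildCommand) -subset installer`. The default is not visible from this hunk, so please confirm it against Subsets.props before merging.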