Add flag and tests for codesigning single-file bundles targeting MacOS

src/Tasks/Microsoft.NET.Build.Tasks/GenerateBundle.cs

@@ -30,6 +30,7 @@ public class GenerateBundle : TaskBase
         public bool ShowDiagnosticOutput { get; set; }
         [Required]
         public bool EnableCompressionInSingleFile { get; set; }
+        public bool EnableMacOsCodeSign { get; set; } = true;
 
         [Output]
         public ITaskItem[] ExcludedFiles { get; set; }
@@ -66,7 +67,8 @@ protected override void ExecuteCore()
                 targetOS,
                 targetArch,
                 version,
-                ShowDiagnosticOutput);
+                ShowDiagnosticOutput,
+                macosCodesign: EnableMacOsCodeSign);
 
             var fileSpec = new List<FileSpec>(FilesToBundle.Length);
 

src/Tasks/Microsoft.NET.Build.Tasks/targets/Microsoft.NET.Publish.targets

@@ -1138,7 +1138,8 @@ Copyright (c) .NET Foundation. All rights reserved.
                     TargetFrameworkVersion="$(_TargetFrameworkVersionWithoutV)"
                     RuntimeIdentifier="$(RuntimeIdentifier)"
                     OutputDir="$(PublishDir)"
-                    ShowDiagnosticOutput="$(TraceSingleFileBundler)">
+                    ShowDiagnosticOutput="$(TraceSingleFileBundler)"
+                    EnableMacOSCodeSign="$(_EnableMacOSCodeSign)">
       <Output TaskParameter="ExcludedFiles" ItemName="_FilesExcludedFromBundle"/>
     </GenerateBundle>
 

test/Microsoft.NET.Build.Tests/AppHostTests.cs

@@ -3,7 +3,6 @@
 
 #nullable disable
 
-using System.Buffers.Binary;
 using System.Diagnostics;
 using System.Reflection.PortableExecutable;
 using System.Text.RegularExpressions;
@@ -80,40 +79,6 @@ public void It_builds_a_runnable_apphost_by_default(string targetFramework)
                 .HaveStdOutContaining("Hello World!");
         }
 
-        [PlatformSpecificTheory(TestPlatforms.OSX)]
-        [InlineData("netcoreapp3.1")]
-        [InlineData("net5.0")]
-        [InlineData(ToolsetInfo.CurrentTargetFramework)]
-        public void It_can_disable_codesign_if_opt_out(string targetFramework)
-        {
-            var testAsset = _testAssetsManager
-                .CopyTestAsset("HelloWorld", identifier: targetFramework)
-                .WithSource()
-                .WithTargetFramework(targetFramework);
-
-            var buildCommand = new BuildCommand(testAsset);
-            buildCommand
-                .Execute(new string[] {
-                    "/p:_EnableMacOSCodeSign=false;ProduceReferenceAssembly=false",
-                })
-                .Should()
-                .Pass();
-
-            var outputDirectory = buildCommand.GetOutputDirectory(targetFramework);
-            var appHostFullPath = Path.Combine(outputDirectory.FullName, "HelloWorld");
-
-            // Check that the apphost was not signed
-            var codesignPath = @"/usr/bin/codesign";
-            new RunExeCommand(Log, codesignPath, new string[] { "-d", appHostFullPath })
-                .Execute()
-                .Should()
-                .Fail()
-                .And
-                .HaveStdErrContaining($"{appHostFullPath}: code object is not signed at all");
-
-            outputDirectory.Should().OnlyHaveFiles(GetExpectedFilesFromBuild(testAsset, targetFramework));
-        }
-
         [PlatformSpecificTheory(TestPlatforms.OSX)]
         [InlineData("netcoreapp3.1", "win-x64")]
         [InlineData("net5.0", "win-x64")]
@@ -154,11 +119,15 @@ public void It_does_not_try_to_codesign_non_osx_app_hosts(string targetFramework
         }
 
         [Theory]
-        [InlineData("net6.0", "osx-x64")]
-        [InlineData("net6.0", "osx-arm64")]
-        [InlineData(ToolsetInfo.CurrentTargetFramework, "osx-x64")]
-        [InlineData(ToolsetInfo.CurrentTargetFramework, "osx-arm64")]
-        public void It_codesigns_an_app_targeting_osx(string targetFramework, string rid)
+        [InlineData("net8.0", "osx-x64", true)]
+        [InlineData("net8.0", "osx-arm64", true)]
+        [InlineData(ToolsetInfo.CurrentTargetFramework, "osx-x64", true)]
+        [InlineData(ToolsetInfo.CurrentTargetFramework, "osx-arm64", true)]
+        [InlineData("net8.0", "osx-x64", false)]
+        [InlineData("net8.0", "osx-arm64", false)]
+        [InlineData(ToolsetInfo.CurrentTargetFramework, "osx-x64", false)]
+        [InlineData(ToolsetInfo.CurrentTargetFramework, "osx-arm64", false)]
+        public void It_codesigns_an_app_targeting_osx(string targetFramework, string rid, bool shouldSign)
         {
             const string testAssetName = "HelloWorld";
             var testAsset = _testAssetsManager
@@ -167,7 +136,7 @@ public void It_codesigns_an_app_targeting_osx(string targetFramework, string rid
                 .WithTargetFramework(targetFramework);
 
             var buildCommand = new BuildCommand(testAsset);
-            var buildArgs = new List<string>() { $"/p:RuntimeIdentifier={rid}" };
+            var buildArgs = new List<string>() { $"/p:RuntimeIdentifier={rid}", $"/p:_EnableMacOSCodeSign={shouldSign}" };
             buildCommand
                 .Execute(buildArgs.ToArray())
                 .Should()
@@ -177,21 +146,12 @@ public void It_codesigns_an_app_targeting_osx(string targetFramework, string rid
             var appHostFullPath = Path.Combine(outputDirectory.FullName, testAssetName);
 
             // Check that the apphost is signed
-            HasMachOSignatureLoadCommand(new FileInfo(appHostFullPath)).Should().BeTrue();
-            // When on a Mac, use the codesign tool to verify the signature as well
+            MachOSignature.HasMachOSignatureLoadCommand(new FileInfo(appHostFullPath)).Should().Be(shouldSign, $"The app host should {(shouldSign ? "" : "not ")}have a Mach-O signature load command.");
             if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
             {
-                var codesignPath = @"/usr/bin/codesign";
-                new RunExeCommand(Log, codesignPath, ["-s", "-", appHostFullPath])
-                    .Execute()
-                    .Should()
-                    .Fail()
-                    .And
-                    .HaveStdErrContaining($"{appHostFullPath}: is already signed");
-                new RunExeCommand(Log, codesignPath, ["-v", appHostFullPath])
-                    .Execute()
+                MachOSignature.HasValidMachOSignature(new FileInfo(appHostFullPath), Log)
                     .Should()
-                    .Pass();
+                    .Be(shouldSign, $"The app host should have a valid Mach-O signature for {rid}.");
             }
         }
 
@@ -487,62 +447,5 @@ private static bool IsPE32(string path)
                 return reader.PEHeaders.PEHeader.Magic == PEMagic.PE32;
             }
         }
-
-        // Reads the Mach-O load commands and returns true if an LC_CODE_SIGNATURE command is found, otherwise returns false
-        static bool HasMachOSignatureLoadCommand(FileInfo file)
-        {
-            /* Mach-O files have the following structure:
-             * 32 byte header beginning with a magic number and info about the file and load commands
-             * A series of load commands with the following structure:
-             * - 4-byte command type
-             * - 4-byte command size
-             * - variable length command-specific data
-             */
-            const uint LC_CODE_SIGNATURE = 0x1D;
-            using (var stream = file.OpenRead())
-            {
-                // Read the MachO magic number to determine endianness
-                Span<byte> eightByteBuffer = stackalloc byte[8];
-                stream.ReadExactly(eightByteBuffer);
-                // Determine if the magic number is in the same or opposite endianness as the runtime
-                bool reverseEndinanness = BitConverter.ToUInt32(eightByteBuffer.Slice(0, 4)) switch
-                {
-                    0xFEEDFACF => false,
-                    0xCFFAEDFE => true,
-                    _ => throw new InvalidOperationException("Not a 64-bit Mach-O file")
-                };
-                // 4-byte value at offset 16 is the number of load commands
-                // 4-byte value at offset 20 is the size of the load commands
-                stream.Position = 16;
-                ReadUInts(stream, eightByteBuffer, out uint loadCommandsCount, out uint loadCommandsSize);
-                // Mach-0 64 byte headers are 32 bytes long, and the first load command will be right after
-                stream.Position = 32;
-                bool hasSignature = false;
-                for (int commandIndex = 0; commandIndex < loadCommandsCount; commandIndex++)
-                {
-                    ReadUInts(stream, eightByteBuffer, out uint commandType, out uint commandSize);
-                    if (commandType == LC_CODE_SIGNATURE)
-                    {
-                        hasSignature = true;
-                    }
-                    stream.Position += commandSize - eightByteBuffer.Length;
-                }
-                Debug.Assert(stream.Position == loadCommandsSize + 32);
-                return hasSignature;
-
-                void ReadUInts(Stream stream, Span<byte> buffer, out uint val1, out uint val2)
-                {
-                    stream.ReadExactly(buffer);
-                    val1 = BitConverter.ToUInt32(buffer.Slice(0, 4));
-                    val2 = BitConverter.ToUInt32(buffer.Slice(4, 4));
-                    if (reverseEndinanness)
-                    {
-                        val1 = BinaryPrimitives.ReverseEndianness(val1);
-                        val2 = BinaryPrimitives.ReverseEndianness(val2);
-                    }
-                }
-            }
-        }
-
     }
 }

test/Microsoft.NET.Publish.Tests/GivenThatWeWantToPublishASingleFileApp.cs

@@ -82,10 +82,10 @@ private string GetNativeDll(string baseName)
                    RuntimeInformation.RuntimeIdentifier.StartsWith("osx") ? "lib" + baseName + ".dylib" : "lib" + baseName + ".so";
         }
 
-        private DirectoryInfo GetPublishDirectory(PublishCommand publishCommand, string targetFramework = ToolsetInfo.CurrentTargetFramework)
+        private DirectoryInfo GetPublishDirectory(PublishCommand publishCommand, string targetFramework = ToolsetInfo.CurrentTargetFramework, string runtimeIdentifier = null)
         {
             return publishCommand.GetOutputDirectory(targetFramework: targetFramework,
-                                                     runtimeIdentifier: RuntimeInformation.RuntimeIdentifier);
+                                                     runtimeIdentifier: runtimeIdentifier ??  RuntimeInformation.RuntimeIdentifier);
         }
 
         [Fact]
@@ -1138,5 +1138,45 @@ static void VerifyPrepareForBundle(XDocument project)
                             new XAttribute("Condition", "'%(FilesToBundle.RelativePath)' == 'SingleFileTest.dll'"))));
             }
         }
+
+        [Theory]
+        [InlineData("osx-x64", true)]
+        [InlineData("osx-arm64", true)]
+        [InlineData("osx-x64", false)]
+        [InlineData("osx-arm64", false)]
+        public void It_codesigns_an_app_targeting_osx(string rid, bool enableMacOSCodeSign)
+        {
+            var targetFramework = ToolsetInfo.CurrentTargetFramework;
+            var testProject = new TestProject()
+            {
+                Name = "SingleFileTest",
+                TargetFrameworks = targetFramework,
+                IsExe = true,
+            };
+            testProject.AdditionalProperties.Add("SelfContained", $"true");
+
+            var testAsset = _testAssetsManager.CreateTestProject(
+                testProject,
+                identifier: $"{rid}_{enableMacOSCodeSign}");
+            var publishCommand = new PublishCommand(testAsset);
+
+            publishCommand.Execute(PublishSingleFile, $"/p:RuntimeIdentifier={rid}", $"/p:_EnableMacOSCodeSign={enableMacOSCodeSign}")
+                .Should()
+                .Pass();
+
+            var publishDir = GetPublishDirectory(publishCommand, targetFramework, runtimeIdentifier: rid).FullName;
+            var singleFilePath = Path.Combine(publishDir, $"{testProject.Name}{Constants.ExeSuffix}");
+
+            MachOSignature.HasMachOSignatureLoadCommand(new FileInfo(singleFilePath))
+                .Should()
+                .Be(enableMacOSCodeSign, $"The app host should {(enableMacOSCodeSign ? "" : "not ")}have a Mach-O signature load command.");
+
+            if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
+            {
+                MachOSignature.HasValidMachOSignature(new FileInfo(singleFilePath), Log)
+                    .Should()
+                    .Be(enableMacOSCodeSign, $"The app host should {(enableMacOSCodeSign ? "" : "not ")}have a valid Mach-O signature for {rid}.");
+            }
+        }
     }
 }

test/Microsoft.NET.TestFramework/Utilities/MachOSignature.cs

@@ -0,0 +1,78 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Runtime.Versioning;
+using System.Buffers.Binary;
+using System.Diagnostics;
+
+namespace Microsoft.NET.TestFramework.Utilities
+{
+    public static class MachOSignature
+    {
+#if NET
+        [SupportedOSPlatform("osx")]
+#endif
+        public static bool HasValidMachOSignature(FileInfo file, ITestOutputHelper log)
+        {
+            var codesignPath = @"/usr/bin/codesign";
+            return new RunExeCommand(log, codesignPath, "-v", file.FullName)
+                .Execute().ExitCode == 0;
+        }
+
+        // Reads the Mach-O load commands and returns true if an LC_CODE_SIGNATURE command is found, otherwise returns false
+        public static bool HasMachOSignatureLoadCommand(FileInfo file)
+        {
+            /* Mach-O files have the following structure:
+             * 32 byte header beginning with a magic number and info about the file and load commands
+             * A series of load commands with the following structure:
+             * - 4-byte command type
+             * - 4-byte command size
+             * - variable length command-specific data
+             */
+            const uint LC_CODE_SIGNATURE = 0x0000001D;
+            using (var stream = file.OpenRead())
+            {
+                // Read the MachO magic number to determine endianness
+                Span<byte> eightByteBuffer = stackalloc byte[8];
+                stream.ReadExactly(eightByteBuffer);
+                // Determine if the magic number is in the same or opposite endianness as the runtime
+                bool reverseEndinanness = BitConverter.ToUInt32(eightByteBuffer.Slice(0, 4)) switch
+                {
+                    0xFEEDFACF => false,
+                    0xCFFAEDFE => true,
+                    _ => throw new InvalidOperationException("Not a 64-bit Mach-O file")
+                };
+                // 4-byte value at offset 16 is the number of load commands
+                // 4-byte value at offset 20 is the size of the load commands
+                stream.Position = 16;
+                ReadUInts(stream, eightByteBuffer, out uint loadCommandsCount, out uint loadCommandsSize);
+                // Mach-0 64 byte headers are 32 bytes long, and the first load command will be right after
+                stream.Position = 32;
+                bool hasSignature = false;
+                for (int commandIndex = 0; commandIndex < loadCommandsCount; commandIndex++)
+                {
+                    ReadUInts(stream, eightByteBuffer, out uint commandType, out uint commandSize);
+                    if (commandType == LC_CODE_SIGNATURE)
+                    {
+                        hasSignature = true;
+                    }
+                    stream.Position += commandSize - eightByteBuffer.Length;
+                }
+                Debug.Assert(stream.Position == loadCommandsSize + 32);
+                return hasSignature;
+
+                void ReadUInts(Stream stream, Span<byte> buffer, out uint val1, out uint val2)
+                {
+                    stream.ReadExactly(buffer);
+                    val1 = BitConverter.ToUInt32(buffer.Slice(0, 4));
+                    val2 = BitConverter.ToUInt32(buffer.Slice(4, 4));
+                    if (reverseEndinanness)
+                    {
+                        val1 = BinaryPrimitives.ReverseEndianness(val1);
+                        val2 = BinaryPrimitives.ReverseEndianness(val2);
+                    }
+                }
+            }
+        }
+    }
+}