Preserve entitlements in managed Mach-O signer #116659
Conversation
|
Tagging subscribers to this area: @vitek-karas, @agocke |
There was a problem hiding this comment.
Pull Request Overview
This PR introduces support for preserving entitlements in the managed Mach‑O signer. Key changes include adding new blob types (EntitlementsBlob and DerEntitlementsBlob), updating signature‐generation methods to optionally reuse the existing entitlements, and extending test coverage to validate that both apphost and bundled files correctly preserve entitlements.
Reviewed Changes
Copilot reviewed 23 out of 23 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/installer/tests/.../MachObjectTests.cs | Adds tests for verifying signatures, including entitlements preservation. |
| src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.cs | Updates signature routines to optionally preserve existing entitlements. |
| src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/Blobs/*.cs | Introduces new blob types and updates signature size calculations for entitlements. |
| src/installer/managed/Microsoft.NET.HostModel/Bundle/* | Adjustments for bundle generation and header replacement in light of updated signing logic. |
| src/installer/managed/Microsoft.NET.HostModel/AppHost/* | Updates apphost creation, signing and resource updating to incorporate new entitlements recording. |
Comments suppressed due to low confidence (1)
src/installer/managed/Microsoft.NET.HostModel/AppHost/PlaceHolderNotFoundInAppHostException.cs:19
- This constructor is currently empty; consider delegating to the existing constructor or providing a meaningful error message that includes details about the missing pattern.
public PlaceHolderNotFoundInAppHostException(ReadOnlySpan<byte> pattern)
| { | ||
| using var derStream = new MemoryStreamWriter((int)derEntitlementsBlob.Size); | ||
| derEntitlementsBlob.Write(derStream, 0); | ||
| specialSlotHashes[(int)CodeDirectorySpecialSlot.DerEntitlements - 1] = hasher.ComputeHash(derStream.GetBuffer()); |
There was a problem hiding this comment.
Consider creating a helper method to convert a CodeDirectorySpecialSlot value into a zero-based index rather than subtracting one directly, as this may be error‑prone if enum values change in the future.
| specialSlotHashes[(int)CodeDirectorySpecialSlot.DerEntitlements - 1] = hasher.ComputeHash(derStream.GetBuffer()); | |
| specialSlotHashes[GetSpecialSlotIndex(CodeDirectorySpecialSlot.DerEntitlements)] = hasher.ComputeHash(derStream.GetBuffer()); |
Copilot uses AI. Check for mistakes.
…serveEntitlementsInMachSigner
…/jtschuster/runtime into PreserveEntitlementsInMachSigner
…/jtschuster/runtime into PreserveEntitlementsInMachSigner
Preserves entitlements in the signature when signing with the managed signer. Works on regular apphost and singlefile apphost.
Adds EntitlementsBlob and DerEntitlementsBlob, and updates relevant code to include these blobs.
Adds an EmbeddedSignatureBlob to signing methods to preserve the entitlements from the previous signature.
Precalculates the maximum length required for the new apphost / bundle and allocates an memory-mapped file in memory, copies / modifies the file, then writes out the final length of the file.
Adds tests to ensure the inode of the apphost changes when CreateAppHost / GenerateBundle creates a new apphost/bundle to ensure the MacOS signature cache is dirtied.