[msbuild] Enable signing by default for all platforms. Fixes #18469.

Enable signing by default for all platforms, because that's what Xcode does.

This fixes an issue for simulator builds, where certain features don't work unless
the app is signed (#18469).

It also simplifies and unifies our code to detect signing identities, so that it's
much more shared/equal beteween platforms.

However, simulator builds have a few peculiarities:

* The placeholder code signing certificate ("-", or what Xcode calls "Sign to
  Run Locally") is always used.
* Any entitlements the app requests will be embedded in the native executable in
  a Mach-O section named `__ents_der`.
* The actual app signature only demands the
  "com.apple.security.get-task-allow" entitlement (which seems to be allowed
  without a provisioning profile when using the placeholder code signing
  certificate).
* No provisioning profiles are used.

In order to provide a fairly decent way of restoring old behavior (not signing simulator
builds), I created a public property to determine whether we're building for the
simulator (SdkIsSimulator), and added documentation on how to use this new property
to disable code signing.

Fixes #18469.

Author: rolfbjarne

docs/building-apps/build-properties.md

@@ -156,6 +156,25 @@ The path to the `codesign_allocate` tool.
 
 By default this value is auto-detected.
 
+## CodesignConfigureDependsOn
+
+This is an extension point for the build: a developer can add any targets to
+this property to execute those targets before the build looks at any of the
+codesigning properties.
+
+This can for instance be used to disable code signing for simulator builds:
+
+```xml
+<PropertyGroup>
+  <CodesignConfigureDependsOn>$(CodesignConfigureDependsOn);DisableCodesignInSimulator</CodesignConfigureDependsOn>
+</PropertyGroup>
+<Target Name="DisableCodesignInSimulator" Condition="'$(SdkIsSimulator)' == 'true'">
+  <PropertyGroup>
+    <EnableCodeSigning>false</EnableCodeSigning>
+  </PropertyGroup>
+</Target>
+```
+
 ## CodesignDependsOn
 
 This is an extension point for the build: a developer can add any targets to
@@ -295,8 +314,7 @@ Default: true
 
 If code signing is enabled.
 
-Typically the build will automatically determine whether code signing is
-required; this automatic detection can be overridden with this property.
+Code signing is enabled by default for all platforms; this can be overridden with this property.
 
 ## EnableDefaultCodesignEntitlements
 
@@ -832,6 +850,40 @@ only scan libraries with the `[LinkWith]` attribute for Objective-C classes:
 </PropertyGroup>
 ```
 
+## SdkIsSimulator
+
+This property is a read-only property (setting it will have no effect) that
+specifies whether we're building for a simulator or not.
+
+It is only set after [imports and
+properties](https://learn.microsoft.com/visualstudio/msbuild/build-process-overview#evaluate-imports-and-properties)
+have been evaluated. This means the property is not set while evaluating the
+properties in the project file, so this will _not_ work:
+
+```xml
+<PropertyGroup>
+  <EnableCodeSigning Condition="'$(SdkIsSimulator)' == 'true'">false</EnableCodeSigning>
+</PropertyGroup>
+```
+
+However, the either of the following works:
+
+```xml
+<ItemGroup>
+  <!-- item groups (and their conditions) are evaluated after properties have been evaluated -->
+  <CustomEntitlements Condition="'$(SdkIsSimulator)' == 'true'" Include="com.apple.simulator-entitlement" Type="Boolean" Value="true" />
+  <CodesignConfigureDependsOn>$(CodesignConfigureDependsOn);ConfigureSimulatorSigning</CodesignConfigureDependsOn>
+</ItemGroup>
+<!-- targets are executed after properties have been evaluated -->
+<Target Name="ConfigureSimulatorSigning">
+  <PropertyGroup>
+    <EnableCodeSigning Condition="'$(SdkIsSimulator) == 'true'">false</EnableCodeSigning>
+  </PropertyGroup>
+</Target>
+```
+
+Note: this property will always be `false` on macOS and Mac Catalyst.
+
 ## SkipStaticLibraryValidation
 
 Hot Restart doesn't support linking with static libraries, so by default we'll

dotnet/targets/Xamarin.Shared.Sdk.props

@@ -134,6 +134,8 @@
 	<PropertyGroup>
 		<_SdkIsSimulator Condition="$(RuntimeIdentifier.Contains('simulator')) Or $(RuntimeIdentifiers.Contains('simulator'))">true</_SdkIsSimulator>
 		<_SdkIsSimulator Condition="'$(_SdkIsSimulator)' == ''">false</_SdkIsSimulator>
+		<!-- Set a public property that specifies if we're building for the simulator. -->
+		<SdkIsSimulator>$(_SdkIsSimulator)</SdkIsSimulator>
 	</PropertyGroup>
 
 	<PropertyGroup>

dotnet/targets/Xamarin.Shared.Sdk.targets

@@ -2004,7 +2004,7 @@
 	<Target Name="_ComputeCodesignItems"
 		Outputs="$(_CodesignItemsPath)"
 		>
-		<ItemGroup Condition="'$(_RequireCodeSigning)' == 'true' And '$(BundleCreateDump)' == 'true'">
+		<ItemGroup Condition="'$(EnableCodeSigning)' == 'true' And '$(BundleCreateDump)' == 'true'">
 			<!-- The 'createdump' executable must be signed. -->
 			<!-- Ref: https://github.com/dotnet/macios/issues/13417 -->
 			<_CreateDumpExecutableToSign Include="@(_CreateDumpExecutable -> '$(_DylibPublishDir)%(RelativePath)')" KeepMetadata="false">

msbuild/Xamarin.MacDev.Tasks/Tasks/Codesign.cs

@@ -127,9 +127,12 @@ bool Validate (SignInfo info)
 		}
 
 		// 'sortedItems' is sorted by length of path, longest first.
-		bool NeedsCodesign (ITaskItem [] sortedItems, int index, string stampFileContents)
+		bool NeedsCodesign (ITaskItem? [] sortedItems, int index, string stampFileContents)
 		{
 			var item = sortedItems [index];
+			if (item is null)
+				return false;
+
 			var stampFile = GetCodesignStampFile (item);
 			if (!File.Exists (stampFile)) {
 				Log.LogMessage (MessageImportance.Low, "The stamp file '{0}' does not exist, so the item '{1}' needs to be codesigned.", stampFile, item.ItemSpec);
@@ -150,10 +153,11 @@ bool NeedsCodesign (ITaskItem [] sortedItems, int index, string stampFileContent
 				var resolvedStampFile = Path.GetFullPath (PathUtils.ResolveSymbolicLinks (stampFile));
 
 				for (var i = 0; i < index; i++) {
-					if (sortedItems [i] is null)
+					var sortedItem = sortedItems [i];
+					if (sortedItem is null)
 						continue; // this item does not need to be signed
-					if (sortedItems [i].ItemSpec.StartsWith (itemPath, StringComparison.OrdinalIgnoreCase)) {
-						Log.LogMessage (MessageImportance.Low, "The item '{0}' contains '{1}', which must be signed, which means that the item must be signed too.", item.ItemSpec, sortedItems [i].ItemSpec);
+					if (sortedItem.ItemSpec.StartsWith (itemPath, StringComparison.OrdinalIgnoreCase)) {
+						Log.LogMessage (MessageImportance.Low, "The item '{0}' contains '{1}', which must be signed, which means that the item must be signed too.", item.ItemSpec, sortedItem.ItemSpec);
 						return true; // there's an item inside this directory that needs to be signed, so this directory must be signed too
 					}
 				}
@@ -416,17 +420,22 @@ bool ExecuteUnsafe ()
 			}
 
 			// first sort all the items by path length, longest path first.
-			resourcesToSign = resourcesToSign.OrderBy (v => v.ItemSpec.Length).Reverse ().ToArray ();
+			ITaskItem?[] sortedResources = resourcesToSign.OrderBy (v => v.ItemSpec.Length).Reverse ().ToArray ();
 
 			// remove items that are up-to-date
 			var itemsToSign = new List<SignInfo> ();
-			for (var i = 0; i < resourcesToSign.Length; i++) {
-				var item = resourcesToSign [i];
+			for (var i = 0; i < sortedResources.Length; i++) {
+				var item = sortedResources [i];
+				if (item is null)
+					continue;
 				var info = new SignInfo (item);
 				if (!Validate (info))
 					continue;
-				if (NeedsCodesign (resourcesToSign, i, info.GetStampFileContents (this)))
+				if (NeedsCodesign (sortedResources, i, info.GetStampFileContents (this))) {
 					itemsToSign.Add (info);
+				} else {
+					sortedResources [i] = null;
+				}
 			}
 
 			if (Log.HasLoggedErrors)

msbuild/Xamarin.MacDev.Tasks/Tasks/CompileEntitlements.cs

@@ -137,6 +137,21 @@ protected string EntitlementBundlePath {
 			}
 		}
 
+		bool IsDeviceOrDesktop {
+			get {
+				switch (Platform) {
+				case ApplePlatform.iOS:
+				case ApplePlatform.TVOS:
+					return !SdkIsSimulator;
+				case ApplePlatform.MacOSX:
+				case ApplePlatform.MacCatalyst:
+					return true;
+				default:
+					throw new InvalidOperationException (string.Format (MSBStrings.InvalidPlatform, Platform));
+				}
+			}
+		}
+
 		PString MergeEntitlementString (PString pstr, MobileProvision? profile, bool expandWildcards, string? key)
 		{
 			string TeamIdentifierPrefix;
@@ -145,7 +160,7 @@ PString MergeEntitlementString (PString pstr, MobileProvision? profile, bool exp
 			if (string.IsNullOrEmpty (pstr.Value))
 				return (PString) pstr.Clone ();
 
-			if (profile is null) {
+			if (profile is null && IsDeviceOrDesktop) {
 				if (!warnedTeamIdentifierPrefix && pstr.Value.Contains ("$(TeamIdentifierPrefix)")) {
 					Log.LogWarning (null, null, null, Entitlements, 0, 0, 0, 0, MSBStrings.W0108b /* Cannot expand $(TeamIdentifierPrefix) in Entitlements.plist without a provisioning profile for key '{0}' with value '{1}' */, key, pstr.Value);
 					warnedTeamIdentifierPrefix = true;
@@ -455,7 +470,7 @@ public override bool Execute ()
 			MobileProvision? profile;
 			PDictionary template;
 			PDictionary compiled;
-			PDictionary archived;
+			PDictionary? archived = null;
 			string path;
 
 			switch (SdkPlatform) {
@@ -507,34 +522,50 @@ public override bool Execute ()
 
 			compiled = GetCompiledEntitlements (profile, template);
 
-			ValidateAppEntitlements (profile, compiled);
+			/* The path to the entitlements must be resolved to the full path, because we might want to reference it from a containing project that just references this project,
+			  * and in that case it becomes a bit complicated to resolve to a full path on disk when building remotely from Windows. Instead just resolve to a full path here,
+			  * and use that from now on. This has to be done from a task, so that we get the full path on the mac when executed remotely from Windows. */
+			var compiledEntitlementsFullPath = Path.GetFullPath (CompiledEntitlements!.ItemSpec);
+			var compiledEntitlementsFullPathItem = new TaskItem (compiledEntitlementsFullPath);
+
+			Directory.CreateDirectory (Path.GetDirectoryName (compiledEntitlementsFullPath));
+
+			if (SdkIsSimulator) {
+				// Any entitlements the app desires are stored inside the executable for simulator builds,
+				// and then the executable is signed with a placeholder signature ('-') + just a single
+				// entitlement (com.apple.security.get-task-allow). One consequence of storing entitlements
+				// this way is that no provisioning profile will be needed to sign the executable.
+				var simulatedEntitlements = compiled;
+				var simulatedXcent = Path.ChangeExtension (compiledEntitlementsFullPath, "").TrimEnd ('.') + "-Simulated.xcent";
+				try {
+					WriteXcent (simulatedEntitlements, simulatedXcent);
+				} catch (Exception ex) {
+					Log.LogError (MSBStrings.E0114, simulatedXcent, ex.Message);
+					return false;
+				}
+
+				EntitlementsInExecutable = new TaskItem (simulatedXcent);
 
-			archived = GetArchivedExpandedEntitlements (template, compiled);
+				// No matter what, I've only been able to make Xcode apply a single entitlement to simulator builds: com.apple.security.get-task-allow
+				compiled = new PDictionary ();
+				compiled.Add ("com.apple.security.get-task-allow", new PBoolean (true));
+			} else {
+				archived = GetArchivedExpandedEntitlements (template, compiled);
+			}
+
+			ValidateAppEntitlements (profile, compiled);
 
 			try {
-				Directory.CreateDirectory (Path.GetDirectoryName (CompiledEntitlements!.ItemSpec));
-				WriteXcent (compiled, CompiledEntitlements.ItemSpec);
+				WriteXcent (compiled, compiledEntitlementsFullPath);
 			} catch (Exception ex) {
-				Log.LogError (MSBStrings.E0114, CompiledEntitlements, ex.Message);
+				Log.LogError (MSBStrings.E0114, compiledEntitlementsFullPathItem, ex.Message);
 				return false;
 			}
 
-			SaveArchivedExpandedEntitlements (archived);
+			if (archived is not null)
+				SaveArchivedExpandedEntitlements (archived);
 
-			/* The path to the entitlements must be resolved to the full path, because we might want to reference it from a containing project that just references this project,
-			  * and in that case it becomes a bit complicated to resolve to a full path on disk when building remotely from Windows. Instead just resolve to a full path here,
-			  * and use that from now on. This has to be done from a task, so that we get the full path on the mac when executed remotely from Windows. */
-			var compiledEntitlementsFullPath = new TaskItem (Path.GetFullPath (CompiledEntitlements!.ItemSpec));
-
-			if (Platform == Utils.ApplePlatform.MacCatalyst) {
-				EntitlementsInSignature = compiledEntitlementsFullPath;
-			} else if (SdkIsSimulator) {
-				if (compiled.Count > 0) {
-					EntitlementsInExecutable = compiledEntitlementsFullPath;
-				}
-			} else {
-				EntitlementsInSignature = compiledEntitlementsFullPath;
-			}
+			EntitlementsInSignature = compiledEntitlementsFullPathItem;
 
 			return !Log.HasLoggedErrors;
 		}

msbuild/Xamarin.MacDev.Tasks/Tasks/ComputeCodesignItems.cs

@@ -67,11 +67,13 @@ public override bool Execute ()
 
 			// Add the app bundles themselves
 			foreach (var bundle in CodesignBundle) {
-				// An app bundle is signed if either 'RequireCodeSigning' is true
+				// An app bundle is signed if either 'EnableCodeSigning' is true
 				// or a 'CodesignSigningKey' has been provided.
-				var requireCodeSigning = bundle.GetMetadata ("RequireCodeSigning");
+				var enableCodeSigning = bundle.GetMetadata ("EnableCodeSigning");
+				if (string.IsNullOrEmpty (enableCodeSigning))
+					enableCodeSigning = bundle.GetMetadata ("RequireCodeSigning");
 				var codesignSigningKey = bundle.GetMetadata ("CodesignSigningKey");
-				if (!string.Equals (requireCodeSigning, "true") && string.IsNullOrEmpty (codesignSigningKey))
+				if (!string.Equals (enableCodeSigning, "true") && string.IsNullOrEmpty (codesignSigningKey))
 					continue;
 
 				// Create a new item for the app bundle, and copy any metadata over.