[msbuild] Sign simulator apps by default. Fixes #18469.

When building for the simulator:

* Signing is enabled by default.
* Any entitlements the app requests will be embedded in the native executable in
  an `__ents_der` Mach-O section.
* The actual app signature only demands the "com.apple.security.get-task-allow"
  entitlement.
* No provisioning profiles are used.

Also:

* Unify the code to detect signing identity, so that it's as equal as possible
  between our platforms.


Fixes #18469.

Author: rolfbjarne

docs/building-apps/build-properties.md

@@ -156,6 +156,25 @@ The path to the `codesign_allocate` tool.
 
 By default this value is auto-detected.
 
+## CodesignConfigureDependsOn
+
+This is an extension point for the build: a developer can add any targets to
+this property to execute those targets before the build looks at any of the
+codesigning properties.
+
+This can be used to 
+
+```xml
+<PropertyGroup>
+  <CodesignConfigureDependsOn>$(CodesignConfigureDependsOn);DisableCodesignInSimulator</CodesignConfigureDependsOn>
+</PropertyGroup>
+<Target Name="DisableCodesignInSimulator" Condition="'$(SdkIsSimulator)' == 'true'">
+  <PropertyGroup>
+    <EnableCodeSigning>false</EnableCodeSigning>
+  </PropertyGroup>
+</Target>
+```
+
 ## CodesignDependsOn
 
 This is an extension point for the build: a developer can add any targets to
@@ -832,6 +851,40 @@ only scan libraries with the `[LinkWith]` attribute for Objective-C classes:
 </PropertyGroup>
 ```
 
+## SdkIsSimulator
+
+This property is a read-only property (setting it will have no effect) that
+specifies whether we're building for a simulator or not.
+
+It is only set after [imports and
+properties](https://learn.microsoft.com/visualstudio/msbuild/build-process-overview#evaluate-imports-and-properties)
+have been evaluated. This means the property is not set while evaluating the
+properties in the project file, so this will _not_ work:
+
+```xml
+<PropertyGroup>
+  <EnableCodeSigning Condition="'$(SdkIsSimulator)'">false</EnableCodeSigning>
+</PropertyGroup>
+```
+
+However, the either of the following works:
+
+```xml
+<ItemGroup>
+  <!-- item groups (and their conditions) are evaluated after properties have been evaluated -->
+  <CustomEntitlements Condition="'$(SdkIsSimulator)' == 'true'" Include="com.apple.simulator-entitlement" Type="Boolean" Value="true" />
+  <CodesignConfigureDependsOn>$(CodesignConfigureDependsOn);ConfigureSimulatorSigning</CodesignConfigureDependsOn>
+</ItemGroup>
+<!-- targets are executed after properties have been evaluated -->
+<Target Name="ConfigureSimulatorSigning">
+  <PropertyGroup>
+    <EnableCodeSigning Condition="'$(SdkIsSimulator)'">false</EnableCodeSigning>
+  </PropertyGroup>
+</Target>
+```
+
+Note: this property will always be `false` on macOS and Mac Catalyst.
+
 ## SkipStaticLibraryValidation
 
 Hot Restart doesn't support linking with static libraries, so by default we'll

dotnet/targets/Xamarin.Shared.Sdk.props

@@ -134,6 +134,8 @@
 	<PropertyGroup>
 		<_SdkIsSimulator Condition="$(RuntimeIdentifier.Contains('simulator')) Or $(RuntimeIdentifiers.Contains('simulator'))">true</_SdkIsSimulator>
 		<_SdkIsSimulator Condition="'$(_SdkIsSimulator)' == ''">false</_SdkIsSimulator>
+		<!-- Set a public property that specifies if we're building for the simulator. -->
+		<SdkIsSimulator>$(_SdkIsSimulator)</SdkIsSimulator>
 	</PropertyGroup>
 
 	<PropertyGroup>

msbuild/Xamarin.MacDev.Tasks/Tasks/Codesign.cs

@@ -127,9 +127,12 @@ bool Validate (SignInfo info)
 		}
 
 		// 'sortedItems' is sorted by length of path, longest first.
-		bool NeedsCodesign (ITaskItem [] sortedItems, int index, string stampFileContents)
+		bool NeedsCodesign (ITaskItem? [] sortedItems, int index, string stampFileContents)
 		{
 			var item = sortedItems [index];
+			if (item is null)
+				return false;
+
 			var stampFile = GetCodesignStampFile (item);
 			if (!File.Exists (stampFile)) {
 				Log.LogMessage (MessageImportance.Low, "The stamp file '{0}' does not exist, so the item '{1}' needs to be codesigned.", stampFile, item.ItemSpec);
@@ -150,10 +153,11 @@ bool NeedsCodesign (ITaskItem [] sortedItems, int index, string stampFileContent
 				var resolvedStampFile = Path.GetFullPath (PathUtils.ResolveSymbolicLinks (stampFile));
 
 				for (var i = 0; i < index; i++) {
-					if (sortedItems [i] is null)
+					var sortedItem = sortedItems [i];
+					if (sortedItem is null)
 						continue; // this item does not need to be signed
-					if (sortedItems [i].ItemSpec.StartsWith (itemPath, StringComparison.OrdinalIgnoreCase)) {
-						Log.LogMessage (MessageImportance.Low, "The item '{0}' contains '{1}', which must be signed, which means that the item must be signed too.", item.ItemSpec, sortedItems [i].ItemSpec);
+					if (sortedItem.ItemSpec.StartsWith (itemPath, StringComparison.OrdinalIgnoreCase)) {
+						Log.LogMessage (MessageImportance.Low, "The item '{0}' contains '{1}', which must be signed, which means that the item must be signed too.", item.ItemSpec, sortedItem.ItemSpec);
 						return true; // there's an item inside this directory that needs to be signed, so this directory must be signed too
 					}
 				}
@@ -416,17 +420,22 @@ bool ExecuteUnsafe ()
 			}
 
 			// first sort all the items by path length, longest path first.
-			resourcesToSign = resourcesToSign.OrderBy (v => v.ItemSpec.Length).Reverse ().ToArray ();
+			ITaskItem?[] sortedResources = resourcesToSign.OrderBy (v => v.ItemSpec.Length).Reverse ().ToArray ();
 
 			// remove items that are up-to-date
 			var itemsToSign = new List<SignInfo> ();
-			for (var i = 0; i < resourcesToSign.Length; i++) {
-				var item = resourcesToSign [i];
+			for (var i = 0; i < sortedResources.Length; i++) {
+				var item = sortedResources [i];
+				if (item is null)
+					continue;
 				var info = new SignInfo (item);
 				if (!Validate (info))
 					continue;
-				if (NeedsCodesign (resourcesToSign, i, info.GetStampFileContents (this)))
+				if (NeedsCodesign (sortedResources, i, info.GetStampFileContents (this))) {
 					itemsToSign.Add (info);
+				} else {
+					sortedResources [i] = null;
+				}
 			}
 
 			if (Log.HasLoggedErrors)

msbuild/Xamarin.MacDev.Tasks/Tasks/CompileEntitlements.cs

@@ -137,6 +137,22 @@ protected string EntitlementBundlePath {
 			}
 		}
 
+		bool IsDeviceOrDesktop {
+			get {
+				switch (Platform) {
+				case ApplePlatform.iOS:
+				case ApplePlatform.TVOS:
+				case ApplePlatform.WatchOS:
+					return !SdkIsSimulator;
+				case ApplePlatform.MacOSX:
+				case ApplePlatform.MacCatalyst:
+					return true;
+				default:
+					throw new InvalidOperationException (string.Format (MSBStrings.InvalidPlatform, Platform));
+				}
+			}
+		}
+
 		PString MergeEntitlementString (PString pstr, MobileProvision? profile, bool expandWildcards, string? key)
 		{
 			string TeamIdentifierPrefix;
@@ -145,7 +161,7 @@ PString MergeEntitlementString (PString pstr, MobileProvision? profile, bool exp
 			if (string.IsNullOrEmpty (pstr.Value))
 				return (PString) pstr.Clone ();
 
-			if (profile is null) {
+			if (profile is null && IsDeviceOrDesktop) {
 				if (!warnedTeamIdentifierPrefix && pstr.Value.Contains ("$(TeamIdentifierPrefix)")) {
 					Log.LogWarning (null, null, null, Entitlements, 0, 0, 0, 0, MSBStrings.W0108b /* Cannot expand $(TeamIdentifierPrefix) in Entitlements.plist without a provisioning profile for key '{0}' with value '{1}' */, key, pstr.Value);
 					warnedTeamIdentifierPrefix = true;
@@ -455,7 +471,7 @@ public override bool Execute ()
 			MobileProvision? profile;
 			PDictionary template;
 			PDictionary compiled;
-			PDictionary archived;
+			PDictionary? archived = null;
 			string path;
 
 			switch (SdkPlatform) {
@@ -507,34 +523,50 @@ public override bool Execute ()
 
 			compiled = GetCompiledEntitlements (profile, template);
 
-			ValidateAppEntitlements (profile, compiled);
+			/* The path to the entitlements must be resolved to the full path, because we might want to reference it from a containing project that just references this project,
+			  * and in that case it becomes a bit complicated to resolve to a full path on disk when building remotely from Windows. Instead just resolve to a full path here,
+			  * and use that from now on. This has to be done from a task, so that we get the full path on the mac when executed remotely from Windows. */
+			var compiledEntitlementsFullPath = Path.GetFullPath (CompiledEntitlements!.ItemSpec);
+			var compiledEntitlementsFullPathItem = new TaskItem (compiledEntitlementsFullPath);
+
+			Directory.CreateDirectory (Path.GetDirectoryName (compiledEntitlementsFullPath));
+
+			if (SdkIsSimulator) {
+				// Any entitlements the app desires are stored inside the executable for simulator builds,
+				// and then the executable is signed with a placeholder signature ('-') + just a single
+				// entitlement (com.apple.security.get-task-allow). One consequence of storing entitlements
+				// this way is that no provisioning profile will be needed to sign the executable.
+				var simulatedEntitlements = compiled;
+				var simulatedXcent = Path.ChangeExtension (compiledEntitlementsFullPath, "").TrimEnd ('.') + "-Simulated.xcent";
+				try {
+					WriteXcent (simulatedEntitlements, simulatedXcent);
+				} catch (Exception ex) {
+					Log.LogError (MSBStrings.E0114, simulatedXcent, ex.Message);
+					return false;
+				}
+
+				EntitlementsInExecutable = new TaskItem (simulatedXcent);
 
-			archived = GetArchivedExpandedEntitlements (template, compiled);
+				// No matter what, I've only been able to make Xcode apply a single entitlement to simulator builds: com.apple.security.get-task-allow
+				compiled = new PDictionary ();
+				compiled.Add ("com.apple.security.get-task-allow", new PBoolean (true));
+			} else {
+				archived = GetArchivedExpandedEntitlements (template, compiled);
+			}
+
+			ValidateAppEntitlements (profile, compiled);
 
 			try {
-				Directory.CreateDirectory (Path.GetDirectoryName (CompiledEntitlements!.ItemSpec));
-				WriteXcent (compiled, CompiledEntitlements.ItemSpec);
+				WriteXcent (compiled, compiledEntitlementsFullPath);
 			} catch (Exception ex) {
-				Log.LogError (MSBStrings.E0114, CompiledEntitlements, ex.Message);
+				Log.LogError (MSBStrings.E0114, compiledEntitlementsFullPathItem, ex.Message);
 				return false;
 			}
 
-			SaveArchivedExpandedEntitlements (archived);
+			if (archived is not null)
+				SaveArchivedExpandedEntitlements (archived);
 
-			/* The path to the entitlements must be resolved to the full path, because we might want to reference it from a containing project that just references this project,
-			  * and in that case it becomes a bit complicated to resolve to a full path on disk when building remotely from Windows. Instead just resolve to a full path here,
-			  * and use that from now on. This has to be done from a task, so that we get the full path on the mac when executed remotely from Windows. */
-			var compiledEntitlementsFullPath = new TaskItem (Path.GetFullPath (CompiledEntitlements!.ItemSpec));
-
-			if (Platform == Utils.ApplePlatform.MacCatalyst) {
-				EntitlementsInSignature = compiledEntitlementsFullPath;
-			} else if (SdkIsSimulator) {
-				if (compiled.Count > 0) {
-					EntitlementsInExecutable = compiledEntitlementsFullPath;
-				}
-			} else {
-				EntitlementsInSignature = compiledEntitlementsFullPath;
-			}
+			EntitlementsInSignature = compiledEntitlementsFullPathItem;
 
 			return !Log.HasLoggedErrors;
 		}

msbuild/Xamarin.MacDev.Tasks/Tasks/DetectSigningIdentity.cs

@@ -588,88 +588,27 @@ bool ExecuteImpl ()
 			identity.BundleId = BundleIdentifier;
 			DetectedAppId = BundleIdentifier; // default value that can be changed below
 
+			// If a code signing key has been pre-detected, it overrides any custom detection on our side.
+			if (!string.IsNullOrEmpty (DetectedCodeSigningKey))
+				return !Log.HasLoggedErrors;
+
 			// If the developer chooses to use the placeholder codesigning key, accept that.
 			if (SigningKey == "-") {
 				DetectedCodeSigningKey = SigningKey;
 				return !Log.HasLoggedErrors;
 			}
 
-			if (Platform == ApplePlatform.MacOSX) {
-				if (!RequireCodeSigning || !string.IsNullOrEmpty (DetectedCodeSigningKey)) {
-					return !Log.HasLoggedErrors;
-				}
-			} else if (Platform == ApplePlatform.MacCatalyst) {
-				var doesNotNeedCodeSigningCertificate = !RequireCodeSigning || !string.IsNullOrEmpty (DetectedCodeSigningKey);
-				if (RequireProvisioningProfile)
-					doesNotNeedCodeSigningCertificate = false;
-				if (doesNotNeedCodeSigningCertificate) {
-					DetectedCodeSigningKey = "-";
-
-					return !Log.HasLoggedErrors;
-				}
-			} else {
-				// Framework is either iOS or tvOS
-				if (SdkIsSimulator) {
-					if (AppleSdkSettings.XcodeVersion.Major >= 8 && RequireProvisioningProfile) {
-						// Note: Starting with Xcode 8.0, we need to codesign iOS Simulator builds that enable Entitlements
-						// in order for them to run. The "-" key is a special value allowed by the codesign utility that
-						// allows us to get away with not having an actual codesign key.
-						DetectedCodeSigningKey = "-";
-
-						if (!IsAutoCodeSignProfile (ProvisioningProfile)) {
-							identity.Profile = MobileProvisionIndex.GetMobileProvision (platform, ProvisioningProfile);
-
-							if (identity.Profile is null) {
-								Log.LogError (MSBStrings.E0140, PlatformName, ProvisioningProfile);
-								return false;
-							}
-
-							identity.AppId = ConstructValidAppId (identity.Profile, identity.BundleId);
-							if (identity.AppId is null) {
-								Log.LogError (MSBStrings.E0141, identity.BundleId, ProvisioningProfile);
-								return false;
-							}
-
-							provisioningProfileName = identity.Profile.Name;
-
-							DetectedProvisioningProfile = identity.Profile.Uuid;
-							DetectedDistributionType = identity.Profile.DistributionType.ToString ();
-						} else {
-							certs = new X509Certificate2 [0];
-
-							if ((profiles = GetProvisioningProfiles (platform, type, identity, certs)) is null)
-								return false;
-
-							if ((pairs = GetCodeSignIdentityPairs (profiles, certs)) is null)
-								return false;
-
-							var match = GetBestMatch (pairs, identity);
-							identity.Profile = match.Profile;
-							identity.AppId = match.AppId;
-
-							if (identity.Profile is not null) {
-								DetectedDistributionType = identity.Profile.DistributionType.ToString ();
-								DetectedProvisioningProfile = identity.Profile.Uuid;
-								provisioningProfileName = identity.Profile.Name;
-							}
-
-							DetectedAppId = identity.AppId;
-						}
-					} else {
-						// Note: Do not codesign. Codesigning seems to break the iOS Simulator in older versions of Xcode.
-						DetectedCodeSigningKey = null;
-					}
-
-					return !Log.HasLoggedErrors;
-				}
-
-				if (!SdkIsSimulator && !RequireCodeSigning) {
-					// The "-" key is a special value allowed by the codesign utility that
-					// allows us to get away with not having an actual codesign key.
-					DetectedCodeSigningKey = "-";
+			// If no code signing is required and no provisioning profile is required, we can get away
+			// with using the placeholder codesign key.
+			if (!RequireCodeSigning && !RequireProvisioningProfile) {
+				DetectedCodeSigningKey = "-";
+				return !Log.HasLoggedErrors;
+			}
 
-					return !Log.HasLoggedErrors;
-				}
+			// If we're building for the simulator, always use the placeholder codesign key.
+			if (SdkIsSimulator) {
+				DetectedCodeSigningKey = "-";
+				return !Log.HasLoggedErrors;
 			}
 
 			// Note: if we make it this far, we absolutely need a codesigning certificate

msbuild/Xamarin.MacDev.Tasks/Tasks/LinkNativeCode.cs

@@ -202,7 +202,7 @@ bool ExecuteUnsafe ()
 				foreach (var obj in ObjectFiles)
 					arguments.Add (Path.GetFullPath (obj.ItemSpec));
 
-			arguments.AddRange (GetEmbedEntitlementsInExecutableLinkerFlags (EntitlementsInExecutable));
+			arguments.AddRange (GetEmbedEntitlementsWithDerInExecutableLinkerFlags (EntitlementsInExecutable));
 
 			arguments.Add ("-o");
 			arguments.Add (Path.GetFullPath (OutputFile));
@@ -242,6 +242,20 @@ bool ExecuteUnsafe ()
 			return !Log.HasLoggedErrors;
 		}
 
+		IEnumerable<string> GetEmbedEntitlementsWithDerInExecutableLinkerFlags (string entitlements)
+		{
+			var rv = GetEmbedEntitlementsInExecutableLinkerFlags (entitlements).ToList ();
+			if (rv.Count > 0) {
+				rv.AddRange (new string [] {
+					"-Xlinker", "-sectcreate",
+					"-Xlinker", "__TEXT",
+					"-Xlinker", "__ents_der",
+					"-Xlinker", ConvertEntitlementsToDerEntitlements (Path.GetFullPath (entitlements)),
+				});
+			}
+			return rv;
+		}
+
 		public static string [] GetEmbedEntitlementsInExecutableLinkerFlags (string entitlements)
 		{
 			if (string.IsNullOrEmpty (entitlements))
@@ -258,6 +272,21 @@ public static string [] GetEmbedEntitlementsInExecutableLinkerFlags (string enti
 			};
 		}
 
+		string ConvertEntitlementsToDerEntitlements (string entitlements)
+		{
+			var derEntitlements = entitlements + ".der";
+			var arguments = new List<string> () {
+				"derq",
+				"query",
+				"-f", "xml",
+				"-i", entitlements,
+				"-o", derEntitlements,
+				"--raw",
+			};
+			ExecuteAsync ("xcrun", arguments, sdkDevPath: SdkDevPath).Wait ();
+			return derEntitlements;
+		}
+
 		static bool EntitlementsRequireLinkerFlags (string path)
 		{
 			try {