[msbuild] Sign simulator apps by default. Fixes #18469.

Fixes #18469.

Author: rolfbjarne

msbuild/Xamarin.MacDev.Tasks/Tasks/Codesign.cs

@@ -45,7 +45,7 @@ public class Codesign : XamarinParallelTask, ITaskCallback, ICancelableTask {
 		public string Keychain { get; set; } = string.Empty;
 
 		[Required]
-		public ITaskItem [] Resources { get; set; } = Array.Empty<ITaskItem> ();
+		public ITaskItem? [] Resources { get; set; } = Array.Empty<ITaskItem> ();
 
 		// Can also be specified per resource using the 'CodesignResourceRules' metadata
 		public string ResourceRules { get; set; } = string.Empty;
@@ -127,9 +127,12 @@ bool Validate (SignInfo info)
 		}
 
 		// 'sortedItems' is sorted by length of path, longest first.
-		bool NeedsCodesign (ITaskItem [] sortedItems, int index, string stampFileContents)
+		bool NeedsCodesign (ITaskItem? [] sortedItems, int index, string stampFileContents)
 		{
 			var item = sortedItems [index];
+			if (item is null)
+				return false;
+
 			var stampFile = GetCodesignStampFile (item);
 			if (!File.Exists (stampFile)) {
 				Log.LogMessage (MessageImportance.Low, "The stamp file '{0}' does not exist, so the item '{1}' needs to be codesigned.", stampFile, item.ItemSpec);
@@ -150,10 +153,11 @@ bool NeedsCodesign (ITaskItem [] sortedItems, int index, string stampFileContent
 				var resolvedStampFile = Path.GetFullPath (PathUtils.ResolveSymbolicLinks (stampFile));
 
 				for (var i = 0; i < index; i++) {
-					if (sortedItems [i] is null)
+					var sortedItem = sortedItems [i];
+					if (sortedItem is null)
 						continue; // this item does not need to be signed
-					if (sortedItems [i].ItemSpec.StartsWith (itemPath, StringComparison.OrdinalIgnoreCase)) {
-						Log.LogMessage (MessageImportance.Low, "The item '{0}' contains '{1}', which must be signed, which means that the item must be signed too.", item.ItemSpec, sortedItems [i].ItemSpec);
+					if (sortedItem.ItemSpec.StartsWith (itemPath, StringComparison.OrdinalIgnoreCase)) {
+						Log.LogMessage (MessageImportance.Low, "The item '{0}' contains '{1}', which must be signed, which means that the item must be signed too.", item.ItemSpec, sortedItem.ItemSpec);
 						return true; // there's an item inside this directory that needs to be signed, so this directory must be signed too
 					}
 				}
@@ -402,7 +406,7 @@ bool ExecuteUnsafe ()
 			// All this makes it easier to sort and split the input files into buckets that can be codesigned together,
 			// while also not codesigning directories before files inside them.
 			foreach (var res in resourcesToSign) {
-				var path = res.ItemSpec;
+				var path = res!.ItemSpec;
 				var parent = Path.GetDirectoryName (path);
 
 				// so do not don't sign `A.framework/A`, sign `A.framework` which will always sign the *bundle*
@@ -416,17 +420,22 @@ bool ExecuteUnsafe ()
 			}
 
 			// first sort all the items by path length, longest path first.
-			resourcesToSign = resourcesToSign.OrderBy (v => v.ItemSpec.Length).Reverse ().ToArray ();
+			resourcesToSign = resourcesToSign.OrderBy (v => v!.ItemSpec.Length).Reverse ().ToArray ();
 
 			// remove items that are up-to-date
 			var itemsToSign = new List<SignInfo> ();
 			for (var i = 0; i < resourcesToSign.Length; i++) {
 				var item = resourcesToSign [i];
+				if (item is null)
+					continue;
 				var info = new SignInfo (item);
 				if (!Validate (info))
 					continue;
-				if (NeedsCodesign (resourcesToSign, i, info.GetStampFileContents (this)))
+				if (NeedsCodesign (resourcesToSign, i, info.GetStampFileContents (this))) {
 					itemsToSign.Add (info);
+				} else {
+					resourcesToSign [i] = new TaskItem ("");
+				}
 			}
 
 			if (Log.HasLoggedErrors)

msbuild/Xamarin.MacDev.Tasks/Tasks/CompileEntitlements.cs

@@ -137,6 +137,22 @@ protected string EntitlementBundlePath {
 			}
 		}
 
+		bool IsDeviceOrDesktop {
+			get {
+				switch (Platform) {
+				case ApplePlatform.iOS:
+				case ApplePlatform.TVOS:
+				case ApplePlatform.WatchOS:
+					return !SdkIsSimulator;
+				case ApplePlatform.MacOSX:
+				case ApplePlatform.MacCatalyst:
+					return true;
+				default:
+					throw new InvalidOperationException (string.Format (MSBStrings.InvalidPlatform, Platform));
+				}
+			}
+		}
+
 		PString MergeEntitlementString (PString pstr, MobileProvision? profile, bool expandWildcards, string? key)
 		{
 			string TeamIdentifierPrefix;
@@ -145,7 +161,7 @@ PString MergeEntitlementString (PString pstr, MobileProvision? profile, bool exp
 			if (string.IsNullOrEmpty (pstr.Value))
 				return (PString) pstr.Clone ();
 
-			if (profile is null) {
+			if (profile is null && IsDeviceOrDesktop) {
 				if (!warnedTeamIdentifierPrefix && pstr.Value.Contains ("$(TeamIdentifierPrefix)")) {
 					Log.LogWarning (null, null, null, Entitlements, 0, 0, 0, 0, MSBStrings.W0108b /* Cannot expand $(TeamIdentifierPrefix) in Entitlements.plist without a provisioning profile for key '{0}' with value '{1}' */, key, pstr.Value);
 					warnedTeamIdentifierPrefix = true;
@@ -455,7 +471,7 @@ public override bool Execute ()
 			MobileProvision? profile;
 			PDictionary template;
 			PDictionary compiled;
-			PDictionary archived;
+			PDictionary? archived = null;
 			string path;
 
 			switch (SdkPlatform) {
@@ -509,7 +525,26 @@ public override bool Execute ()
 
 			ValidateAppEntitlements (profile, compiled);
 
-			archived = GetArchivedExpandedEntitlements (template, compiled);
+			Directory.CreateDirectory (Path.GetDirectoryName (CompiledEntitlements!.ItemSpec));
+
+			if (SdkIsSimulator) {
+				var simulatedEntitlements = compiled;
+				var simulatedXcent = Path.ChangeExtension (CompiledEntitlements.ItemSpec, "").TrimEnd ('.') + "-Simulated.xcent";
+				try {
+					WriteXcent (simulatedEntitlements, simulatedXcent);
+				} catch (Exception ex) {
+					Log.LogError (MSBStrings.E0114, simulatedXcent, ex.Message);
+					return false;
+				}
+
+				EntitlementsInExecutable = new TaskItem (simulatedXcent);
+
+				// No matter what, I've only been able to make Xcode apply a single entitlement to simulator builds: com.apple.security.get-task-allow
+				compiled = new PDictionary ();
+				compiled.Add ("com.apple.security.get-task-allow", new PBoolean (true));
+			} else {
+				archived = GetArchivedExpandedEntitlements (template, compiled);
+			}
 
 			try {
 				Directory.CreateDirectory (Path.GetDirectoryName (CompiledEntitlements!.ItemSpec));
@@ -519,22 +554,10 @@ public override bool Execute ()
 				return false;
 			}
 
-			SaveArchivedExpandedEntitlements (archived);
-
-			/* The path to the entitlements must be resolved to the full path, because we might want to reference it from a containing project that just references this project,
-			  * and in that case it becomes a bit complicated to resolve to a full path on disk when building remotely from Windows. Instead just resolve to a full path here,
-			  * and use that from now on. This has to be done from a task, so that we get the full path on the mac when executed remotely from Windows. */
-			var compiledEntitlementsFullPath = new TaskItem (Path.GetFullPath (CompiledEntitlements!.ItemSpec));
+			if (archived is not null)
+				SaveArchivedExpandedEntitlements (archived);
 
-			if (Platform == Utils.ApplePlatform.MacCatalyst) {
-				EntitlementsInSignature = compiledEntitlementsFullPath;
-			} else if (SdkIsSimulator) {
-				if (compiled.Count > 0) {
-					EntitlementsInExecutable = compiledEntitlementsFullPath;
-				}
-			} else {
-				EntitlementsInSignature = compiledEntitlementsFullPath;
-			}
+			EntitlementsInSignature = CompiledEntitlements;
 
 			return !Log.HasLoggedErrors;
 		}

msbuild/Xamarin.MacDev.Tasks/Tasks/DetectSigningIdentity.cs

@@ -608,62 +608,7 @@ bool ExecuteImpl ()
 					return !Log.HasLoggedErrors;
 				}
 			} else {
-				// Framework is either iOS or tvOS
-				if (SdkIsSimulator) {
-					if (AppleSdkSettings.XcodeVersion.Major >= 8 && RequireProvisioningProfile) {
-						// Note: Starting with Xcode 8.0, we need to codesign iOS Simulator builds that enable Entitlements
-						// in order for them to run. The "-" key is a special value allowed by the codesign utility that
-						// allows us to get away with not having an actual codesign key.
-						DetectedCodeSigningKey = "-";
-
-						if (!IsAutoCodeSignProfile (ProvisioningProfile)) {
-							identity.Profile = MobileProvisionIndex.GetMobileProvision (platform, ProvisioningProfile);
-
-							if (identity.Profile is null) {
-								Log.LogError (MSBStrings.E0140, PlatformName, ProvisioningProfile);
-								return false;
-							}
-
-							identity.AppId = ConstructValidAppId (identity.Profile, identity.BundleId);
-							if (identity.AppId is null) {
-								Log.LogError (MSBStrings.E0141, identity.BundleId, ProvisioningProfile);
-								return false;
-							}
-
-							provisioningProfileName = identity.Profile.Name;
-
-							DetectedProvisioningProfile = identity.Profile.Uuid;
-							DetectedDistributionType = identity.Profile.DistributionType.ToString ();
-						} else {
-							certs = new X509Certificate2 [0];
-
-							if ((profiles = GetProvisioningProfiles (platform, type, identity, certs)) is null)
-								return false;
-
-							if ((pairs = GetCodeSignIdentityPairs (profiles, certs)) is null)
-								return false;
-
-							var match = GetBestMatch (pairs, identity);
-							identity.Profile = match.Profile;
-							identity.AppId = match.AppId;
-
-							if (identity.Profile is not null) {
-								DetectedDistributionType = identity.Profile.DistributionType.ToString ();
-								DetectedProvisioningProfile = identity.Profile.Uuid;
-								provisioningProfileName = identity.Profile.Name;
-							}
-
-							DetectedAppId = identity.AppId;
-						}
-					} else {
-						// Note: Do not codesign. Codesigning seems to break the iOS Simulator in older versions of Xcode.
-						DetectedCodeSigningKey = null;
-					}
-
-					return !Log.HasLoggedErrors;
-				}
-
-				if (!SdkIsSimulator && !RequireCodeSigning) {
+				if (SdkIsSimulator || !RequireCodeSigning) {
 					// The "-" key is a special value allowed by the codesign utility that
 					// allows us to get away with not having an actual codesign key.
 					DetectedCodeSigningKey = "-";

msbuild/Xamarin.MacDev.Tasks/Tasks/LinkNativeCode.cs

@@ -202,7 +202,7 @@ bool ExecuteUnsafe ()
 				foreach (var obj in ObjectFiles)
 					arguments.Add (Path.GetFullPath (obj.ItemSpec));
 
-			arguments.AddRange (GetEmbedEntitlementsInExecutableLinkerFlags (EntitlementsInExecutable));
+			arguments.AddRange (GetEmbedEntitlementsWithDerInExecutableLinkerFlags (EntitlementsInExecutable));
 
 			arguments.Add ("-o");
 			arguments.Add (Path.GetFullPath (OutputFile));
@@ -242,6 +242,20 @@ bool ExecuteUnsafe ()
 			return !Log.HasLoggedErrors;
 		}
 
+		IEnumerable<string> GetEmbedEntitlementsWithDerInExecutableLinkerFlags (string entitlements)
+		{
+			var rv = GetEmbedEntitlementsInExecutableLinkerFlags (entitlements).ToList ();
+			if (rv.Count > 0) {
+				rv.AddRange (new string [] {
+					"-Xlinker", "-sectcreate",
+					"-Xlinker", "__TEXT",
+					"-Xlinker", "__ents_der",
+					"-Xlinker", ConvertEntitlementsToDerEntitlements (Path.GetFullPath (entitlements)),
+				});
+			}
+			return rv;
+		}
+
 		public static string [] GetEmbedEntitlementsInExecutableLinkerFlags (string entitlements)
 		{
 			if (string.IsNullOrEmpty (entitlements))
@@ -258,6 +272,21 @@ public static string [] GetEmbedEntitlementsInExecutableLinkerFlags (string enti
 			};
 		}
 
+		string ConvertEntitlementsToDerEntitlements (string entitlements)
+		{
+			var derEntitlements = entitlements + ".der";
+			var arguments = new List<string> () {
+				"derq",
+				"query",
+				"-f", "xml",
+				"-i", entitlements,
+				"-o", derEntitlements,
+				"--raw",
+			};
+			ExecuteAsync ("xcrun", arguments, sdkDevPath: SdkDevPath).Wait ();
+			return derEntitlements;
+		}
+
 		static bool EntitlementsRequireLinkerFlags (string path)
 		{
 			try {

msbuild/Xamarin.Shared/Xamarin.Shared.props

@@ -135,14 +135,12 @@ Copyright (C) 2020 Microsoft. All rights reserved.
 	</PropertyGroup>
 
 	<!-- RequireCodeSigning -->
-	<!-- iOS/watchOS/tvOS is simple: device builds require code signing, simulator builds do not. This is a big lie, for some simulator builds need to be signed, but the _DetectCodeSigning task handles those cases. -->
+	<!-- iOS/watchOS/tvOS is simple: device builds require code signing, simulator builds technically don't even though some important features won't work unless the app is signed (launch screen won't show for instance) -->
 	<PropertyGroup Condition="'$(_PlatformName)' != 'macOS' And '$(_PlatformName)' != 'MacCatalyst'">
 		<!-- Make it possible to override the default logic by setting EnableCodeSigning -->
 		<_RequireCodeSigning Condition="'$(_RequireCodeSigning)' == ''">$(EnableCodeSigning)</_RequireCodeSigning>
-		<!-- Device builds must be signed -->
-		<_RequireCodeSigning Condition="'$(_RequireCodeSigning)' == '' And '$(ComputedPlatform)' == 'iPhone'">true</_RequireCodeSigning>
-		<!-- Otherwise code signing is disabled by default (simulator builds)-->
-		<_RequireCodeSigning Condition="'$(_RequireCodeSigning)' == ''">false</_RequireCodeSigning>
+		<!-- Device builds must be signed, and some features won't work in the simulator if the app isn't signed (launch screen for instance), so default to always sign -->
+		<_RequireCodeSigning Condition="'$(_RequireCodeSigning)' == ''">true</_RequireCodeSigning>
 	</PropertyGroup>
 	<!-- macOS is a bit more complicated:
 		* 'EnableCodeSigning' specifies whether the app is signed or not, and this defaults to false if it's not set.

tests/dotnet/UnitTests/BundleStructureTest.cs

@@ -595,7 +595,7 @@ public enum CodeSignature {
 		[Test]
 		// Debug
 		[TestCase (ApplePlatform.iOS, "ios-arm64", CodeSignature.All, "Debug")]
-		[TestCase (ApplePlatform.iOS, "iossimulator-x64", CodeSignature.Frameworks, "Debug")]
+		[TestCase (ApplePlatform.iOS, "iossimulator-x64", CodeSignature.All, "Debug")]
 		[TestCase (ApplePlatform.MacCatalyst, "maccatalyst-x64", CodeSignature.All, "Debug")]
 		[TestCase (ApplePlatform.MacCatalyst, "maccatalyst-x64;maccatalyst-arm64", CodeSignature.All, "Debug")]
 		[TestCase (ApplePlatform.MacOSX, "osx-x64", CodeSignature.Frameworks, "Debug")]

tests/monotouch-test/dotnet/shared.csproj

@@ -16,6 +16,9 @@
     <!-- Don't remove native symbols, because it makes debugging native crashes harder -->
     <MtouchNoSymbolStrip>true</MtouchNoSymbolStrip>
 
+    <CodesignEntitlements Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'iOS' ">$(MonoTouchTestDirectory)\Entitlements.plist</CodesignEntitlements>
+    <CodesignEntitlements Condition="$([MSBuild]::GetTargetPlatformIdentifier('$(TargetFramework)')) == 'tvOS'">$(MonoTouchTestDirectory)\Entitlements.plist</CodesignEntitlements>
+
     <DefineConstants Condition="'$(Configuration)' == 'Debug'">$(DefineConstants);DEBUG</DefineConstants>
 
     <!-- warning CA1422: This call site is reachable on: '...': we use APIs that aren't available on a certain OS platform all the time (in some cases to verify any broken behavior), so ignore such warnings -->