Use the managed signer to remove the code signature from singlefile bundles (#110063)

Since the bundler uses `codesign` to remove the signature, we end up with an invalid signature for single file osx executables on non-Mac hosts rather than no signature at all. This PR updates the bundler to use the managed signer to remove the signature.

Signing bundles requires a little more thought and effort since the headers/load commands need to be updated to include the bundle data in the file. This will be done in a separate PR.

Author: jtschuster

src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs

@@ -153,7 +153,7 @@ void RewriteAppHost(MemoryMappedFile mappedFile, MemoryMappedViewAccessor access
                                     MachObjectFile machObjectFile = MachObjectFile.Create(memoryMappedViewAccessor);
                                     appHostLength = machObjectFile.CreateAdHocSignature(memoryMappedViewAccessor, fileName);
                                 }
-                                else if (MachObjectFile.TryRemoveCodesign(memoryMappedViewAccessor, out long? length))
+                                else if (MachObjectFile.RemoveCodeSignatureIfPresent(memoryMappedViewAccessor, out long? length))
                                 {
                                     appHostLength = length.Value;
                                 }

src/installer/managed/Microsoft.NET.HostModel/Bundle/Bundler.cs

@@ -6,11 +6,14 @@
 using System.Diagnostics;
 using System.IO;
 using System.IO.Compression;
+using System.IO.MemoryMappedFiles;
 using System.Linq;
 using System.Reflection.PortableExecutable;
 using System.Runtime.InteropServices;
+using System.Text;
 using Microsoft.DotNet.CoreSetup;
 using Microsoft.NET.HostModel.AppHost;
+using Microsoft.NET.HostModel.MachO;
 
 namespace Microsoft.NET.HostModel.Bundle
 {
@@ -92,7 +95,7 @@ private bool ShouldCompress(FileType type)
         /// startOffset: offset of the start 'file' within 'bundle'
         /// compressedSize: size of the compressed data, if entry was compressed, otherwise 0
         /// </returns>
-        private (long startOffset, long compressedSize) AddToBundle(Stream bundle, FileStream file, FileType type)
+        private (long startOffset, long compressedSize) AddToBundle(FileStream bundle, FileStream file, FileType type)
         {
             long startOffset = bundle.Position;
             if (ShouldCompress(type))
@@ -273,22 +276,20 @@ public string GenerateBundle(IReadOnlyList<FileSpec> fileSpecs)
 
             BinaryUtils.CopyFile(hostSource, bundlePath);
 
-            if (_target.IsOSX && RuntimeInformation.IsOSPlatform(OSPlatform.OSX) && Codesign.IsAvailable)
-            {
-                Codesign.Run("--remove-signature", bundlePath);
-            }
-
             // Note: We're comparing file paths both on the OS we're running on as well as on the target OS for the app
             // We can't really make assumptions about the file systems (even on Linux there can be case insensitive file systems
             // and vice versa for Windows). So it's safer to do case sensitive comparison everywhere.
             var relativePathToSpec = new Dictionary<string, FileSpec>(StringComparer.Ordinal);
 
             long headerOffset = 0;
-            using (BinaryWriter writer = new BinaryWriter(File.OpenWrite(bundlePath)))
+            using (FileStream bundle = File.Open(bundlePath, FileMode.Open, FileAccess.ReadWrite))
+            using (BinaryWriter writer = new BinaryWriter(bundle, Encoding.Default, leaveOpen: true))
             {
-                Stream bundle = writer.BaseStream;
+                if (_target.IsOSX)
+                {
+                    MachObjectFile.RemoveCodeSignatureIfPresent(bundle);
+                }
                 bundle.Position = bundle.Length;
-
                 foreach (var fileSpec in fileSpecs)
                 {
                     string relativePath = fileSpec.BundleRelativePath;

src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.cs

@@ -143,7 +143,7 @@ public static bool IsMachOImage(string filePath)
     /// <param name="memoryMappedViewAccessor">The file to remove the signature from.</param>
     /// <param name="newLength">The new length of the file if the signature is remove and the method returns true</param>
     /// <returns>True if a signature was present and removed, false otherwise</returns>
-    public static bool TryRemoveCodesign(MemoryMappedViewAccessor memoryMappedViewAccessor, out long? newLength)
+    public static bool RemoveCodeSignatureIfPresent(MemoryMappedViewAccessor memoryMappedViewAccessor, out long? newLength)
     {
         newLength = null;
         if (!IsMachOImage(memoryMappedViewAccessor))
@@ -166,6 +166,25 @@ public static bool TryRemoveCodesign(MemoryMappedViewAccessor memoryMappedViewAc
         return true;
     }
 
+    /// <summary>
+    /// Removes the code signature load command and signature, and resizes the file if necessary.
+    /// </summary>
+    public static void RemoveCodeSignatureIfPresent(FileStream bundle)
+    {
+        long? newLength;
+        bool resized;
+        // Windows doesn't allow a FileStream to be resized while the file is memory mapped, so we must dispose of the memory mapped file first.
+        using (MemoryMappedFile mmap = MemoryMappedFile.CreateFromFile(bundle, null, 0, MemoryMappedFileAccess.ReadWrite, HandleInheritability.None, true))
+        using (MemoryMappedViewAccessor accessor = mmap.CreateViewAccessor(0, 0, MemoryMappedFileAccess.ReadWrite))
+        {
+            resized = RemoveCodeSignatureIfPresent(accessor, out newLength);
+        }
+        if (resized)
+        {
+            bundle.SetLength(newLength.Value);
+        }
+    }
+
     /// <summary>
     /// Returns true if the two signed MachObjectFiles are equivalent.
     /// Since the entire file isn't store in the object, the code signature is required.

src/installer/tests/Microsoft.NET.HostModel.Tests/AppHost/CreateAppHost.cs

@@ -485,12 +485,23 @@ private void ResourceWithUnknownLanguage()
             }
         }
 
-        private static readonly byte[] s_placeholderData = AppBinaryPathPlaceholderSearchValue.Concat(DotNetSearchPlaceholderValue).ToArray();
+        private static readonly byte[] s_apphostPlaceholderData = AppBinaryPathPlaceholderSearchValue.Concat(DotNetSearchPlaceholderValue).ToArray();
+        private static readonly byte[] s_singleFileApphostPlaceholderData = {
+            // 8 bytes represent the bundle header-offset
+            // Zero for non-bundle apphosts (default).
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            // 32 bytes represent the bundle signature: SHA-256 for ".net core bundle"
+            0x8b, 0x12, 0x02, 0xb9, 0x6a, 0x61, 0x20, 0x38,
+            0x72, 0x7b, 0x93, 0x02, 0x14, 0xd7, 0xa0, 0x32,
+            0x13, 0xf5, 0xb9, 0xe6, 0xef, 0xae, 0x33, 0x18,
+            0xee, 0x3b, 0x2d, 0xce, 0x24, 0xb3, 0x6a, 0xae
+        };
+
         /// <summary>
         /// Prepares a mock executable file with the AppHost placeholder embedded in it.
         /// This file will not run, but can be used to test HostWriter and signing process.
         /// </summary>
-        public static string PrepareMockMachAppHostFile(string directory)
+        public static string PrepareMockMachAppHostFile(string directory, bool singleFile = false)
         {
             string fileName = "MockAppHost.mach.o";
             string outputFilePath = Path.Combine(directory, fileName);
@@ -501,7 +512,7 @@ public static string PrepareMockMachAppHostFile(string directory)
                 // Add the placeholder - it just needs to exist somewhere in the image
                 // We'll put it at 4096 bytes into the file - this should be in the middle of the __TEXT segment
                 managedSignFile.Position = 4096;
-                managedSignFile.Write(s_placeholderData);
+                managedSignFile.Write(singleFile ? s_singleFileApphostPlaceholderData : s_apphostPlaceholderData);
             }
             return outputFilePath;
         }

src/installer/tests/Microsoft.NET.HostModel.Tests/Bundle/BundlerConsistencyTests.cs

@@ -9,7 +9,11 @@
 
 using FluentAssertions;
 using Microsoft.DotNet.Cli.Build.Framework;
+using Microsoft.DotNet.CoreSetup;
 using Microsoft.DotNet.CoreSetup.Test;
+using Microsoft.NET.HostModel.AppHost.Tests;
+using Microsoft.NET.HostModel.MachO;
+using Microsoft.NET.HostModel.MachO.CodeSign.Tests;
 using Xunit;
 
 namespace Microsoft.NET.HostModel.Bundle.Tests
@@ -24,8 +28,8 @@ public BundlerConsistencyTests(SharedTestState fixture)
         }
 
         private static string BundlerHostName = Binaries.GetExeName(SharedTestState.AppName);
-        private Bundler CreateBundlerInstance(BundleOptions bundleOptions = BundleOptions.None, Version version = null, bool macosCodesign = true)
-            => new Bundler(BundlerHostName, sharedTestState.App.GetUniqueSubdirectory("bundle"), bundleOptions, targetFrameworkVersion: version, macosCodesign: macosCodesign);
+        private Bundler CreateBundlerInstance(BundleOptions bundleOptions = BundleOptions.None, Version version = null, bool macosCodesign = true, OSPlatform? targetOS = null)
+            => new Bundler(BundlerHostName, sharedTestState.App.GetUniqueSubdirectory("bundle"), bundleOptions, targetFrameworkVersion: version, macosCodesign: macosCodesign, targetOS: targetOS);
 
         [Fact]
         public void EnableCompression_Before60_Fails()
@@ -313,34 +317,38 @@ public void AssemblyAlignment()
         [Theory]
         [InlineData(true)]
         [InlineData(false)]
-        [PlatformSpecific(TestPlatforms.OSX)]
-        public void Codesign(bool shouldCodesign)
+        public void MacOSBundleIsCodeSigned(bool shouldCodesign)
         {
             TestApp app = sharedTestState.App;
             FileSpec[] fileSpecs = new FileSpec[]
             {
-                new FileSpec(Binaries.AppHost.FilePath, BundlerHostName),
+                new FileSpec(CreateAppHost.PrepareMockMachAppHostFile(app.Location, singleFile: true), BundlerHostName),
                 new FileSpec(app.AppDll, Path.GetRelativePath(app.Location, app.AppDll)),
                 new FileSpec(app.DepsJson, Path.GetRelativePath(app.Location, app.DepsJson)),
                 new FileSpec(app.RuntimeConfigJson, Path.GetRelativePath(app.Location, app.RuntimeConfigJson)),
             };
 
-            Bundler bundler = CreateBundlerInstance(macosCodesign: shouldCodesign);
+            Bundler bundler = CreateBundlerInstance(targetOS: OSPlatform.OSX, macosCodesign: shouldCodesign);
             string bundledApp = bundler.GenerateBundle(fileSpecs);
 
-            // Check if the file is signed
-            CommandResult result = Command.Create("codesign", $"-v {bundledApp}")
-                .CaptureStdErr()
-                .CaptureStdOut()
-                .Execute(expectedToFail: !shouldCodesign);
+            if (!RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
+            {
+                // SingleFile is still only signed on MacOS with codesign
+                SigningTests.IsSigned(bundledApp).Should().BeFalse();
+                return;
+            }
 
+            // Check if the file is signed
+            var result = Codesign.Run("-v", bundledApp);
             if (shouldCodesign)
             {
-                result.Should().Pass();
+                result.ExitCode.Should().Be(0);
             }
             else
             {
-                result.Should().Fail();
+                result.ExitCode.Should().NotBe(0);
+                // Ensure we can sign it again
+                Codesign.Run("-s -", bundledApp).ExitCode.Should().Be(0);
             }
         }
 

src/installer/tests/Microsoft.NET.HostModel.Tests/MachObjectSigning/SigningTests.cs

@@ -228,13 +228,7 @@ internal static void RemoveSignature(string originalFilePath, string removedSign
                 var destinationFileName = Path.GetFileName(removedSignaturePath);
                 var appHostSignedLength = appHostLength + MachObjectFile.GetSignatureSizeEstimate((uint)appHostLength, destinationFileName);
 
-                using (MemoryMappedFile memoryMappedFile = MemoryMappedFile.CreateFromFile(appHostDestinationStream, null, appHostSignedLength, MemoryMappedFileAccess.ReadWrite, HandleInheritability.None, true))
-                using (MemoryMappedViewAccessor memoryMappedViewAccessor = memoryMappedFile.CreateViewAccessor(0, appHostSignedLength, MemoryMappedFileAccess.ReadWrite))
-                {
-                    if (MachObjectFile.TryRemoveCodesign(memoryMappedViewAccessor, out long? newLength))
-                        appHostLength = newLength.Value;
-                }
-                appHostDestinationStream.SetLength(appHostLength);
+                MachObjectFile.RemoveCodeSignatureIfPresent(appHostDestinationStream);
             }
         }
     }