Skip to content

Use managed signer for bundles #110417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Apr 2, 2025
Merged

Use managed signer for bundles #110417

merged 19 commits into from
Apr 2, 2025

Conversation

jtschuster
Copy link
Member

@jtschuster jtschuster commented Dec 4, 2024
edited
Loading

Updates the single-file bundler to use the managed Mach-O signer. Adds the SymbolTable load command to the MachObjectFile class and adds a method to extend the symbol table to include the bundled data. Adds validation when creating a MachObjectFile from a file on disk.

Now that we don't use codesign for signing, it looks like the executables are sometimes getting killed by antivirus when tests try to run them immediately after they are modified, leading to flaky tests (locally at least). I'm looking into either retrying or running codesign -v before running the apps on Mac.
The issue wasn't AV, it was due to an issue with signature caching on Mac. The way to work around this is to create a new file with a new inode when modifying and resigning a file on disk. Basic host signing didn't run into this issue because it modifies and signs the executable in the same step, so no re-signing happened. For singlefile bundles, we previously would modify the apphost, close the file, then in a separate step, bundle the files and re-sign it. After this PR we create a new file every time we need to re-sign the host, then replace the old host with the new one.

Fixes #110055

@ghost ghost added the area-HostModel Microsoft.NET.HostModel issues label Dec 4, 2024
@jtschuster jtschuster added the NO-REVIEW Experimental/testing PR, do NOT review it label Dec 4, 2024
@jtschuster
Fix tests and write out symtab
0555c08 
- Write out the updated symtab command when writing Mach-O file
- Pass macosCodesign through to test CreateAppHost methods
- Remove redundant `codesign` checks
- Warn when bundler is told to sign the bundle for a non-macos target
@build-analysis build-analysis bot mentioned this pull request Dec 5, 2024
Closed
3 tasks
@jtschuster jtschuster removed the NO-REVIEW Experimental/testing PR, do NOT review it label Dec 9, 2024
Copilot
Copilot AI reviewed Dec 9, 2024
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 5 out of 12 changed files in this pull request and generated 2 suggestions.

Files not reviewed (7)
  • src/installer/managed/Microsoft.NET.HostModel/AppHost/MachOUtils.cs: Evaluated as low risk
  • src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs: Evaluated as low risk
  • src/installer/tests/TestUtils/TestApp.cs: Evaluated as low risk
  • src/installer/managed/Microsoft.NET.HostModel/MachO/MachOFormatError.cs: Evaluated as low risk
  • src/installer/tests/Microsoft.NET.HostModel.Tests/AppHost/CreateAppHost.cs: Evaluated as low risk
  • src/installer/managed/Microsoft.NET.HostModel/Bundle/Bundler.cs: Evaluated as low risk
  • src/installer/tests/TestUtils/SingleFileTestApp.cs: Evaluated as low risk
Comments skipped due to low confidence (2)

src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.cs:22

  • There is an extra semicolon at the end of the line.
uint csSize = CodeSignature.GetCodeSignatureSize(GetSignatureStart(), identifier);;

src/installer/tests/Microsoft.NET.HostModel.Tests/MachObjectSigning/SigningTests.cs:33

  • The 'MemoryMappedFileAccess.CopyOnWrite' might not be necessary for a read-only check. Consider using 'MemoryMappedFileAccess.Read' instead.
using (var managedSignedAccessor = memoryMappedFile.CreateViewAccessor(0, 0, MemoryMappedFileAccess.CopyOnWrite))

@jtschuster jtschuster marked this pull request as ready for review December 9, 2024 17:08
@jtschuster jtschuster changed the title CI test: Use managed signer for bundles Use managed signer for bundles Dec 10, 2024
elinor-fung
elinor-fung reviewed Dec 12, 2024
View reviewed changes
Copy link
Member

@elinor-fung elinor-fung left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that we don't use codesign for signing, it looks like the executables are sometimes getting killed by antivirus when tests try to run them immediately after they are modified, leading to flaky tests (locally at least). I'm looking into either retrying or running codesign -v before running the apps on Mac.

What was the end result here? Could a product scenario hit the same thing with running immediately after publish with signing?

@jtschuster
PR Feedback: Fomatting and comments
ec5b478
@jtschuster
PR feedback:
5c381c7 
- Use the same memory-mapped file instance for placeholder replacement
  and signing
- formatting changes
@jtschuster
Copy link
Member Author

What was the end result here?

It looks like the issue is probably related to modifying the exe in place: https://developer.apple.com/documentation/security/updating-mac-software#Update-Files-that-Include-Signed-Code

I'll update the code to use CopyOnWrite memory-mapped files, write a new file, then replace the old one.

@elinor-fung
Copy link
Member

What was the end result here?

It looks like the issue is probably related to modifying the exe in place: https://developer.apple.com/documentation/security/updating-mac-software#Update-Files-that-Include-Signed-Code

Ah, does it cache once the file is created? I had thought it would only cache when it is first run.

I'll update the code to use CopyOnWrite memory-mapped files, write a new file, then replace the old one.

I guess doing the inode check with codesign shows it replaces with an entirely new file? Matching that seems good.

@elinor-fung elinor-fung mentioned this pull request Dec 13, 2024
Merged
@jtschuster
Copy link
Member Author

What was the end result here?

It looks like the issue is probably related to modifying the exe in place: https://developer.apple.com/documentation/security/updating-mac-software#Update-Files-that-Include-Signed-Code

Ah, does it cache once the file is created? I had thought it would only cache when it is first run.

I'll update the code to use CopyOnWrite memory-mapped files, write a new file, then replace the old one.

I guess doing the inode check with codesign shows it replaces with an entirely new file? Matching that seems good.

It was still broken after changing the behavior to create a new inode. I had forgotten to update the VMSize field of the __LINKEDIT segment when creating the signature. The file size was larger than the VMSize, and that was causing sporadic crashes, but I only noticed it in the larger bundles with larger signatures. I left in the "copy to a temp file, edit, then replace" behavior anyway to make sure we match codesign's behavior.

@jtschuster jtschuster requested a review from elinor-fung January 3, 2025 17:51
elinor-fung
elinor-fung approved these changes Jan 7, 2025
View reviewed changes
@jtschuster jtschuster mentioned this pull request Jan 14, 2025
Closed
@am11 am11 mentioned this pull request Mar 26, 2025
Open
elinor-fung
elinor-fung approved these changes Mar 28, 2025
View reviewed changes
@jtschuster jtschuster merged commit edb0a06 into dotnet:main Apr 2, 2025
77 checks passed
@akoeplinger akoeplinger mentioned this pull request Apr 6, 2025
Open
@github-actions github-actions bot locked and limited conversation to collaborators May 3, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

Copilot code review Copilot Copilot left review comments

@elinor-fung elinor-fung elinor-fung approved these changes

Assignees

@jtschuster jtschuster

Labels

area-HostModel Microsoft.NET.HostModel issues

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SingleFile Bundler should use the managed Mach-O signer

2 participants

@jtschuster @elinor-fung