
jtschuster
Member

@jtschuster jtschuster commented Jun 13, 2025

Preserves entitlements in the signature when signing with the managed signer. Works on regular apphost and singlefile apphost.

Adds EntitlementsBlob and DerEntitlementsBlob, and updates relevant code to include these blobs.
Adds an EmbeddedSignatureBlob to signing methods to preserve the entitlements from the previous signature.
Precalculates the maximum length required for the new apphost / bundle and allocates a memory-mapped file in memory, copies / modifies the file, then writes out the final length of the file.
Adds tests to ensure the inode of the apphost changes when CreateAppHost / GenerateBundle creates a new apphost/bundle to ensure the macOS signature cache is dirtied.

@github-actions github-actions bot added the area-HostModel Microsoft.NET.HostModel issues label Jun 13, 2025
Contributor

Tagging subscribers to this area: @vitek-karas, @agocke
See info in area-owners.md if you want to be subscribed.

@jtschuster jtschuster marked this pull request as ready for review June 14, 2025 01:15
@Copilot Copilot AI review requested due to automatic review settings June 14, 2025 01:15
Copilot

This comment was marked as outdated.

- use explicit types for "using" statements
- Make CodeDirectoryHeader fields private and expose properties that convert them from bigendian
- Reenable codesign hash checks in tests
- improve readability
@jtschuster jtschuster requested a review from Copilot June 25, 2025 18:38
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR introduces changes to preserve entitlements in the managed Mach‑O signer for macOS app hosts. Key changes include adjustments in the native CMake build file to conditionally include entitlements‐based signing; modifications to tests and signing utilities (e.g. Codesign, MachObjectFile, and related blobs) to support new EntitlementsBlob and DerEntitlementsBlob; and updates to the bundle and manifest code to accommodate the extended signature structure.

Reviewed Changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated no comments.

Summary per file (file: description):

- src/native/corehost/apphost/static/CMakeLists.txt: Adds conditional invocation of adhoc_sign_with_entitlements on macOS.
- src/installer/tests/*: Updates tests to use theory/member data for signing and rebundling; ensures signature cache clearing.
- src/installer/managed/Microsoft.NET.HostModel/MachO/*: Introduces EntitlementsBlob and DerEntitlementsBlob support and updates signature creation logic.
- src/installer/managed/Microsoft.NET.HostModel/Bundle/*: Adjusts bundle manifest and size calculations for new signature information.
- src/installer/managed/Microsoft.NET.HostModel/AppHost/*: Updates host rewriting and signing routines to integrate Mach-O signature updates.

Comments suppressed due to low confidence (3)

src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/Blobs/CodeDirectoryBlob.cs:153

  • The use of arithmetic on enum values (subtracting 1 from CodeDirectorySpecialSlot.DerEntitlements) to determine the array index may be fragile if the enum values are non‐sequential. Consider introducing an explicit mapping from enum values to array indices to improve maintainability.
            specialSlotHashes[(int)CodeDirectorySpecialSlot.DerEntitlements - 1] = hasher.ComputeHash(derStream.GetBuffer());

src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/Blobs/CodeDirectoryBlob.cs:161

  • Similarly, computing the array index by subtracting 1 from CodeDirectorySpecialSlot.Entitlements assumes a contiguous indexing scheme. A mapping structure would make the assignment clearer and more robust against future enum changes.
            specialSlotHashes[(int)CodeDirectorySpecialSlot.Entitlements - 1] = hasher.ComputeHash(entStream.GetBuffer());

src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/Blobs/EmbeddedSignatureBlob.cs:43

  • Consider adding an inline comment to clarify the intended blob ordering and how the additional entitlements blobs are factored into the blob count. This will help maintainers understand how changes to the signature structure affect the overall blob layout.
        int blobCount = 3 + (entitlementsBlob is not null ? 1 : 0) + (derEntitlementsBlob is not null ? 1 : 0);
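The suppressed review comments above concern how the hashes of the Entitlements and DerEntitlements blobs are placed in the CodeDirectory's special slots, and suggest an explicit slot mapping instead of enum arithmetic. What follows is an added Python model of that structure, written for this page; it is not code from the PR or from Microsoft.NET.HostModel. It builds a minimal ad-hoc embedded signature SuperBlob, hashes each entitlements blob into its special slot through an explicit slot-number map, re-signs for new code pages both with and without carrying the entitlements blobs across (the behaviour the PR adds), and checks the stored slot hashes against the blobs actually present. The blob magics and slot numbers are Apple's cs_blobs.h values; the identifier, entitlements plist, DER bytes and page hashes are constructed sample data, and the CodeDirectory is reduced to the header fields needed here.

```python
import hashlib
import struct

# Blob magics and slot types as defined in Apple's cs_blobs.h
CSMAGIC_REQUIREMENTS, CSMAGIC_CODEDIRECTORY = 0xFADE0C01, 0xFADE0C02
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_BLOBWRAPPER = 0xFADE0CC0, 0xFADE0B01
CSMAGIC_EMBEDDED_ENTITLEMENTS, CSMAGIC_EMBEDDED_DER_ENTITLEMENTS = 0xFADE7171, 0xFADE7172
CSSLOT_CODEDIRECTORY, CSSLOT_REQUIREMENTS, CSSLOT_ENTITLEMENTS, CSSLOT_ENTITLEMENTS_DER, CSSLOT_SIGNATURESLOT = 0, 2, 5, 7, 0x10000
# Explicit slot-type -> special-slot-number mapping, the alternative to enum arithmetic the review suggests
SPECIAL_SLOT_OF = {CSSLOT_REQUIREMENTS: 2, CSSLOT_ENTITLEMENTS: 5, CSSLOT_ENTITLEMENTS_DER: 7}
HASH_SIZE, CD_HEADER_LEN = 32, 88  # SHA-256 digest size; CodeDirectory v0x20400 header incl. magic and length

# Constructed sample inputs; not taken from any real binary
IDENT = b"example.apphost"
ENTITLEMENTS_PLIST = b'<plist version="1.0"><dict><key>com.apple.security.cs.allow-jit</key><true/></dict></plist>'
ENTITLEMENTS_DER = b"\x30\x03\x02\x01\x01"  # stand-in DER SEQUENCE { INTEGER 1 }, not a real entitlements encoding

def blob(magic, payload):
    """Generic CS blob: big-endian magic and total length, then the payload."""
    return struct.pack(">II", magic, 8 + len(payload)) + payload

def build_code_directory(ident, special, code_hashes):
    """special maps slot type -> blob bytes; each blob's SHA-256 goes in its special slot.
    Special slots sit just before hashOffset, slot -n at hashOffset - n*HASH_SIZE."""
    n_special = max(SPECIAL_SLOT_OF[t] for t in special) if special else 0
    ident = ident + b"\0"
    hash_off = CD_HEADER_LEN + len(ident) + n_special * HASH_SIZE
    slots = bytearray(n_special * HASH_SIZE)  # slots with no blob stay all-zero
    for slot_type, b in special.items():
        start = (n_special - SPECIAL_SLOT_OF[slot_type]) * HASH_SIZE
        slots[start:start + HASH_SIZE] = hashlib.sha256(b).digest()
    body = struct.pack(">IIIIIIIBBBBIIIIQQQQ",
                       0x20400, 0x2,                              # version, flags (CS_ADHOC)
                       hash_off, CD_HEADER_LEN, n_special,         # hashOffset, identOffset, nSpecialSlots
                       len(code_hashes), len(code_hashes) * 4096,  # nCodeSlots, codeLimit
                       HASH_SIZE, 2, 0, 12,                       # hashSize, hashType SHA-256, platform, log2 pageSize
                       0, 0, 0, 0, 0, 0, 0, 0)                    # spare2, scatter/team offsets, spare3, 64-bit fields
    return blob(CSMAGIC_CODEDIRECTORY, body + ident + bytes(slots) + b"".join(code_hashes))

def build_embedded_signature(cd, blobs):
    """SuperBlob: header, (type, offset) index sorted by slot type, then the blobs in that order."""
    entries = [(CSSLOT_CODEDIRECTORY, cd)] + sorted(blobs.items())
    payload_start = 12 + 8 * len(entries)
    index, payload = b"", b""
    for slot_type, b in entries:
        index += struct.pack(">II", slot_type, payload_start + len(payload))
        payload += b
    header = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, payload_start + len(payload), len(entries))
    return header + index + payload

def parse_embedded_signature(sig):
    """Return slot type -> blob bytes for every entry in the SuperBlob index."""
    magic, length, count = struct.unpack_from(">III", sig, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length != len(sig):
        raise ValueError("not a well-formed embedded signature")
    parts = {}
    for i in range(count):
        slot_type, off = struct.unpack_from(">II", sig, 12 + 8 * i)
        parts[slot_type] = sig[off:off + struct.unpack_from(">I", sig, off + 4)[0]]
    return parts

def verify_special_slot(sig, slot_type):
    """True only if the blob is present and its SHA-256 equals the CodeDirectory's special slot."""
    parts = parse_embedded_signature(sig)
    cd = parts[CSSLOT_CODEDIRECTORY]
    hash_off, _ident_off, n_special = struct.unpack_from(">III", cd, 16)
    n = SPECIAL_SLOT_OF[slot_type]
    if slot_type not in parts or n > n_special:
        return False  # blob dropped, or the CodeDirectory never covered that slot
    stored = cd[hash_off - n * HASH_SIZE:hash_off - (n - 1) * HASH_SIZE]
    return stored == hashlib.sha256(parts[slot_type]).digest()

def sign(special, code_hashes):
    """Ad-hoc signature: CodeDirectory over the code pages and `special`, plus an empty CMS wrapper."""
    cd = build_code_directory(IDENT, special, code_hashes)
    return build_embedded_signature(cd, {**special, CSSLOT_SIGNATURESLOT: blob(CSMAGIC_BLOBWRAPPER, b"")})

def resign(old_sig, code_hashes, preserve_entitlements):
    """Re-sign rewritten code pages, optionally carrying the old entitlements blobs across."""
    old = parse_embedded_signature(old_sig)
    keep = [CSSLOT_REQUIREMENTS] + ([CSSLOT_ENTITLEMENTS, CSSLOT_ENTITLEMENTS_DER] if preserve_entitlements else [])
    return sign({t: old[t] for t in keep if t in old}, code_hashes)

def demo():
    pages = [hashlib.sha256(b"original page %d" % i).digest() for i in range(3)]
    special = {CSSLOT_REQUIREMENTS: blob(CSMAGIC_REQUIREMENTS, struct.pack(">I", 0)),
               CSSLOT_ENTITLEMENTS: blob(CSMAGIC_EMBEDDED_ENTITLEMENTS, ENTITLEMENTS_PLIST),
               CSSLOT_ENTITLEMENTS_DER: blob(CSMAGIC_EMBEDDED_DER_ENTITLEMENTS, ENTITLEMENTS_DER)}
    original = sign(special, pages)
    new_pages = [hashlib.sha256(b"rewritten page %d" % i).digest() for i in range(4)]
    preserved = resign(original, new_pages, preserve_entitlements=True)
    dropped = resign(original, new_pages, preserve_entitlements=False)
    tampered = original.replace(b"allow-jit", b"allow-JIT")  # same-length edit, CodeDirectory not updated
    return {"preserved_ok": verify_special_slot(preserved, CSSLOT_ENTITLEMENTS) and verify_special_slot(preserved, CSSLOT_ENTITLEMENTS_DER),
            "preserved_plist": parse_embedded_signature(preserved)[CSSLOT_ENTITLEMENTS] == special[CSSLOT_ENTITLEMENTS],
            "dropped_ok": verify_special_slot(dropped, CSSLOT_ENTITLEMENTS),
            "tampered_ok": verify_special_slot(tampered, CSSLOT_ENTITLEMENTS)}

if __name__ == "__main__":
    print(demo())
```

The two negative cases are the ones a verifier of a rewritten apphost would flag: a re-sign that rebuilds the CodeDirectory without the entitlements blobs leaves no slot for them at all, and an in-place edit of the entitlements XML without recomputing the CodeDirectory leaves a slot hash that no longer matches the blob. Keeping the slot numbers in one explicit map, as the review suggests, also means the array index calculation lives in a single place rather than being repeated as `(int)Slot - 1` at each assignment.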

Member

@agocke agocke left a comment


LGTM

- Remove ConditionAttribute on test
- Use File.SetUnixFileMode
@jtschuster jtschuster enabled auto-merge (squash) July 2, 2025 22:09
@jtschuster jtschuster merged commit b79c4fb into dotnet:main Jul 2, 2025
148 of 153 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Aug 2, 2025


Development

Successfully merging this pull request may close these issues:

- Codesigning the apphost on macOS should preserve entitlements
- Why it won't work on macOS 15.0
