Revert Entitlement related changes from #116659 #119824
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR reverts entitlement-related functionality from #116659 to improve security by not preserving entitlements by default in macOS code signing. The changes focus on removing entitlement blob support from the MachO signing infrastructure.
Key Changes
- Removes entitlement preservation logic from macOS code signing operations
- Eliminates entitlement-specific blob classes and enum values
- Simplifies signature size calculations by removing entitlement considerations
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| src/native/corehost/apphost/static/CMakeLists.txt | Removes entitlements from single file host signing |
| src/installer/tests/Microsoft.NET.HostModel.Tests/MachObjectSigning/SigningTests.cs | Removes entitlement-related tests and helper methods |
| src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.cs | Simplifies signing API by removing entitlement parameters |
| src/installer/managed/Microsoft.NET.HostModel/MachO/Enums/CodeDirectorySpecialSlot.cs | Removes entitlement enum values |
| src/installer/managed/Microsoft.NET.HostModel/MachO/Enums/BlobMagic.cs | Removes entitlement magic constants |
| src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/Blobs/EntitlementsBlob.cs | Deletes entire entitlements blob class |
| src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/Blobs/EmbeddedSignatureBlob.cs | Removes entitlement blob handling from signature creation |
| src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/Blobs/DerEntitlementsBlob.cs | Deletes entire DER entitlements blob class |
| src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/Blobs/CodeDirectoryBlob.cs | Removes entitlement hash calculations |
| src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/Blobs/BlobParser.cs | Removes entitlement blob parsing cases |
| src/installer/managed/Microsoft.NET.HostModel/Bundle/Bundler.cs | Updates bundle signing to not pass entitlement parameters |
|
Tagging subscribers to this area: @vitek-karas, @agocke |
agocke
reviewed
Sep 19, 2025
jkotas
approved these changes
Sep 19, 2025
|
/backport to release/10.0 |
|
Started backporting to release/10.0: https://github.com/dotnet/runtime/actions/runs/17871893425 |
4 tasks
xtqqczze
pushed a commit
to xtqqczze/dotnet-runtime
that referenced
this pull request
Sep 20, 2025
* Revert Entitlements related changes from dotnet#116659 * Re-add entitlements to singlefilehost * Typo --------- Co-authored-by: Andy Gocke <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Context: #119429
The entitlements for the apphost were preserved after #116659 for the reasons outlined in #113707. The primary reason was that when signing a Mac app with the hardened runtime setting, it wasn't clear that the entitlements needed to be reapplied. However, preserving the entitlements by default may keep more entitlements than is necessary, which is not the most secure default, and it can lead to issues like what was addressed in #119429. We should instead avoid preserving entitlements and add better documentation describing how to sign with the required entitlements.
This PR removes the Entitlements and DerEntitlements blobs, and removes reference to the entitlements blobs from all size calculations and equality operations. It is not a simple revert of #116659 because there were some other performance changes and tests not specific to the entitlements blobs in that PR.