Getting native binaries and executables entitled for notarization

[jcagme]

As per the "Getting .NET Core ready for Mac OS Catalina" email we need to add a flag and entitlements to native binaries and executables to get them ready for notarization.

The steps needed are:

1. Add a plist which sets CSFlags to 65536. This is used to preserve the codesign flag “-o runtime” when codesign is called on it. We’d need to do “ld -sectcreate _TEXT __info_plist plist_name.plist”. This is what the Edge team did.
2. Add entitlements. “codesign –entitlements ”. Here we need two things:
   a. Define what entitlements are needed. This enumerates all the supported options. From what I saw I think we need something like: (to be verified by the product teams)

    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>

b. Determine what binaries need to be entitled

ETA for this work is November when we release 3.1

fyi: @wfurt @danmosemsft

[wfurt]

what exactly this does? Do we have any plans for self-contained applications? (at least docs)

This may be related to behavior seen in #30426.

[jcagme]

This issue is only around Notarization. We need all the native binaries and runtimes packed into the dotnet SDK and runtime pkgs to have entitlements so when we sign them they are hardened. Having assets signed and hardened is a requirement to get the pkgs notarized so when they are downloaded they are not flagged as malware and users can install them without a problem.

This seems unrelated to #30426 which is more of the internals on how we deal with security (I think?)

[wfurt]

thanks for explanation and links @jcagme

[safern]

Marking as 3.0 as this is high PRI. I’ll be OOF starting Thursday so I think it would be good for someone else to take this one.

cc: @ericstj @ViktorHofer

[ViktorHofer]

@jcagme we discussed that in our infra stand-up and we aren't sure what the action for corefx is here. Can you please provide more details? Thanks

[ericstj]

Ping @jcagme can you please clarify what you need CoreFx to do for this? Is there work that needs to happen in CoreFx or is this just tracking changes to the signing infrastructure that we need to ingest into corefx and use in our builds. Thanks!

[jcagme]

It was created with corefx adding entitlements in mind but it looks like that won't be needed and the only work will be on the infra side to get things in the runtime and sdk signed and ready for notarization. I'm closing this now and open a new one in case more work on your side is needed.