-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use the managed signer to remove the code signature from singlefile bundles #110063
Conversation
Tagging subscribers to this area: @vitek-karas, @agocke |
Tagging subscribers to this area: @agocke, @vitek-karas, @VSadov |
Was it due to some unintentional refactoring? SingleFile was a no-diff in #108992 because it required follow-up work. I understand that ultimately we want to use managed codesign everywhere, just trying to understand do we know what went wrong? |
Nothing went wrong, we would only end up with an invalid signature if we merge the SDK PR (dotnet/sdk#45019) before this. HostWriter.CreateAppHost would create a signed SingleFile host on Windows or Linux, but then Bundler wouldn't remove it before creating the bundle, since it only does signing tasks with |
src/installer/managed/Microsoft.NET.HostModel/Bundle/Bundler.cs
Outdated
Show resolved
Hide resolved
src/installer/managed/Microsoft.NET.HostModel/Bundle/Bundler.cs
Outdated
Show resolved
Hide resolved
src/installer/tests/Microsoft.NET.HostModel.Tests/Bundle/BundlerConsistencyTests.cs
Show resolved
Hide resolved
- Add comment why single file hosts aren't signed on non-mac yet - Set length of file only if the signature is removed
src/installer/managed/Microsoft.NET.HostModel/Bundle/Bundler.cs
Outdated
Show resolved
Hide resolved
@@ -170,7 +170,7 @@ public static bool TryRemoveCodesign(MemoryMappedViewAccessor memoryMappedViewAc | |||
/// Removes the code signature load command and signature, and resizes the file if necessary. | |||
/// Returns true if the signature was removed, false otherwise. | |||
/// </summary> | |||
public static bool TryRemoveCodesign(FileStream bundle) | |||
public static void RemoveCodesign(FileStream bundle) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: this can be:
public static void RemoveCodesign(FileStream bundle)
{
// Windows doesn't allow a FileStream to be resized while the file is memory mapped, so we must dispose of the memory mapped file first.
using MemoryMappedFile mmap = MemoryMappedFile.CreateFromFile(bundle, null, 0, MemoryMappedFileAccess.ReadWrite, HandleInheritability.None, true);
using MemoryMappedViewAccessor accessor = mmap.CreateViewAccessor(0, 0, MemoryMappedFileAccess.ReadWrite);
if (TryRemoveCodesign(accessor, out long? newLength))
{
bundle.SetLength(newLength.Value);
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe in else
case, we should throw InvalidOperationException("Unable to remove Codesign from bundle.")
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was getting failures on Windows when trying to resize the file length while the memory mapped file was still open, so the SetLength has to come after the using
block.
The TryRemoveCodesign will only return false if the file isn't a Mach-O binary or there already isn't a signature present. We could throw if it's not a Mach-O, but I don't think it's a failure if the signature isn't present. Maybe we could rename both to RemoveSignatureIfExists
instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, alright. I think RemoveSignatureIfExists
makes sense. If algorithmically we can tell that there is going to be a signature before calling this method, then we can simply throw the exception when TryRemoveCodesign
fails (i.e. failure mode is something other than signature wasn't present).
…undles (dotnet#110063) Since the bundler uses `codesign` to remove the signature, we end up with an invalid signature for single file osx executables on non-Mac hosts rather than no signature at all. This PR updates the bundler to use the managed signer to remove the signature. Signing bundles requires a little more thought and effort since the headers/load commands need to be updated to include the bundle data in the file. This will be done in a separate PR.
When working on using the managed Mac signer in the SDK on non-mac hosts, I found that since the bundler uses codesign to remove the signature, we end up with an invalid signature for single file osx executables. This PR updates the bundler to use the managed signer to remove the signature.
Signing bundles requires a little more thought and effort since the headers/load commands need to be updated to include the bundle data in the file. This will be done in a separate PR.
Part of #110055.