Preserve entitlements in MacOS signer

src/installer/managed/Microsoft.NET.HostModel/AppHost/AppHostExceptions.cs

@@ -25,8 +25,8 @@ public sealed class AppHostMachOFormatException : AppHostUpdateException
     {
         public readonly MachOFormatError Error;
 
-        internal AppHostMachOFormatException(MachOFormatError error)
-            : base($"Failed to process MachO file: {error}")
+        internal AppHostMachOFormatException(MachOFormatError error, string message = "")
+            : base($"Failed to process MachO file: {error}. {message}")
         {
             Error = error;
         }

src/installer/managed/Microsoft.NET.HostModel/AppHost/BinaryUtils.cs

@@ -11,7 +11,7 @@ public static class BinaryUtils
     {
         internal static unsafe void SearchAndReplace(
             MemoryMappedViewAccessor accessor,
-            byte[] searchPattern,
+            ReadOnlySpan<byte> searchPattern,
             byte[] patternToReplace,
             bool pad0s = true)
         {
@@ -48,7 +48,7 @@ internal static unsafe void SearchAndReplace(
             }
         }
 
-        private static unsafe void Pad0(byte[] searchPattern, byte[] patternToReplace, byte* bytes, int offset)
+        private static unsafe void Pad0(ReadOnlySpan<byte> searchPattern, byte[] patternToReplace, byte* bytes, int offset)
         {
             if (patternToReplace.Length < searchPattern.Length)
             {
@@ -92,7 +92,7 @@ public static unsafe int SearchInFile(string filePath, byte[] searchPattern)
         }
 
         // See: https://en.wikipedia.org/wiki/Knuth%E2%80%93Morris%E2%80%93Pratt_algorithm
-        private static int[] ComputeKMPFailureFunction(byte[] pattern)
+        private static int[] ComputeKMPFailureFunction(ReadOnlySpan<byte> pattern)
         {
             int[] table = new int[pattern.Length];
             if (pattern.Length >= 1)
@@ -128,7 +128,7 @@ private static int[] ComputeKMPFailureFunction(byte[] pattern)
         }
 
         // See: https://en.wikipedia.org/wiki/Knuth%E2%80%93Morris%E2%80%93Pratt_algorithm
-        private static unsafe int KMPSearch(byte[] pattern, byte* bytes, long bytesLength)
+        private static unsafe int KMPSearch(ReadOnlySpan<byte> pattern, byte* bytes, long bytesLength)
         {
             int m = 0;
             int i = 0;
@@ -162,18 +162,6 @@ private static unsafe int KMPSearch(byte[] pattern, byte* bytes, long bytesLengt
             return -1;
         }
 
-        public static void CopyFile(string sourcePath, string destinationPath)
-        {
-            var destinationDirectory = new FileInfo(destinationPath).Directory.FullName;
-            if (!Directory.Exists(destinationDirectory))
-            {
-                Directory.CreateDirectory(destinationDirectory);
-            }
-
-            // Copy file to destination path so it inherits the same attributes/permissions.
-            File.Copy(sourcePath, destinationPath, overwrite: true);
-        }
-
         internal static void WriteToStream(MemoryMappedViewAccessor sourceViewAccessor, FileStream fileStream, long length)
         {
             int pos = 0;

src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs

@@ -121,10 +121,10 @@ void RewriteAppHost(MemoryMappedFile mappedFile, MemoryMappedViewAccessor access
                 {
                     bool isMachOImage;
                     // MacOS requires a new inode to be created when updating a signed file, so we'll delete the file and create a new one.
-                    if (File.Exists(appHostDestinationFilePath))
+                    if (enableMacOSCodeSign && File.Exists(appHostDestinationFilePath))
                         File.Delete(appHostDestinationFilePath);
 
-                    using (FileStream appHostDestinationStream = new FileStream(appHostDestinationFilePath, FileMode.CreateNew, FileAccess.ReadWrite))
+                    using (FileStream appHostDestinationStream = new FileStream(appHostDestinationFilePath, FileMode.Create, FileAccess.ReadWrite))
                     {
                         using (FileStream appHostSourceStream = new(appHostSourceFilePath, FileMode.Open, FileAccess.Read, FileShare.Read, bufferSize: 1))
                         {
@@ -151,12 +151,13 @@ void RewriteAppHost(MemoryMappedFile mappedFile, MemoryMappedViewAccessor access
                             RewriteAppHost(memoryMappedFile, memoryMappedViewAccessor);
                             if (isMachOImage)
                             {
+                                var file = new MemoryMappedMachOViewAccessor(memoryMappedViewAccessor);
+                                MachObjectFile machObjectFile = MachObjectFile.Create(file);
                                 if (enableMacOSCodeSign)
                                 {
-                                    MachObjectFile machObjectFile = MachObjectFile.Create(memoryMappedViewAccessor);
-                                    appHostLength = machObjectFile.CreateAdHocSignature(memoryMappedViewAccessor, destinationFileName);
+                                    appHostLength = machObjectFile.AdHocSignFile(file, destinationFileName);
                                 }
-                                else if (MachObjectFile.RemoveCodeSignatureIfPresent(memoryMappedViewAccessor, out long? length))
+                                else if (machObjectFile.RemoveCodeSignatureIfPresent(file, out long? length))
                                 {
                                     appHostLength = length.Value;
                                 }
@@ -190,84 +191,6 @@ void RewriteAppHost(MemoryMappedFile mappedFile, MemoryMappedViewAccessor access
             }
         }
 
-        /// <summary>
-        /// Set the current AppHost as a single-file bundle.
-        /// </summary>
-        /// <param name="appHostPath">The path of Apphost template, which has the place holder</param>
-        /// <param name="bundleHeaderOffset">The offset to the location of bundle header</param>
-        /// <param name="macosCodesign">Whether to ad-hoc sign the bundle as a Mach-O executable</param>
-        public static void SetAsBundle(
-            string appHostPath,
-            long bundleHeaderOffset,
-            bool macosCodesign = false)
-        {
-            byte[] bundleHeaderPlaceholder = {
-                // 8 bytes represent the bundle header-offset
-                // Zero for non-bundle apphosts (default).
-                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                // 32 bytes represent the bundle signature: SHA-256 for ".net core bundle"
-                0x8b, 0x12, 0x02, 0xb9, 0x6a, 0x61, 0x20, 0x38,
-                0x72, 0x7b, 0x93, 0x02, 0x14, 0xd7, 0xa0, 0x32,
-                0x13, 0xf5, 0xb9, 0xe6, 0xef, 0xae, 0x33, 0x18,
-                0xee, 0x3b, 0x2d, 0xce, 0x24, 0xb3, 0x6a, 0xae
-            };
-
-            // Re-write the destination apphost with the proper contents.
-            RetryUtil.RetryOnIOError(() =>
-            {
-                string tmpFile = null;
-                try
-                {
-                    // MacOS keeps a cache of file signatures. To avoid using the cached value,
-                    // we need to create a new inode with the contents of the old file, sign it,
-                    // and copy it the original file path.
-                    tmpFile = Path.GetTempFileName();
-                    using (FileStream newBundleStream = new FileStream(tmpFile, FileMode.Create, FileAccess.ReadWrite))
-                    {
-                        using (FileStream oldBundleStream = new FileStream(appHostPath, FileMode.Open, FileAccess.Read))
-                        {
-                            oldBundleStream.CopyTo(newBundleStream);
-                        }
-
-                        long bundleSize = newBundleStream.Length;
-                        long mmapFileSize = macosCodesign
-                            ? bundleSize + MachObjectFile.GetSignatureSizeEstimate((uint)bundleSize, Path.GetFileName(appHostPath))
-                            : bundleSize;
-                        using (MemoryMappedFile memoryMappedFile = MemoryMappedFile.CreateFromFile(newBundleStream, null, mmapFileSize, MemoryMappedFileAccess.ReadWrite, HandleInheritability.None, leaveOpen: true))
-                        using (MemoryMappedViewAccessor accessor = memoryMappedFile.CreateViewAccessor(0, 0, MemoryMappedFileAccess.ReadWrite))
-                        {
-                            BinaryUtils.SearchAndReplace(accessor,
-                                                        bundleHeaderPlaceholder,
-                                                        BitConverter.GetBytes(bundleHeaderOffset),
-                                                        pad0s: false);
-
-                            if (MachObjectFile.IsMachOImage(accessor))
-                            {
-                                var machObjectFile = MachObjectFile.Create(accessor);
-                                if (machObjectFile.HasSignature)
-                                    throw new AppHostMachOFormatException(MachOFormatError.SignNotRemoved);
-
-                                bool wasBundled = machObjectFile.TryAdjustHeadersForBundle((ulong)bundleSize, accessor);
-                                if (!wasBundled)
-                                    throw new InvalidOperationException("The single-file bundle was unable to be created. This is likely because the bundled content is too large.");
-
-                                if (macosCodesign)
-                                    bundleSize = machObjectFile.CreateAdHocSignature(accessor, Path.GetFileName(appHostPath));
-                            }
-                        }
-                        newBundleStream.SetLength(bundleSize);
-                    }
-                    File.Copy(tmpFile, appHostPath, overwrite: true);
-                    Chmod755(appHostPath);
-                }
-                finally
-                {
-                    if (tmpFile is not null)
-                        File.Delete(tmpFile);
-                }
-            });
-        }
-
         /// <summary>
         /// Check if the an AppHost is a single-file bundle
         /// </summary>
@@ -331,7 +254,7 @@ private static byte[] GetSearchOptionBytes(DotNetSearchOptions searchOptions)
             return searchOptionsBytes;
         }
 
-        private static void Chmod755(string pathName)
+        internal static void Chmod755(string pathName)
         {
             if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
                 return;

src/installer/managed/Microsoft.NET.HostModel/AppHost/PlaceHolderNotFoundInAppHostException.cs

@@ -16,5 +16,9 @@ public PlaceHolderNotFoundInAppHostException(byte[] pattern)
         {
             MissingPattern = pattern;
         }
+        public PlaceHolderNotFoundInAppHostException(ReadOnlySpan<byte> pattern)
+        {
+            MissingPattern = pattern.ToArray();
+        }
     }
 }

src/installer/managed/Microsoft.NET.HostModel/AssemblyAttributes.cs

@@ -14,3 +14,14 @@
         + "398c454307e8e33b8426143daec9f596"
         + "836f97c8f74750e5975c64e2189f45de"
         + "f46b2a2b1247adc3652bf5c308055da9")]
+[assembly: InternalsVisibleTo("HostActivation.Tests, PublicKey="
+        + "00240000048000009400000006020000"
+        + "00240000525341310004000001000100"
+        + "b5fc90e7027f67871e773a8fde8938c8"
+        + "1dd402ba65b9201d60593e96c492651e"
+        + "889cc13f1415ebb53fac1131ae0bd333"
+        + "c5ee6021672d9718ea31a8aebd0da007"
+        + "2f25d87dba6fc90ffd598ed4da35e44c"
+        + "398c454307e8e33b8426143daec9f596"
+        + "836f97c8f74750e5975c64e2189f45de"
+        + "f46b2a2b1247adc3652bf5c308055da9")]