swiftlang · owenv · Nov 16, 2025 · Nov 15, 2025 · Nov 15, 2025 · jakepetroules
@@ -331,7 +331,7 @@ public protocol TaskActionCreationDelegate
     func createLinkAssetCatalogTaskAction() -> any PlannedTaskAction
     func createLSRegisterURLTaskAction() -> any PlannedTaskAction
     func createODRAssetPackManifestTaskAction() -> any PlannedTaskAction
-    func createProcessProductEntitlementsTaskAction(scope: MacroEvaluationScope, mergedEntitlements: PropertyListItem, entitlementsVariant: EntitlementsVariant, destinationPlatformName: String, entitlementsFilePath: Path?, fs: any FSProxy) -> any PlannedTaskAction
+    func createProcessProductEntitlementsTaskAction(mergedEntitlements: PropertyListItem, entitlementsVariant: EntitlementsVariant, allowEntitlementsModification: Bool, entitlementsDestination: EntitlementsDestination, destinationPlatformName: String, entitlementsFilePath: Path?, fs: any FSProxy) -> any PlannedTaskAction
     func createProcessProductProvisioningProfileTaskAction() -> any PlannedTaskAction
     func createRegisterExecutionPolicyExceptionTaskAction() -> any PlannedTaskAction
     func createSwiftHeaderToolTaskAction() -> any PlannedTaskAction

@@ -2876,7 +2876,7 @@ public enum StickerSharingLevel: String, Equatable, Hashable, EnumerationMacroTy
 }
 
 /// Enumeration macro type for the value of the `ENTITLEMENTS_DESTINATION` build setting.
-public enum EntitlementsDestination: String, Equatable, Hashable, EnumerationMacroType {
+public enum EntitlementsDestination: String, Equatable, Hashable, EnumerationMacroType, Serializable {
     public static let defaultValue = EntitlementsDestination.none
 
     case codeSignature = "Signature"

@@ -169,7 +169,11 @@ public final class ProductPackagingToolSpec : GenericCommandLineToolSpec, SpecId
         }
 
         // Create the task action, and then the task.
-        let action = delegate.taskActionCreationDelegate.createProcessProductEntitlementsTaskAction(scope: cbc.scope, mergedEntitlements: entitlements, entitlementsVariant: entitlementsVariant, destinationPlatformName: platform.name, entitlementsFilePath: codeSignEntitlementsInput?.absolutePath, fs: fs)
+        let action = delegate.taskActionCreationDelegate.createProcessProductEntitlementsTaskAction(mergedEntitlements: entitlements, entitlementsVariant: entitlementsVariant, allowEntitlementsModification: cbc.scope.evaluate(BuiltinMacros.CODE_SIGN_ALLOW_ENTITLEMENTS_MODIFICATION), entitlementsDestination: cbc.scope.evaluate(BuiltinMacros.ENTITLEMENTS_DESTINATION), destinationPlatformName: platform.name, entitlementsFilePath: codeSignEntitlementsInput?.absolutePath, fs: fs)
+        // The action records a timestamp representing the last modification date of the entitlements file, so changes to the input must invalidate the build description.
+        if let path = codeSignEntitlementsInput?.absolutePath {
+            delegate.access(path: path)
+        }
 
         delegate.createTask(type: self, ruleInfo: ["ProcessProductPackaging", codeSignEntitlementsInput?.absolutePath.str ?? "", outputPath.str], commandLine: commandLine, additionalOutput: additionalOutput, environment: environmentFromSpec(cbc, delegate), workingDirectory: cbc.producer.defaultWorkingDirectory, inputs: inputs.map(\.absolutePath), outputs: [ outputPath ], action: action, execDescription: resolveExecutionDescription(cbc, delegate), enableSandboxing: enableSandboxing)
     }

@@ -857,8 +857,8 @@ extension BuildSystemTaskPlanningDelegate: TaskActionCreationDelegate {
         return LSRegisterURLTaskAction()
     }
 
-    func createProcessProductEntitlementsTaskAction(scope: MacroEvaluationScope, mergedEntitlements: PropertyListItem, entitlementsVariant: EntitlementsVariant, destinationPlatformName: String, entitlementsFilePath: Path?, fs: any FSProxy) -> any PlannedTaskAction {
-        return ProcessProductEntitlementsTaskAction(scope: scope, fs: fs, entitlements: mergedEntitlements, entitlementsVariant: entitlementsVariant, destinationPlatformName: destinationPlatformName, entitlementsFilePath: entitlementsFilePath)
+    func createProcessProductEntitlementsTaskAction(mergedEntitlements: PropertyListItem, entitlementsVariant: EntitlementsVariant, allowEntitlementsModification: Bool, entitlementsDestination: EntitlementsDestination, destinationPlatformName: String, entitlementsFilePath: Path?, fs: any FSProxy) -> any PlannedTaskAction {
+        return ProcessProductEntitlementsTaskAction(fs: fs, entitlements: mergedEntitlements, entitlementsVariant: entitlementsVariant, allowEntitlementsModification: allowEntitlementsModification, entitlementsDestination: entitlementsDestination, destinationPlatformName: destinationPlatformName, entitlementsFilePath: entitlementsFilePath)
     }
 
     func createProcessProductProvisioningProfileTaskAction() -> any PlannedTaskAction {

@@ -21,16 +21,19 @@ public import SWBMacro
 /// Concrete implementation of task for processing product entitlements.
 public final class ProcessProductEntitlementsTaskAction: TaskAction
 {
-    /// The scope the task should use to evaluate build settings.
-    let scope: MacroEvaluationScope
-
     /// The merged entitlements.
     let entitlements: PropertyListItem
 
     /// When performing a simulator build, we will have both signed and simulated entitlements; this enum indicates which variant of entitlements this task action is processing.
     /// macOS and device builds will normally have only signed entitlements.
     let entitlementsVariant: EntitlementsVariant
 
+    /// Whether unsafe modification of entitlements during the build should be allowed.
+    let allowEntitlementsModification: Bool
+
+    /// The destination of the processed entitlements.
+    let entitlementsDestination: EntitlementsDestination
+
     /// The platform we're building for.
     let destinationPlatformName: String
 
@@ -42,12 +45,12 @@ public final class ProcessProductEntitlementsTaskAction: TaskAction
     /// The timestamp of the latest modification of the entitlements on `init`
     let entitlementsModificationTimestamp: Result<Date, StubError>?
 
-    public init(scope: MacroEvaluationScope, fs: any FSProxy, entitlements: PropertyListItem, entitlementsVariant: EntitlementsVariant, destinationPlatformName: String, entitlementsFilePath: Path?)
+    public init(fs: any FSProxy, entitlements: PropertyListItem, entitlementsVariant: EntitlementsVariant, allowEntitlementsModification: Bool, entitlementsDestination: EntitlementsDestination, destinationPlatformName: String, entitlementsFilePath: Path?)
     {
-        self.scope = scope
-
         self.entitlements = entitlements
         self.entitlementsVariant = entitlementsVariant
+        self.allowEntitlementsModification = allowEntitlementsModification
+        self.entitlementsDestination = entitlementsDestination
         self.destinationPlatformName = destinationPlatformName
         self.entitlementsFilePath = entitlementsFilePath
         if let entitlementsFilePath, fs.exists(entitlementsFilePath) {
@@ -257,7 +260,7 @@ public final class ProcessProductEntitlementsTaskAction: TaskAction
         // Updating entitlements is not something that is actively encouraged or supported, however, this is a compatibility pain point for certain projects that we need to maintain some ability to do this. A better approach is to plumb this through the system so that we can track this as a proper dependency mechanism, potentially through our virtual task producers... however, until then, we enable this functionality for those existing clients.
 
         // Also, we never modify the signed entitlements when building for simulators and ENTITLEMENTS_DESTINATION is __entitlements, since those are only expected to contain get-task-allow; see rdar://55324156.
-        let entitlementsVariantToModify: EntitlementsVariant = scope.evaluate(BuiltinMacros.ENTITLEMENTS_DESTINATION) == .entitlementsSection ? .simulated : .signed
+        let entitlementsVariantToModify: EntitlementsVariant = entitlementsDestination == .entitlementsSection ? .simulated : .signed
         let allowEntitlementsModification = entitlementsVariantToModify == entitlementsVariant
 
         var userModifiedEntitlements: PropertyListItem?
@@ -279,7 +282,7 @@ public final class ProcessProductEntitlementsTaskAction: TaskAction
             }
 
             if originalModificationTimestamp != currentModificationTimestamp {
-                if scope.evaluate(BuiltinMacros.CODE_SIGN_ALLOW_ENTITLEMENTS_MODIFICATION) == false {
+                if !self.allowEntitlementsModification {
                     outputDelegate.emitError("Entitlements file \"\(entitlementsFilePath.basename)\" was modified during the build, which is not supported. You can disable this error by setting 'CODE_SIGN_ALLOW_ENTITLEMENTS_MODIFICATION' to 'YES', however this may cause the built product's code signature or provisioning profile to contain incorrect entitlements.")
                     return .failed
                 }
@@ -391,12 +394,13 @@ public final class ProcessProductEntitlementsTaskAction: TaskAction
 
     public override func serialize<T: Serializer>(to serializer: T)
     {
-        serializer.serializeAggregate(7)
+        serializer.serializeAggregate(8)
         {
-            serializer.serialize(scope)
             // FIXME: <rdar://problem/40036582> We have no way to handle any errors in PropertyListItem.asBytes() here.
             serializer.serialize(try? entitlements.asBytes(.binary))
             serializer.serialize(entitlementsVariant)
+            serializer.serialize(allowEntitlementsModification)
+            serializer.serialize(entitlementsDestination)
             serializer.serialize(destinationPlatformName)
             serializer.serialize(entitlementsFilePath)
             serializer.serialize(entitlementsModificationTimestamp)
@@ -406,10 +410,11 @@ public final class ProcessProductEntitlementsTaskAction: TaskAction
 
     public required init(from deserializer: any Deserializer) throws
     {
-        try deserializer.beginAggregate(7)
-        self.scope = try deserializer.deserialize()
+        try deserializer.beginAggregate(8)
         self.entitlements = try PropertyList.fromBytes(try deserializer.deserialize())
         self.entitlementsVariant = try deserializer.deserialize()
+        self.allowEntitlementsModification = try deserializer.deserialize()
+        self.entitlementsDestination = try deserializer.deserialize()
         self.destinationPlatformName = try deserializer.deserialize()
         self.entitlementsFilePath = try deserializer.deserialize()
         self.entitlementsModificationTimestamp = try deserializer.deserialize()

@@ -180,8 +180,8 @@ extension CapturingTaskGenerationDelegate: TaskActionCreationDelegate {
         return LSRegisterURLTaskAction()
     }
 
-    package func createProcessProductEntitlementsTaskAction(scope: MacroEvaluationScope, mergedEntitlements: PropertyListItem, entitlementsVariant: EntitlementsVariant, destinationPlatformName: String, entitlementsFilePath: Path?, fs: any FSProxy) -> any PlannedTaskAction {
-        return ProcessProductEntitlementsTaskAction(scope: scope, fs: fs, entitlements: mergedEntitlements, entitlementsVariant: entitlementsVariant, destinationPlatformName: destinationPlatformName, entitlementsFilePath: entitlementsFilePath)
+    package func createProcessProductEntitlementsTaskAction(mergedEntitlements: PropertyListItem, entitlementsVariant: EntitlementsVariant, allowEntitlementsModification: Bool, entitlementsDestination: EntitlementsDestination, destinationPlatformName: String, entitlementsFilePath: Path?, fs: any FSProxy) -> any PlannedTaskAction {
+        return ProcessProductEntitlementsTaskAction(fs: fs, entitlements: mergedEntitlements, entitlementsVariant: entitlementsVariant, allowEntitlementsModification: allowEntitlementsModification, entitlementsDestination: entitlementsDestination, destinationPlatformName: destinationPlatformName, entitlementsFilePath: entitlementsFilePath)
     }
 
     package func createProcessProductProvisioningProfileTaskAction() -> any PlannedTaskAction {

@@ -408,8 +408,8 @@ extension TestTaskPlanningDelegate: TaskActionCreationDelegate {
         return LSRegisterURLTaskAction()
     }
 
-    package func createProcessProductEntitlementsTaskAction(scope: MacroEvaluationScope, mergedEntitlements: PropertyListItem, entitlementsVariant: EntitlementsVariant, destinationPlatformName: String, entitlementsFilePath: Path?, fs: any FSProxy) -> any PlannedTaskAction {
-        return ProcessProductEntitlementsTaskAction(scope: scope, fs: fs, entitlements: mergedEntitlements, entitlementsVariant: entitlementsVariant, destinationPlatformName: destinationPlatformName, entitlementsFilePath: entitlementsFilePath)
+    package func createProcessProductEntitlementsTaskAction(mergedEntitlements: PropertyListItem, entitlementsVariant: EntitlementsVariant, allowEntitlementsModification: Bool, entitlementsDestination: EntitlementsDestination, destinationPlatformName: String, entitlementsFilePath: Path?, fs: any FSProxy) -> any PlannedTaskAction {
+        return ProcessProductEntitlementsTaskAction(fs: fs, entitlements: mergedEntitlements, entitlementsVariant: entitlementsVariant, allowEntitlementsModification: allowEntitlementsModification, entitlementsDestination: entitlementsDestination, destinationPlatformName: destinationPlatformName, entitlementsFilePath: entitlementsFilePath)
     }
 
     package func createProcessProductProvisioningProfileTaskAction() -> any PlannedTaskAction {