Use the managed signer to remove the code signature from singlefile bundles #110063
Conversation
|
Tagging subscribers to this area: @vitek-karas, @agocke |
|
Tagging subscribers to this area: @agocke, @vitek-karas, @VSadov |
Was it due to some unintentional refactoring? SingleFile was a no-diff in #108992 because it required follow-up work. I understand that ultimately we want to use managed codesign everywhere, just trying to understand do we know what went wrong? |
Nothing went wrong, we would only end up with an invalid signature if we merge the SDK PR (dotnet/sdk#45019) before this. HostWriter.CreateAppHost would create a signed SingleFile host on Windows or Linux, but then Bundler wouldn't remove it before creating the bundle, since it only does signing tasks with |
src/installer/managed/Microsoft.NET.HostModel/Bundle/Bundler.cs
Outdated
Show resolved
Hide resolved
src/installer/managed/Microsoft.NET.HostModel/Bundle/Bundler.cs
Outdated
Show resolved
Hide resolved
src/installer/tests/Microsoft.NET.HostModel.Tests/Bundle/BundlerConsistencyTests.cs
Show resolved
Hide resolved
- Add comment why single file hosts aren't signed on non-mac yet - Set length of file only if the signature is removed
src/installer/managed/Microsoft.NET.HostModel/Bundle/Bundler.cs
Outdated
Show resolved
Hide resolved
| @@ -170,7 +170,7 @@ public static bool TryRemoveCodesign(MemoryMappedViewAccessor memoryMappedViewAc | |||
| /// Removes the code signature load command and signature, and resizes the file if necessary. | |||
| /// Returns true if the signature was removed, false otherwise. | |||
| /// </summary> | |||
| public static bool TryRemoveCodesign(FileStream bundle) | |||
| public static void RemoveCodesign(FileStream bundle) | |||
There was a problem hiding this comment.
nit: this can be:
public static void RemoveCodesign(FileStream bundle)
{
// Windows doesn't allow a FileStream to be resized while the file is memory mapped, so we must dispose of the memory mapped file first.
using MemoryMappedFile mmap = MemoryMappedFile.CreateFromFile(bundle, null, 0, MemoryMappedFileAccess.ReadWrite, HandleInheritability.None, true);
using MemoryMappedViewAccessor accessor = mmap.CreateViewAccessor(0, 0, MemoryMappedFileAccess.ReadWrite);
if (TryRemoveCodesign(accessor, out long? newLength))
{
bundle.SetLength(newLength.Value);
}
}There was a problem hiding this comment.
Maybe in else case, we should throw InvalidOperationException("Unable to remove Codesign from bundle.").
There was a problem hiding this comment.
I was getting failures on Windows when trying to resize the file length while the memory mapped file was still open, so the SetLength has to come after the using block.
The TryRemoveCodesign will only return false if the file isn't a Mach-O binary or there already isn't a signature present. We could throw if it's not a Mach-O, but I don't think it's a failure if the signature isn't present. Maybe we could rename both to RemoveSignatureIfExists instead?
There was a problem hiding this comment.
Ah, alright. I think RemoveSignatureIfExists makes sense. If algorithmically we can tell that there is going to be a signature before calling this method, then we can simply throw the exception when TryRemoveCodesign fails (i.e. failure mode is something other than signature wasn't present).
When working on using the managed Mac signer in the SDK on non-mac hosts, I found that since the bundler uses codesign to remove the signature, we end up with an invalid signature for single file osx executables. This PR updates the bundler to use the managed signer to remove the signature.
Signing bundles requires a little more thought and effort since the headers/load commands need to be updated to include the bundle data in the file. This will be done in a separate PR.
Part of #110055.