Add entitlements to roslyn apphosts #3052
/backport to main |
|
Started backporting to main: https://github.com/dotnet/dotnet/actions/runs/18728375732 |
|
@jkoritzinsky backporting to "main" failed, the patch most likely resulted in conflicts:
$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch
Applying: Add entitlements to roslyn apphosts
.git/rebase-apply/patch:37: trailing whitespace.
warning: 1 line adds whitespace errors.
Using index info to reconstruct a base tree...
M src/sdk/src/Layout/redist/targets/GenerateLayout.targets
Falling back to patching base and 3-way merge...
Auto-merging src/sdk/src/Layout/redist/targets/GenerateLayout.targets
CONFLICT (content): Merge conflict in src/sdk/src/Layout/redist/targets/GenerateLayout.targets
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Add entitlements to roslyn apphosts
Error: The process '/usr/bin/git' failed with exit code 128
Please backport manually! |
|
/azp run dotnet-unified-build-full |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
Let's wait until the mac legs run on the unified-build-full pipeline before merging, just to be sure things are working right. |
|
/azp run dotnet-unified-build-full |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
I'm pretty sure this froze on both arm64 and x64 before it even got past aspnetcore. No idea why. We aren't normally running the full build in the open so deserves investigation but I am going to merge for now. |
| EnableMacOSCodeSign="$(SharedFrameworkRid.StartsWith('osx'))" /> | ||
|
|
||
| <Exec Command="codesign --sign - --entitlements '$(MSBuildProjectDirectory)/roslyn-entitlements.plist' %(_RoslynAppHost.RootDir)%(_RoslynAppHost.Directory)%(_RoslynAppHost.Filename)$(ExeExtension)" | ||
| Condition="$(SharedFrameworkRid.StartsWith('osx'))" /> |
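Review bot: the `codesign` call in the Exec Command has no `-f`/`--force`, so signing fails when the apphost already carries a signature, which is the "is already signed" failure reported further down this thread; add `--force` after `--sign -`. The target path built from `%(_RoslynAppHost.RootDir)%(_RoslynAppHost.Directory)%(_RoslynAppHost.Filename)$(ExeExtension)` is also unquoted while the entitlements path is single-quoted, so quote it the same way to survive spaces in the output directory.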
How do other apphosts (like dotnet.exe) get the entitlements? Shouldn't CreateAppHost task take care of that?
we add them during the dotnet/runtime build: https://github.com/dotnet/runtime/blob/9bcdd873eb4b93934ae34328845599f63253d32a/src/native/corehost/dotnet/CMakeLists.txt#L28-L30
but I just noticed this is missing the -f/--force option and the official build fails due to that
> Shouldn't CreateAppHost task take care of that?
Ideally yes (dotnet/runtime#113707), that's why it worked before, but we ran into issues: dotnet/runtime#119824
> we add them during the dotnet/runtime build:
That's for the dotnet apphost only, right? What about any other customer app which uses apphosts, wouldn't they need entitlements to work on macOS as well?
> Ideally yes (dotnet/runtime#113707), that's why it worked before, but we ran into issues: dotnet/runtime#119824
I see, thanks!
| <key>com.apple.security.cs.debugger</key> | ||
| <true/> | ||
| <key>com.apple.security.get-task-allow</key> | ||
| <true/> |
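Review bot: `com.apple.security.cs.debugger` and `com.apple.security.get-task-allow` are granted in these lines with nothing recording why the Roslyn apphosts need them. Both relate to debugger attach, so an XML comment in the plist (or a line in the commit message) stating that they mirror the entitlements Roslyn and the dotnet host already carry would let a later reader tell an intentional grant from a leftover.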
@agocke @jkoritzinsky re-reading dotnet/runtime#119429 (comment) I'm a bit confused now whether the swift issue was because of com.apple.security.get-task-allow and if we'd hit the same in roslyn given we set this?
This is what's on dotnet, so I think these should be fine:
```
[Dict]
    [Key] com.apple.security.cs.allow-dyld-environment-variables
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-jit
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.debugger
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.get-task-allow
    [Value]
        [Bool] true
```
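An added example, not code from this PR or the dotnet repositories: it parses the entitlement dump quoted in the comment above and an entitlements plist, then reports which keys differ and which are debugger-related. The sample plist is constructed and holds only the two keys visible in the diff; the function names are hypothetical.

```python
import plistlib
import re

# Entitlements of the dotnet host as dumped in the thread (whitespace collapsed).
DOTNET_DUMP = """[Dict]
[Key] com.apple.security.cs.allow-dyld-environment-variables [Value] [Bool] true
[Key] com.apple.security.cs.allow-jit [Value] [Bool] true
[Key] com.apple.security.cs.debugger [Value] [Bool] true
[Key] com.apple.security.cs.disable-library-validation [Value] [Bool] true
[Key] com.apple.security.get-task-allow [Value] [Bool] true
"""

# Constructed plist: only the two keys visible in the diff; the rest of
# roslyn-entitlements.plist is not shown on the page.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.debugger</key><true/>
  <key>com.apple.security.get-task-allow</key><true/>
</dict></plist>"""

# Debugger-related entitlements shown in the diff hunk; reported separately.
DEBUG_KEYS = {"com.apple.security.cs.debugger", "com.apple.security.get-task-allow"}

ENTRY = re.compile(r"\[Key\]\s+(\S+)\s+\[Value\]\s+\[Bool\]\s+(true|false)")

def enabled_from_dump(text):
    """Keys set to true in a [Key]/[Value]/[Bool] entitlement dump."""
    return {key for key, val in ENTRY.findall(text) if val == "true"}

def enabled_from_plist(data):
    """Keys set to boolean true in an entitlements plist."""
    return {k for k, v in plistlib.loads(data).items() if v is True}

def compare(candidate, reference):
    """Diff a candidate entitlement set against a reference set."""
    return {
        "extra": sorted(candidate - reference),    # granted but not in reference
        "missing": sorted(reference - candidate),  # in reference but not granted
        "debug": sorted(candidate & DEBUG_KEYS),   # debugger-related grants
    }

if __name__ == "__main__":
    report = compare(enabled_from_plist(SAMPLE_PLIST), enabled_from_dump(DOTNET_DUMP))
    for name, keys in report.items():
        print(name, keys)
```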
The build currently fails with:

> /Users/runner/work/1/s/src/sdk/artifacts/bin/redist/Release/net10.0/Roslyn/bincore/csc: is already signed

Follow-up to #3052

This makes the codesign command now match what we do in dotnet/runtime: https://github.com/dotnet/runtime/blob/9bcdd873eb4b93934ae34328845599f63253d32a/eng/native/functions.cmake#L736
We are entitled to these entitlements. |
|
@jkoritzinsky can you please port this and #3069 to main? thanks |
The build currently fails with:

> /Users/runner/work/1/s/src/sdk/artifacts/bin/redist/Release/net10.0/Roslyn/bincore/csc: is already signed

Follow-up to dotnet#3052

This makes the codesign command now match what we do in dotnet/runtime: https://github.com/dotnet/runtime/blob/9bcdd873eb4b93934ae34328845599f63253d32a/eng/native/functions.cmake#L736
Fixes dotnet/runtime#120967
This has the existing entitlements that Roslyn has always used.