
SkipCodesignItems does not work when the app bundle specified (not a single file)

Open snechaev opened this issue 2 years ago • 3 comments

Steps to Reproduce

  1. Download signTest1.zip
  2. Navigate to the folder with the solution file.
  3. Build in the Release configuration: dotnet build -c Release
  4. Check the signatures for main and helper app bundles:
codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app
codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app

Expected Behavior

Both bundles are signed, so output should be

~/Downloads/signTest1$ codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app
./Main/bin/Release/net6.0-macos/osx-x64/main.app: valid on disk
./Main/bin/Release/net6.0-macos/osx-x64/main.app: satisfies its Designated Requirement
---------------------------------------------------------------------------------------------------------------------------------------------------

~/Downloads/signTest1$ codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app
./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app: valid on disk
./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app: satisfies its Designated Requirement

Actual Behavior

The signature of the main app bundle is ok, but the signature of the embedded helper app bundle is broken:

~/Downloads/signTest1$ codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app
./Main/bin/Release/net6.0-macos/osx-x64/main.app: valid on disk
./Main/bin/Release/net6.0-macos/osx-x64/main.app: satisfies its Designated Requirement
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

~/Downloads/signTest1$ codesign --verify --verbose ./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app
./Main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app: a sealed resource is missing or invalid
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Native.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libcoreclr.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.IO.Compression.Native.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Globalization.Native.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.Apple.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Net.Security.Native.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libhostfxr.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libhostpolicy.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.OpenSsl.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libmscordaccore.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libmscordbi.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libdbgshim.dylib
file modified: /Users/sergey/Downloads/signTest1/main/bin/Release/net6.0-macos/osx-x64/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libclrjit.dylib

Environment

Version information
Visual Studio Professional 2022 for Mac
Version 17.6.5 (build 417)
Installation UUID: d19bbf74-d8b5-4bb1-8354-e54c9202ea1c

Runtime
.NET 7.0.3 (64-bit)
Architecture: X64
Microsoft.macOS.Sdk 13.1.1007; git-rev-head:8afca776a0a96613dfb7200e0917bb57f9ed5583; git-branch:release/7.0.1xx-xcode14.2

Roslyn (Language Service)
4.6.0-3.23180.6+99e956e42697a6dd886d1e12478ea2b27cceacfa

NuGet
Version: 6.4.0.117

.NET SDK (x64)
SDK: /usr/local/share/dotnet/sdk/7.0.309/Sdks
SDK Versions:
	7.0.309
	7.0.308
	7.0.307
	7.0.306
	7.0.304
	7.0.302
	6.0.415
	6.0.414
	6.0.413
	6.0.412
	6.0.410
	6.0.408
MSBuild SDKs: /Applications/Visual Studio.app/Contents/MonoBundle/MSBuild/Current/bin/Sdks

.NET Runtime (x64)
Runtime: /usr/local/share/dotnet/dotnet
Runtime Versions:
	7.0.12
	7.0.11
	7.0.10
	7.0.9
	7.0.7
	7.0.5
	6.0.23
	6.0.22
	6.0.21
	6.0.20
	6.0.18
	6.0.16

Xamarin.Profiler
Version: 1.8.0.49
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler

Updater
Version: 11

Apple Developer Tools
Xcode: 14.3 21812
Build: 14E222b

Xamarin.Mac
Version: 9.3.0.18 Visual Studio Professional
Hash: 9d266025e
Branch: xcode14.3
Build date: 2023-09-06 19:52:26-0400

Xamarin.iOS
Version: 16.4.0.18 Visual Studio Professional
Hash: 9d266025e
Branch: xcode14.3
Build date: 2023-09-06 19:52:27-0400

Xamarin Designer
Version: 17.6.3.9
Hash: 2648399ae8
Branch: remotes/origin/d17-6
Build date: 2023-10-04 18:09:14 UTC

Xamarin.Android
Version: 13.2.2.0 (Visual Studio Professional)
Commit: xamarin-android/d17-5/45b0e14
Android SDK: /Users/sergey/Library/Developer/Xamarin/android-sdk-macosx
	Supported Android versions:
		12.0 (API level 31)
		13.0 (API level 33)

SDK Command-line Tools Version: 7.0
SDK Platform Tools Version: 33.0.3
SDK Build Tools Version: 32.0.0

Build Information: 
Mono: d9a6e87
Java.Interop: xamarin/java.interop/d17-5@149d70fe
SQLite: xamarin/sqlite/3.40.1@68c69d8
Xamarin.Android Tools: xamarin/xamarin-android-tools/d17-5@ca1552d

Microsoft Build of OpenJDK
Java SDK: /Library/Java/JavaVirtualMachines/microsoft-11.jdk
11.0.16.1
Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

Eclipse Temurin JDK
Java SDK: /Library/Java/JavaVirtualMachines/temurin-8.jdk
1.8.0.302
Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

Android SDK Manager
Version: 17.6.0.50
Hash: a715dca
Branch: HEAD
Build date: 2023-10-04 18:09:20 UTC

Android Device Manager
Version: 0.0.0.1309
Hash: 06e3e77
Branch: HEAD
Build date: 2023-10-04 18:09:20 UTC

Build Information
Release ID: 1706050417
Git revision: 6d6585a706becbd4a5be3b0e99ace260dfdf5748
Build date: 2023-10-04 18:07:30+00
Build branch: release-17.6
Build lane: release-17.6

Operating System
Mac OS X 13.5.0
Darwin 22.6.0 Darwin Kernel Version 22.6.0
    Wed Jul  5 22:21:56 PDT 2023
    root:xnu-8796.141.3~6/RELEASE_X86_64 x86_64


Build Logs

msbuild.zip

Example Project (If Possible)

signTest1.zip

Additional details

This issue is a successor of https://github.com/xamarin/xamarin-macios/issues/15594.

The task is the same - I need to embed the helper.app bundle into main.app and then somehow run it with Process.Start, and all of this should be properly signed and notarized.

I copy the helper.app into the main.app using additional msbuild targets (see main.csproj). This works fine.

Since helper.app is already signed when it is copied into main.app, I used SkipCodesignItems to prevent it from being re-signed (based on this sample from tests):

<ItemGroup>
    <SkipCodesignItems Include="Contents/SharedSupport/helper.app" />
</ItemGroup>

This does not work and gives the errors mentioned above. I can replace this with the list of all dylibs inside helper.app and the signature will be ok, but it's obviously not the best solution:

<!-- The following works, but is fragile as it requires listing all dylibs, including standard and 3rd-party ones -->
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libcoreclr.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Native.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.IO.Compression.Native.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Globalization.Native.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.Apple.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Net.Security.Native.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libhostfxr.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libhostpolicy.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libmscordaccore.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libmscordbi.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.OpenSsl.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libdbgshim.dylib"/>
<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libclrjit.dylib"/>

snechaev avatar Oct 16 '23 18:10 snechaev
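The failure above only shows up because the helper bundle was verified on its own; a post-build gate that does this for every nested .app, and turns the "file modified:" lines into the directories that were re-sealed, is an added example (not code from the issue or from xamarin-macios). It assumes the macOS codesign tool for the live check; the report parsing is plain text processing and the sample report is constructed from the output quoted in the issue.

```shell
#!/bin/sh
# Added example, not code from the issue or from xamarin-macios: verify the outer
# bundle and every nested .app on its own, then report the directories holding
# files the outer signing pass altered. Needs macOS `codesign` for the live check.

# Directories that contain a "file modified:" entry in a codesign report read from
# stdin, deduplicated. A single helper.app/Contents/MonoBundle line is the cue that
# the whole component, not one dylib, was re-sealed by the outer build.
modified_dirs() {
    sed -n 's/^file modified: //p' | while IFS= read -r path; do
        dirname "$path"
    done | sort -u
}

# Strict verification of one bundle; codesign writes its findings to stderr,
# so both streams are captured and fed to the parser on failure.
verify_bundle() {
    report=$(codesign --verify --strict --verbose "$1" 2>&1) && {
        printf 'OK   %s\n' "$1"
        return 0
    }
    printf 'FAIL %s\n' "$1"
    printf '%s\n' "$report" | modified_dirs | sed 's/^/     modified under: /'
    return 1
}

# Verify the outer bundle plus every .app nested anywhere under it (SharedSupport,
# Resources, Frameworks ...). Progress goes to stderr, failing bundle paths to stdout.
verify_nested() {
    failures=$( { printf '%s\n' "$1"; find "$1" -mindepth 1 -type d -name '*.app'; } |
        while IFS= read -r bundle; do
            verify_bundle "$bundle" >&2 || printf '%s\n' "$bundle"
        done )
    [ -z "$failures" ] || { printf '%s\n' "$failures"; return 1; }
}

# Constructed sample mirroring the report quoted in the issue (paths shortened).
SAMPLE_REPORT='main.app/Contents/SharedSupport/helper.app: a sealed resource is missing or invalid
file modified: /tmp/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libcoreclr.dylib
file modified: /tmp/main.app/Contents/SharedSupport/helper.app/Contents/MonoBundle/libclrjit.dylib'

if [ -n "${1:-}" ]; then
    verify_nested "$1"          # usage: sh check-nested-signatures.sh path/to/main.app
else
    printf '%s\n' "$SAMPLE_REPORT" | modified_dirs
fi
```

Run it against the built main.app in CI so a broken seal on the embedded helper fails the build instead of surfacing at notarization.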

You should be able to use a glob like this:

<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/*.dylib"/>

that way you don't have to keep the list of files up-to-date.

rolfbjarne avatar Oct 17 '23 07:10 rolfbjarne

Unfortunately, the wildcard-based workaround works only partially and is not usable in production. It works for dotnet build when it is called from the folder containing the solution. It does not work (file modified: errors for all dylibs inside helper.app) when I run Build/Rebuild from VSfM (by right-clicking the Main project and selecting Build or Rebuild from the context menu).

I understand that VSfM is EOL, but this inconsistent behavior may indicate some flaws inside the signing logic.

The explicit list of all dylibs works in both scenarios (but has its own disadvantages, mentioned above).

snechaev avatar Oct 17 '23 16:10 snechaev

Additional note for those coming here from Google: for net8 you may also need to add libclrgc.dylib to the exclusion list:

<SkipCodesignItems Include="Contents/SharedSupport/helper.app/Contents/MonoBundle/libclrgc.dylib"/>

snechaev avatar Oct 17 '24 14:10 snechaev