From 0709c8882ff4102759b6c78b26ec713be7a8ac39 Mon Sep 17 00:00:00 2001 
From: Sebastien Pouliot Date: Mon, 11 Jan 2021 16:05:35 -0500 Subject: [PATCH] [msbuild] Always codesign the framework directory, not what's inside (#10309) **Example #1.** Signing a framework binary is the **same** thing as signing the framework directory. ``` $ codesign -v --force --timestamp=none --sign - bin/iPhone/Release/xcf_ios.app//Frameworks/lame.framework/lame bin/iPhone/Release/xcf_ios.app//Frameworks/lame.framework/lame: replacing existing signature bin/iPhone/Release/xcf_ios.app//Frameworks/lame.framework/lame: signed bundle with Mach-O thin (arm64) [io.sourceforge.lame] $ codesign -v --force --timestamp=none --sign - bin/iPhone/Release/xcf_ios.app//Frameworks/lame.framework bin/iPhone/Release/xcf_ios.app//Frameworks/lame.framework: replacing existing signature bin/iPhone/Release/xcf_ios.app//Frameworks/lame.framework: signed bundle with Mach-O thin (arm64) [io.sourceforge.lame] ``` Nice right ? Pretty much until... **Example #2.** Signing a framework binary is **NOT** the **same** thing as signing the framework directory. ``` $ codesign -v --force --timestamp=none --sign - bin/iPhone/Release/xcf_ios.app//Frameworks/flac.framework/flac bin/iPhone/Release/xcf_ios.app//Frameworks/flac.framework/flac: replacing existing signature bin/iPhone/Release/xcf_ios.app//Frameworks/flac.framework/flac: signed Mach-O thin (arm64) [flac-55554944583d2f02282c33d8bfed082daa857e30] $ codesign -v --force --timestamp=none --sign - bin/iPhone/Release/xcf_ios.app//Frameworks/flac.framework bin/iPhone/Release/xcf_ios.app//Frameworks/flac.framework: replacing existing signature bin/iPhone/Release/xcf_ios.app//Frameworks/flac.framework: signed bundle with Mach-O thin (arm64) [org.xiph.flac] ``` In this case signing the binary `flac` does not produce the `_CodeSignature` directory and fails our msbuild Codesign task The fix is to detect if we're signing a framework like `A.framework/A` and change this to sign `A.framework` as this will always work. 
---
 .../Tasks/CodesignTaskBase.cs | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/msbuild/Xamarin.MacDev.Tasks.Core/Tasks/CodesignTaskBase.cs b/msbuild/Xamarin.MacDev.Tasks.Core/Tasks/CodesignTaskBase.cs
index 48da25cc8e..fff2cc95db 100644
--- a/msbuild/Xamarin.MacDev.Tasks.Core/Tasks/CodesignTaskBase.cs
+++ b/msbuild/Xamarin.MacDev.Tasks.Core/Tasks/CodesignTaskBase.cs
@@ -140,7 +140,16 @@ namespace Xamarin.MacDev.Tasks
 if (!string.IsNullOrEmpty (ExtraArgs))
 args.Add (ExtraArgs);
- args.Add (Path.GetFullPath (item.ItemSpec));
+ // signing a framework and a file inside a framework is not *always* identical
+ // on macOS apps {item.ItemSpec} can be a symlink to `Versions/Current/{item.ItemSpec}`
+ // and `Current` also a symlink to `A`... and `_CodeSignature` will be found there
+ var path = PathUtils.ResolveSymbolicLinks (item.ItemSpec);
+ var parent = Path.GetDirectoryName (path);
+
+ // so do not don't sign `A.framework/A`, sign `A.framework` which will always sign the *bundle*
+ if ((Path.GetExtension (parent) == ".framework") && (Path.GetFileName (path) == Path.GetFileNameWithoutExtension (parent)))
+ path = parent;
+ args.Add (Path.GetFullPath (path));
 return args;
 }
@@ -230,14 +239,6 @@ namespace Xamarin.MacDev.Tasks
 }
 } else if (File.Exists (item.ItemSpec)) {
 codesignedFiles.Add (item);
-
- // on macOS apps {item.ItemSpec} can be a symlink to `Versions/Current/{item.ItemSpec}`
- // and `Current` also a symlink to `A`... and `_CodeSignature` will be found there
- var path = PathUtils.ResolveSymbolicLinks (item.ItemSpec);
- var dirName = Path.GetDirectoryName (path);
-
- if (Path.GetExtension (dirName) == ".framework")
- codesignedFiles.AddRange (Directory.EnumerateFiles (Path.Combine (dirName, CodeSignatureDirName)).Select (x => new TaskItem (x)));
 }
 return codesignedFiles;
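Review bot: The `.framework` test in the added block runs on the symlink-resolved path, so it looks like it only matches the flat layout: if `PathUtils.ResolveSymbolicLinks` resolves a versioned macOS framework all the way, `parent` ends in `Versions/A`, the test fails, and the binary rather than the bundle is still passed to codesign, which is the very case the comment above it describes. The resolved `path` is also what now gets signed for every item, not only frameworks, so a symlinked item is signed at its target instead of at `item.ItemSpec`; if that is not intended, keep `Path.GetFullPath (item.ItemSpec)` as the default and switch to `parent` only when the framework test matches. The comment `// so do not don't sign` has a doubled negation and would read better as `// so don't sign A.framework/A, sign A.framework, which always signs the *bundle*`. The enclosing method starts before this hunk, so how the earlier arguments are built is not visible here.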