[xm] Support UseHardenendRuntime in code signing (#5536)

- Solves SDK portion of https://github.com/xamarin/xamarin-macios/issues/4288
2019-02-22 09:06:58 -06:00 · 2019-02-22 09:06:58 -06:00 · 5680a39c77
--- a/msbuild/Xamarin.Mac.Tasks/Xamarin.Mac.Common.targets
+++ b/msbuild/Xamarin.Mac.Tasks/Xamarin.Mac.Common.targets
@ -249,6 +249,7 @@ Copyright (C) 2014 Xamarin. All rights reserved.
 			SigningKey="$(_CodeSigningKey)"
 			ExtraArgs="$(CodesignExtraArgs)"
 			IsAppExtension="$(IsAppExtension)"
+			UseHardenedRuntime="$(UseHardenedRuntime)"
 			>
 		</Codesign>
 	</Target>
--- a/msbuild/Xamarin.MacDev.Tasks.Core/Tasks/CodesignTaskBase.cs
+++ b/msbuild/Xamarin.MacDev.Tasks.Core/Tasks/CodesignTaskBase.cs
@ -45,6 +45,8 @@ namespace Xamarin.MacDev.Tasks

 		public bool IsAppExtension { get; set; }

+		public bool UseHardenedRuntime { get; set; }
+
 		public string ToolExe {
 			get { return toolExe ?? ToolName; }
 			set { toolExe = value; }
@ -93,6 +95,9 @@ namespace Xamarin.MacDev.Tasks
 			if (IsAppExtension)
 				args.Add ("--deep");

+			if (UseHardenedRuntime)
+				args.Add ("-o runtime");
+
 			args.Add ("--sign");
 			args.AddQuoted (SigningKey);

--- a/tests/common/mac/ProjectTestHelpers.cs
+++ b/tests/common/mac/ProjectTestHelpers.cs
@ -608,6 +608,14 @@ namespace TestCase
 				Assert.Fail ($"'nuget restore' failed for {project}");
 			}
 		}
+
+		public static bool InJenkins
+		{
+			get {
+				var buildRev = Environment.GetEnvironmentVariable ("BUILD_REVISION");
+				return !string.IsNullOrEmpty (buildRev) && buildRev == "jenkins";
+			}
+		}
 	}

 	static class PlatformHelpers
--- a/tests/mmptest/src/MMPTest.cs
+++ b/tests/mmptest/src/MMPTest.cs
@ -7,6 +7,7 @@ using System.Text;
 using NUnit.Framework;
 using System.Reflection;

+using Xamarin.Utils;
 using Xamarin.Tests;

 namespace Xamarin.MMP.Tests
@ -696,5 +697,42 @@ namespace Xamarin.MMP.Tests
 				Assert.True (buildOutput.Contains ("actool execution started with arguments"), $"Build after touching icon must run actool");
 			});
 		}
+
+		[Test]
+		public void HardenedRuntimeCodesignOption ()
+		{
+			// https://github.com/xamarin/xamarin-macios/issues/5653
+			if (TI.InJenkins)
+				Assert.Ignore ("Requires macOS entitlements on bots.");
+
+			RunMMPTest (tmpDir => {
+				TI.UnifiedTestConfig test = new TI.UnifiedTestConfig (tmpDir) {
+					CSProjConfig = "<EnableCodeSigning>true</EnableCodeSigning>"
+				};
+
+				Func<OutputText, string> findCodesign = o => o.BuildOutput.SplitLines ().Last (x => x.Contains ("Tool /usr/bin/codesign execution started with arguments"));
+
+				var baseOutput = TI.TestUnifiedExecutable (test);
+				string baseCodesign = findCodesign (baseOutput);
+				Assert.False (baseCodesign.Contains ("-o runtime"), "Base codesign");
+
+				test.CSProjConfig += "<UseHardenedRuntime>true</UseHardenedRuntime><CodeSignEntitlements>Entitlements.plist</CodeSignEntitlements>";
+
+				const string entitlementText = @"<?xml version=""1.0"" encoding=""UTF-8"" ?>
+<!DOCTYPE plist PUBLIC ""-//Apple//DTD PLIST 1.0//EN"" ""http://www.apple.com/DTDs/PropertyList-1.0.dtd"">
+<plist version=""1.0"">
+<dict>
+<key>com.apple.security.cs.allow-jit</key>
+<true/>
+</dict>
+</plist>";
+
+				File.WriteAllText (Path.Combine (tmpDir, "Entitlements.plist"), entitlementText);
+
+				var hardenedOutput = TI.TestUnifiedExecutable (test);
+				string hardenedCodesign = findCodesign (hardenedOutput);
+				Assert.True (hardenedCodesign.Contains ("-o runtime"), "Hardened codesign");
+			});
+		}
 	}
 }