[release/10.0.1xx] [msbuild] Fix DetectSigningIdentity with entitlements in the simulator. Fixes #24032. (#24077)

* Always sign with the placeholder certificate '-' in the simulator.
* We still need to find a provisioning profile (if required), and pass it on to the CompileEntitlements task, so that the CompileEntitlements task can adjust the entitlements (appending the team identifier for instance) before embedding them into the executable.

Fixes #24032.
Backport of #24059.

Author: rolfbjarne

msbuild/Xamarin.MacDev.Tasks/Tasks/CompileEntitlements.cs

@@ -576,9 +576,8 @@ public override bool Execute ()
 
 				EntitlementsInExecutable = new TaskItem (simulatedXcent);
 
-				// No matter what, I've only been able to make Xcode apply a single entitlement to simulator builds: com.apple.security.get-task-allow
+				// No matter what, I haven't been able to make Xcode apply any entitlements to the when signing simulator apps
 				compiled = new PDictionary ();
-				compiled.Add ("com.apple.security.get-task-allow", new PBoolean (true));
 			} else {
 				archived = GetArchivedExpandedEntitlements (templates, compiled);
 			}

msbuild/Xamarin.MacDev.Tasks/Tasks/DetectSigningIdentity.cs

@@ -597,8 +597,8 @@ bool ExecuteImpl ()
 				return !Log.HasLoggedErrors;
 			}
 
-			// If we're building for the simulator, always use the placeholder codesign key.
-			if (SdkIsSimulator) {
+			// If we're building for the simulator, and we don't require a provisioning profile, we can just use the placeholder key.
+			if (SdkIsSimulator && !RequireProvisioningProfile) {
 				DetectedCodeSigningKey = "-";
 				return !Log.HasLoggedErrors;
 			}
@@ -661,7 +661,10 @@ bool ExecuteImpl ()
 					return false;
 				}
 
-				if (identity.SigningKey is not null) {
+				if (SdkIsSimulator) {
+					// Always sign using the placeholder when when building for the simulator
+					DetectedCodeSigningKey = "-";
+				} else if (identity.SigningKey is not null) {
 					codesignCommonName = SecKeychain.GetCertificateCommonName (identity.SigningKey);
 					DetectedCodeSigningKey = identity.SigningKey.Thumbprint;
 				}
@@ -684,10 +687,15 @@ bool ExecuteImpl ()
 			identity = GetBestMatch (pairs, identity);
 
 			if (identity.Profile is not null && identity.AppId is not null) {
-				codesignCommonName = identity.SigningKey is not null ? SecKeychain.GetCertificateCommonName (identity.SigningKey) : null;
 				provisioningProfileName = identity.Profile.Name;
 
-				DetectedCodeSigningKey = identity.SigningKey?.Thumbprint ?? "";
+				if (SdkIsSimulator) {
+					// Always sign using the placeholder when when building for the simulator
+					DetectedCodeSigningKey = "-";
+				} else {
+					codesignCommonName = identity.SigningKey is not null ? SecKeychain.GetCertificateCommonName (identity.SigningKey) : null;
+					DetectedCodeSigningKey = identity.SigningKey?.Thumbprint ?? "";
+				}
 				DetectedProvisioningProfile = identity.Profile.Uuid;
 				DetectedAppId = identity.AppId;
 			} else {

tests/msbuild/Xamarin.MacDev.Tasks.Tests/TaskTests/CompileEntitlementsTaskTests.cs

@@ -347,6 +347,35 @@ public void TeamIdentifierPrefix ()
 			Assert.That (archivedKag, Is.EqualTo ("Z8CSQKJE7R.org.xamarin"), "archived value 1");
 		}
 
+		[Test]
+		public void TeamIdentifierPrefix_Simulator ()
+		{
+			var customEntitlements = new TaskItem [] {
+				new TaskItem ("keychain-access-groups", new Dictionary<string, string> { {  "Type", "String" }, { "Value", "$(TeamIdentifierPrefix)org.xamarin" } }),
+			};
+			var task = CreateEntitlementsTask ("EmptyEntitlements.plist", out var compiledEntitlements, out var archivedEntitlements);
+			task.TargetFrameworkMoniker = ".NETCoreApp,Version=v6.0,Profile=ios";
+			task.CustomEntitlements = customEntitlements;
+			task.SdkIsSimulator = true;
+			ExecuteTask (task);
+
+			Assert.Multiple (() => {
+				Assert.That (archivedEntitlements, Does.Not.Exist, "archived");
+
+				var inExecutable = PDictionary.FromFile (task.EntitlementsInExecutable!.ItemSpec)!;
+				Assert.That (inExecutable.Count, Is.EqualTo (4), $"in executable count");
+				Assert.IsFalse (inExecutable.ContainsKey (EntitlementKeys.AllowExecutionOfJitCode), "#1");
+				Assert.IsTrue (inExecutable.ContainsKey ("keychain-access-groups"), "in executable");
+				Assert.That (((PString?) inExecutable ["keychain-access-groups"])?.Value, Is.EqualTo ("Z8CSQKJE7R.org.xamarin"), "in executable value 1");
+
+				Assert.IsFalse (inExecutable.ContainsKey ("com.apple.security.get-task-allow"), "in executable com.apple.security.get-task-allow");
+				Assert.IsTrue (inExecutable.ContainsKey ("get-task-allow"), $"in executable get-task-allow");
+
+				var inSignature = PDictionary.FromFile (task.EntitlementsInSignature!.ItemSpec)!;
+				Assert.That (inSignature.Count, Is.EqualTo (0), $"in signature count");
+			});
+		}
+
 		[Test]
 		[TestCase (EntitlementsMode.InCustomEntitlements)]
 		[TestCase (EntitlementsMode.InFile)]

tests/msbuild/Xamarin.MacDev.Tasks.Tests/TaskTests/DetectSigningIdentityTaskTests.cs

@@ -83,6 +83,7 @@ public class EntitlementTestCase {
 			public bool Required;
 			public bool IsSimulator;
 			public bool? CodesignRequireProvisioningProfile;
+			public bool? ExpectedProvisioningProfile;
 
 			public override string ToString ()
 			{
@@ -99,7 +100,7 @@ static EntitlementTestCase [] GetEntitlementsTestCases ()
 				new EntitlementTestCase { Name = nameof (EmptyEntitlements2), Entitlements = EmptyEntitlements2, IsSimulator = true },
 				new EntitlementTestCase { Name = nameof (EmptyEntitlements3), Entitlements = EmptyEntitlements3, IsSimulator = true },
 				new EntitlementTestCase { Name = nameof (EmptyEntitlements4), Entitlements = EmptyEntitlements4, IsSimulator = true },
-				new EntitlementTestCase { Name = nameof (NonEmptyEntitlements1), Entitlements = NonEmptyEntitlements1, IsSimulator = true },
+				new EntitlementTestCase { Name = nameof (NonEmptyEntitlements1), Entitlements = NonEmptyEntitlements1, IsSimulator = true, ExpectedProvisioningProfile = true },
 				new EntitlementTestCase { Name = nameof (EmptyEntitlements1) + "_Required", Entitlements = EmptyEntitlements1, IsSimulator = true, CodesignRequireProvisioningProfile = true },
 				new EntitlementTestCase { Name = nameof (NonEmptyEntitlements1) + "_NotRequired", Entitlements = NonEmptyEntitlements1, IsSimulator = true, CodesignRequireProvisioningProfile = false },
 				// device
@@ -109,7 +110,7 @@ static EntitlementTestCase [] GetEntitlementsTestCases ()
 				new EntitlementTestCase { Name = nameof (EmptyEntitlements4) + "_Device", Entitlements = EmptyEntitlements4, IsSimulator = false },
 				new EntitlementTestCase { Name = nameof (NonEmptyEntitlements1) + "_Device", Entitlements = NonEmptyEntitlements1, IsSimulator = false },
 				new EntitlementTestCase { Name = nameof (EmptyEntitlements1) + "_Required_Device", Entitlements = EmptyEntitlements1, IsSimulator = false, CodesignRequireProvisioningProfile = true },
-				new EntitlementTestCase { Name = nameof (NonEmptyEntitlements1) + "_NotRequired_Device", Entitlements = NonEmptyEntitlements1, IsSimulator = false, CodesignRequireProvisioningProfile = false },
+				new EntitlementTestCase { Name = nameof (NonEmptyEntitlements1) + "_NotRequired_Device", Entitlements = NonEmptyEntitlements1, IsSimulator = false, CodesignRequireProvisioningProfile = false, ExpectedProvisioningProfile = false },
 			};
 		}
 
@@ -130,26 +131,26 @@ public void EmptyEntitlements (EntitlementTestCase testCase)
 
 			ExecuteTask (task);
 
-			if (testCase.IsSimulator) {
+			bool requiresProvisioningProfile;
+			if (testCase.ExpectedProvisioningProfile.HasValue) {
+				requiresProvisioningProfile = testCase.ExpectedProvisioningProfile.Value;
+			} else {
+				requiresProvisioningProfile = testCase.CodesignRequireProvisioningProfile == true || !testCase.IsSimulator;
+			}
+
+			if (requiresProvisioningProfile) {
+				Assert.That (task.DetectedAppId, Does.EndWith (".com.tests.emptyentitlements"), "DetectedAppId");
+				Assert.That (task.DetectedProvisioningProfile, Is.Not.Null.And.Not.Empty, "DetectedProvisioningProfile");
+			} else {
 				Assert.AreEqual ("com.tests.emptyentitlements", task.DetectedAppId, "DetectedAppId");
+				Assert.That (task.DetectedProvisioningProfile, Is.Null.Or.Empty, "DetectedProvisioningProfile");
+			}
+			if (testCase.IsSimulator || !requiresProvisioningProfile) {
 				Assert.AreEqual ("-", task.DetectedCodeSigningKey, "DetectedCodeSigningKey");
 				Assert.That (task.DetectedDistributionType, Is.EqualTo ("Any"), "DetectedDistributionType");
-				Assert.That (task.DetectedProvisioningProfile, Is.Null.Or.Empty, "DetectedProvisioningProfile");
 			} else {
-				if (testCase.CodesignRequireProvisioningProfile != false) {
-					Assert.That (task.DetectedAppId, Does.EndWith (".com.tests.emptyentitlements"), "DetectedAppId");
-				} else {
-					Assert.AreEqual ("com.tests.emptyentitlements", task.DetectedAppId, "DetectedAppId");
-				}
-				if (testCase.CodesignRequireProvisioningProfile != false) {
-					Assert.That (task.DetectedCodeSigningKey, Has.Length.EqualTo ("20D63576DE3EA7BE419C18997CF948D759B43D53".Length), "DetectedCodeSigningKey");
-					Assert.That (task.DetectedDistributionType, Is.EqualTo ("Development").Or.EqualTo ("AppStore").Or.EqualTo ("Any"), "DetectedDistributionType");
-					Assert.That (task.DetectedProvisioningProfile, Is.Not.Null.And.Not.Empty, "DetectedProvisioningProfile");
-				} else {
-					Assert.That (task.DetectedCodeSigningKey, Has.Length.EqualTo ("-".Length), "DetectedCodeSigningKey");
-					Assert.That (task.DetectedDistributionType, Is.EqualTo ("Any"), "DetectedDistributionType");
-					Assert.That (task.DetectedProvisioningProfile, Is.Null.Or.Empty, "DetectedProvisioningProfile");
-				}
+				Assert.That (task.DetectedCodeSigningKey, Has.Length.EqualTo ("20D63576DE3EA7BE419C18997CF948D759B43D53".Length), "DetectedCodeSigningKey");
+				Assert.That (task.DetectedDistributionType, Is.EqualTo ("Development").Or.EqualTo ("AppStore").Or.EqualTo ("Any"), "DetectedDistributionType");
 			}
 			Assert.AreEqual ($"{Xamarin.Tests.Configuration.XcodeLocation}/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate", task.DetectedCodesignAllocate, "DetectedCodesignAllocate");
 		}
@@ -162,12 +163,32 @@ public void CustomEntitlements ()
 			task.CustomEntitlements = new ITaskItem [] { new TaskItem ("keychain-access-group") };
 			ExecuteTask (task);
 
-			Assert.That (task.DetectedAppId, Is.Null.Or.Empty, "DetectedAppId");
+			Assert.That (task.DetectedAppId, Is.Not.Null.And.Not.Empty, "DetectedAppId");
 			Assert.AreEqual ("-", task.DetectedCodeSigningKey, "DetectedCodeSigningKey");
 			Assert.AreEqual ($"{Xamarin.Tests.Configuration.XcodeLocation}/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate", task.DetectedCodesignAllocate, "DetectedCodesignAllocate");
 			Assert.AreEqual ("Any", task.DetectedDistributionType, "DetectedDistributionType");
-			Assert.That (task.DetectedProvisioningProfile, Is.Null.Or.Empty, "DetectedProvisioningProfile");
+			Assert.That (task.DetectedProvisioningProfile, Is.Not.Null.And.Not.Empty, "DetectedProvisioningProfile");
 			Assert.IsTrue (task.HasEntitlements, "HasEntitlements");
 		}
+
+		[Test]
+		public void Simulator ()
+		{
+			var dir = Cache.CreateTemporaryDirectory ();
+			var task = CreateTask (dir);
+			task.BundleIdentifier = "com.xamarin.simulatortest";
+			task.SdkIsSimulator = true;
+			task.CustomEntitlements = new ITaskItem [] { new TaskItem ("keychain-access-group") };
+			ExecuteTask (task);
+
+			Assert.Multiple (() => {
+				Assert.That (task.DetectedAppId, Does.EndWith ("." + task.BundleIdentifier), "DetectedAppId");
+				Assert.AreEqual ("-", task.DetectedCodeSigningKey, "DetectedCodeSigningKey");
+				Assert.AreEqual ($"{Xamarin.Tests.Configuration.XcodeLocation}/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate", task.DetectedCodesignAllocate, "DetectedCodesignAllocate");
+				Assert.AreEqual ("Any", task.DetectedDistributionType, "DetectedDistributionType");
+				Assert.That (task.DetectedProvisioningProfile, Is.Not.Null.And.Not.Empty, "DetectedProvisioningProfile");
+				Assert.IsTrue (task.HasEntitlements, "HasEntitlements");
+			});
+		}
 	}
 }