dotnet · jkoritzinsky · Oct 10, 2023 · Oct 3, 2023 · Oct 4, 2023 · Oct 4, 2023
diff --git a/...ines/common/createdump-entitlements.plist → eng/native/createdump-entitlements.plist b/...ines/common/createdump-entitlements.plist → eng/native/createdump-entitlements.plist
diff --git a/eng/pipelines/common/entitlements.plist → eng/native/entitlements.plist b/eng/pipelines/common/entitlements.plist → eng/native/entitlements.plist
diff --git a/eng/pipelines/common/macos-sign-with-entitlements.yml b/eng/pipelines/common/macos-sign-with-entitlements.yml
@@ -11,9 +11,6 @@ steps:
       installationPath: '$(Agent.TempDirectory)/dotnet'
 
   - ${{ each file in parameters.filesToSign }}:
-    - script: codesign -s - -f --entitlements ${{ file.entitlementsFile }} ${{ file.path }}/${{ file.name }}
-      displayName: 'Add entitlements to ${{ file.name }}'
-
     - task: CopyFiles@2
       displayName: 'Copy entitled file ${{ file.name }}'
       inputs:
@@ -49,7 +46,7 @@ steps:
             "toolName": "sign",
             "toolVersion": "1.0"
           }
-        ]  
+        ]
       SessionTimeout: ${{ parameters.timeoutInMinutes }}
       MaxConcurrency: '50'
       MaxRetryAttempts: '5'

diff --git a/eng/pipelines/coreclr/templates/build-job.yml b/eng/pipelines/coreclr/templates/build-job.yml
@@ -197,10 +197,8 @@ jobs:
             filesToSign:
             - name: createdump
               path: $(buildProductRootFolderPath)
-              entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/createdump-entitlements.plist
             - name: corerun
               path: $(buildProductRootFolderPath)
-              entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
 
         - task: CopyFiles@2
           displayName: 'Copy signed createdump to sharedFramework'

diff --git a/eng/pipelines/installer/jobs/build-job.yml b/eng/pipelines/installer/jobs/build-job.yml
@@ -357,10 +357,8 @@ jobs:
               filesToSign:
               - name: dotnet
                 path: $(Build.SourcesDirectory)/artifacts/bin/osx-${{ parameters.archType }}.$(_BuildConfig)/corehost
-                entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
               - name: apphost
                 path: $(Build.SourcesDirectory)/artifacts/bin/osx-${{ parameters.archType }}.$(_BuildConfig)/corehost
-                entitlementsFile: $(Build.SourcesDirectory)/eng/pipelines/common/entitlements.plist
 
         - script: $(BaseJobBuildCommand) -subset host.pkg+host.tools+host.pretest+host.tests+packs
           displayName: Build and Package

diff --git a/src/coreclr/debug/createdump/CMakeLists.txt b/src/coreclr/debug/createdump/CMakeLists.txt
@@ -106,4 +106,14 @@ endif(CLR_CMAKE_HOST_OSX)
 
 endif(CLR_CMAKE_HOST_WIN32)
 
+if (CLR_CMAKE_HOST_APPLE)
+    # Add a dependency on the entitlements file to ensure that createdump is rebuilt if only the entitlements file changes.
+    set_source_files_properties(main.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist)
+
+    add_custom_command(
+        TARGET createdump
+        POST_BUILD
+        COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/createdump-entitlements.plist $<TARGET_FILE:createdump>)
+endif()
+
 install_clr(TARGETS createdump DESTINATIONS . sharedFramework COMPONENT runtime)
diff --git a/src/coreclr/hosts/corerun/CMakeLists.txt b/src/coreclr/hosts/corerun/CMakeLists.txt
@@ -38,9 +38,19 @@ else(CLR_CMAKE_HOST_WIN32)
     endif()
 endif(CLR_CMAKE_HOST_WIN32)
 
+if (CLR_CMAKE_HOST_APPLE)
+    # Add a dependency on the entitlements file to ensure that corerun is rebuilt if only the entitlements file changes.
+    set_source_files_properties(corerun.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/entitlements.plist)
+
+    add_custom_command(
+        TARGET corerun
+        POST_BUILD
+        COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/entitlements.plist $<TARGET_FILE:corerun>)
+endif()
+
 install_clr(TARGETS corerun DESTINATIONS . COMPONENT hosts)
 
 # If there's a dynamic ASAN runtime, then install it in the directory where we put our executable.
 if (NOT "${ASAN_RUNTIME}" STREQUAL "")
     install(FILES ${ASAN_RUNTIME} DESTINATION .)
-endif()
+endif()
diff --git a/src/libraries/sendtohelixhelp.proj b/src/libraries/sendtohelixhelp.proj
@@ -261,6 +261,14 @@
       </HelixPostCommands>
     </PropertyGroup>
 
+    <!-- ad-hoc sign createdump on the helix machine to allow us to collect dumps -->
+    <PropertyGroup Condition="'$(RuntimeFlavor)' == 'CoreCLR' and '$(TargetOS)' == 'osx'">
+      <HelixPreCommands>
+        $(HelixPreCommands);
+        find $HELIX_CORRELATION_PAYLOAD -name createdump | xargs -n 1 codesign -s - -f --preserve-metadata=entitlements
+      </HelixPreCommands>
+    </PropertyGroup>
+
     <Error Condition="'$(NeedsWorkload)' == 'true' and '$(TestUsingWorkloads)' == 'true' and ('$(SdkWithWorkloadForTestingPath)' == '' or !Exists($(SdkWithWorkloadForTestingPath)))"
            Text="Could not find workload at %24(SdkWithWorkloadForTestingPath)=$(SdkWithWorkloadForTestingPath)" />
 

diff --git a/src/native/corehost/apphost/standalone/CMakeLists.txt b/src/native/corehost/apphost/standalone/CMakeLists.txt
@@ -52,3 +52,13 @@ endif()
 if (CLR_CMAKE_TARGET_WIN32 AND CLR_CMAKE_TARGET_ARCH_ARM64)
     target_link_libraries(apphost PRIVATE shell32.lib)
 endif()
+
+if (CLR_CMAKE_HOST_APPLE)
+    # Add a dependency on the entitlements file to ensure that apphost is rebuilt if only the entitlements file changes.
+    set_source_files_properties(hostfxr_resolver.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/entitlements.plist)
+
+    add_custom_command(
+        TARGET apphost
+        POST_BUILD
+        COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/entitlements.plist $<TARGET_FILE:apphost>)
+endif()
diff --git a/src/native/corehost/dotnet/CMakeLists.txt b/src/native/corehost/dotnet/CMakeLists.txt
@@ -15,3 +15,13 @@ list(APPEND SOURCES
 )
 
 include(../exe.cmake)
+
+if (CLR_CMAKE_HOST_APPLE)
+    # Add a dependency on the entitlements file to ensure that dotnet is rebuilt if only the entitlements file changes.
+    set_source_files_properties(../apphost/standalone/hostfxr_resolver.cpp PROPERTIES OBJECT_DEPENDS ${CLR_ENG_NATIVE_DIR}/entitlements.plist)
+
+    add_custom_command(
+        TARGET dotnet
+        POST_BUILD
+        COMMAND codesign -s - -f --entitlements ${CLR_ENG_NATIVE_DIR}/entitlements.plist $<TARGET_FILE:dotnet>)
+endif()
diff --git a/src/tests/Common/helixpublishwitharcade.proj b/src/tests/Common/helixpublishwitharcade.proj
@@ -875,6 +875,11 @@
     </ItemGroup>
   </Target>
 
+  <!-- Adhoc-sign createdump so we can use it in our tests -->
+  <PropertyGroup Condition="'$(RuntimeFlavor)' == 'CoreCLR' and '$(TargetOS)' == 'osx'">
+    <HelixPreCommands>$(HelixPreCommands);codesign -s - -f --preserve-metadata=entitlements $HELIX_CORRELATION_PAYLOAD/createdump</HelixPreCommands>
+  </PropertyGroup>
+
   <PropertyGroup>
     <SigningCommand Condition="'$(TargetOS)' == 'iOS' or '$(TargetOS)' == 'tvOS'">
     <![CDATA[