Enable Unpacking, repacking, signing, and notarization of .pkg files and .app bundles

Arcade.sln

@@ -97,8 +97,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.Build.Task
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.RemoteExecutor.Tests", "src\Microsoft.DotNet.RemoteExecutor\tests\Microsoft.DotNet.RemoteExecutor.Tests.csproj", "{D6AC20A4-1719-49FE-B112-B2AB564496F8}"
 EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "TestProjects", "TestProjects", "{6F517597-E9E2-43B2-B7E2-757132EA525C}"
-EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.Build.Tasks.Archives", "src\Microsoft.DotNet.Build.Tasks.Archives\Microsoft.DotNet.Build.Tasks.Archives.csproj", "{5579768A-CC07-477C-ACE4-06FE9B0686A7}"
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.SourceBuild.Tasks", "src\Microsoft.DotNet.SourceBuild\tasks\Microsoft.DotNet.SourceBuild.Tasks.csproj", "{F9D72AF5-9320-43C8-A24F-CBE294FCED0A}"
@@ -129,10 +127,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.Build.Task
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.Build.Tasks.Templating.Tests", "src\Microsoft.DotNet.Build.Tasks.Templating\test\Microsoft.DotNet.Build.Tasks.Templating.Tests.csproj", "{FB4168D5-6EA6-4777-AD4F-95758C177FE8}"
 EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{6DA9F58A-34D5-45A6-998E-5D2B8037C3FE}"
-EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Microsoft.DotNet.XUnitAssert", "Microsoft.DotNet.XUnitAssert", "{3C542789-2576-48C8-9772-C9D7575F7E42}"
-EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.XUnitAssert", "src\Microsoft.DotNet.XUnitAssert\src\Microsoft.DotNet.XUnitAssert.csproj", "{AB8D5F86-60FA-416A-B047-83B1E9118425}"
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.XUnitAssert.Tests", "src\Microsoft.DotNet.XUnitAssert\tests\Microsoft.DotNet.XUnitAssert.Tests.csproj", "{14462553-E4E1-4F67-B954-4BF24B1DAAFE}"
@@ -151,9 +145,9 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.Internal.S
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.ArcadeAzureIntegration", "src\Microsoft.DotNet.ArcadeAzureIntegration\Microsoft.DotNet.ArcadeAzureIntegration.csproj", "{CA159C84-CD7D-4364-9121-3842F97D4B60}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.DotNet.MacOsPkg", "src\Microsoft.DotNet.MacOsPkg\Microsoft.DotNet.MacOsPkg.csproj", "{CE0FAEB2-4B8A-4A37-840D-7FF88ECB42A0}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.MacOsPkg", "src\Microsoft.DotNet.MacOsPkg\Microsoft.DotNet.MacOsPkg.csproj", "{CE0FAEB2-4B8A-4A37-840D-7FF88ECB42A0}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.DotNet.MacOsPkg.Tests", "src\Microsoft.DotNet.MacOsPkg.Tests\Microsoft.DotNet.MacOsPkg.Tests.csproj", "{1F5118A8-A5C5-4D18-AF34-FFB60FECCD45}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.DotNet.MacOsPkg.Tests", "src\Microsoft.DotNet.MacOsPkg.Tests\Microsoft.DotNet.MacOsPkg.Tests.csproj", "{1F5118A8-A5C5-4D18-AF34-FFB60FECCD45}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
@@ -1009,13 +1003,10 @@ Global
 		{B5E9D9D8-59E0-49F8-9C3C-75138A2D452C} = {C53DD924-C212-49EA-9BC4-1827421361EF}
 		{0B5D3C20-EB58-4A82-A3AA-2E626A17B35D} = {C53DD924-C212-49EA-9BC4-1827421361EF}
 		{FB4168D5-6EA6-4777-AD4F-95758C177FE8} = {C53DD924-C212-49EA-9BC4-1827421361EF}
-		{3C542789-2576-48C8-9772-C9D7575F7E42} = {6DA9F58A-34D5-45A6-998E-5D2B8037C3FE}
-		{AB8D5F86-60FA-416A-B047-83B1E9118425} = {3C542789-2576-48C8-9772-C9D7575F7E42}
-		{14462553-E4E1-4F67-B954-4BF24B1DAAFE} = {3C542789-2576-48C8-9772-C9D7575F7E42}
+		{14462553-E4E1-4F67-B954-4BF24B1DAAFE} = {C53DD924-C212-49EA-9BC4-1827421361EF}
 		{650B7526-7B8A-45B5-B14E-C16D828891B2} = {C53DD924-C212-49EA-9BC4-1827421361EF}
 		{6BA81447-C61D-4F91-BF0F-5B17AF4CFFAC} = {C53DD924-C212-49EA-9BC4-1827421361EF}
-		{CE0FAEB2-4B8A-4A37-840D-7FF88ECB42A0} = {6DA9F58A-34D5-45A6-998E-5D2B8037C3FE}
-		{1F5118A8-A5C5-4D18-AF34-FFB60FECCD45} = {6DA9F58A-34D5-45A6-998E-5D2B8037C3FE}
+		{1F5118A8-A5C5-4D18-AF34-FFB60FECCD45} = {C53DD924-C212-49EA-9BC4-1827421361EF}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {32B9C883-432E-4FC8-A1BF-090EB033DD5B}

src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.proj

@@ -20,6 +20,7 @@
   </PropertyGroup>
 
   <Import Project="BuildStep.props" />
+  <Import Project="TargetFrameworkDefaults.props" />
 
   <Import Project="$(NuGetPackageRoot)microsoft.dotnet.signtool\$(MicrosoftDotNetSignToolVersion)\build\Microsoft.DotNet.SignTool.props" />
 
@@ -57,6 +58,9 @@
 
       <!-- SN is only available on Windows -->
       <SNBinaryPath Condition="$([MSBuild]::IsOSPlatform('Windows'))">$(NuGetPackageRoot)sn\$(SNVersion)\sn.exe</SNBinaryPath>
+
+      <!-- .pkgs and .app bundle tooling is only available on MacOS -->
+      <PkgToolPath Condition="$([MSBuild]::IsOSPlatform('OSX'))">$(NuGetPackageRoot)microsoft.dotnet.macospkg\$(MicrosoftDotNetMacOsPkgVersion)\tools\$(NetToolCurrent)\any\Microsoft.Dotnet.MacOsPkg.dll</PkgToolPath>
     </PropertyGroup>
 
     <Error Condition="'$(AllowEmptySignList)' != 'true' AND '@(ItemsToSign)' == ''" 
@@ -83,7 +87,8 @@
         SNBinaryPath="$(SNBinaryPath)"
         MicroBuildCorePath="$(NuGetPackageRoot)microbuild.core\$(MicroBuildCoreVersion)"
         WixToolsPath="$(WixInstallPath)"
-        TarToolPath="$(NuGetPackageRoot)microsoft.dotnet.tar\$(MicrosoftDotNetSignToolVersion)\tools\net10.0\any\Microsoft.Dotnet.Tar.dll"
+        TarToolPath="$(NuGetPackageRoot)microsoft.dotnet.tar\$(MicrosoftDotNetTarVersion)\tools\$(NetToolCurrent)\any\Microsoft.Dotnet.Tar.dll"
+        PkgToolPath="$(PkgToolPath)"
         RepackParallelism="$(SignToolRepackParallelism)"
         MaximumParallelFileSize="$(SignToolRepackMaximumParallelFileSize)" />
   </Target>

src/Microsoft.DotNet.Arcade.Sdk/tools/Sign.props

@@ -18,11 +18,14 @@
   <ItemGroup>
     <!--
       This is intended to hold information about the certificates used for signing.
-      For now the only information required is whether or not the certificate can be
-      used for signing already signed files - DualSigningAllowed==true.
     -->
     <CertificatesSignInfo Include="3PartyDual" DualSigningAllowed="true" />
     <CertificatesSignInfo Include="3PartySHA2" DualSigningAllowed="true" />
+    <!-- This signing information indicates certificates that represent a sign and notarize operation. -->
+    <CertificatesSignInfo Include="MacDeveloperHardenWithNotarization" MacCertificate="MacDeveloperHarden" MacNotarizationAppName="dotnet" />
+    <CertificatesSignInfo Include="MacDeveloperWithNotarization" MacCertificate="MacDeveloper" MacNotarizationAppName="dotnet" />
+    <CertificatesSignInfo Include="MacDeveloperVNextWithNotarization" MacCertificate="MacDeveloperVNext" MacNotarizationAppName="dotnet" />
+    <CertificatesSignInfo Include="MacDeveloperVNextHardenWithNotarization" MacCertificate="MacDeveloperVNextHarden" MacNotarizationAppName="dotnet" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(EnableDefaultArtifacts)' == 'true'">
@@ -60,6 +63,13 @@
     <FileExtensionSignInfo Include=".zip" CertificateName="None" />
     <FileExtensionSignInfo Include=".tgz" CertificateName="None" />
     <FileExtensionSignInfo Include=".tar.gz" CertificateName="None" />
+    <!-- Note, these can only be unpack/repacked on Mac. They can be signed on a non-Mac -->
+    <FileExtensionSignInfo Include=".pkg" CertificateName="MacDeveloper" />
+    <!-- .app bundles are technically directories, but the Microsoft.DotNet.MacOsPkg
+    tool packs these bundles into zips when unpacking .pkgs -->
+    <FileExtensionSignInfo Include=".app" CertificateName="MacDeveloper" />
+    <!-- Runtime hardening is required for notarization. -->
+    <FileExtensionSignInfo Include=".dylib" CertificateName="MacDeveloperHarden" />
   </ItemGroup>
 
   <!-- The name of the .NET specific certificate, which is a general replacement for Microsoft400

src/Microsoft.DotNet.Build.Tasks.Feed.Tests/BuildModelFactoryTests.cs

@@ -393,6 +393,11 @@ public void RoundTripFromTaskItemsToFileToXml()
                 new TaskItem("MyOtherCert", new Dictionary<string, string>()
                 {
                     { "DualSigningAllowed", "true" }
+                }),
+                new TaskItem("MySpecialCert", new Dictionary<string, string>()
+                {
+                    { "MacCertificate", "MacMac" },
+                    { "MacNotarizationAppName", "dotnet" }
                 })
             };
 
@@ -522,11 +527,22 @@ public void RoundTripFromTaskItemsToFileToXml()
                     {
                         item.Include.Should().Be("MyCert");
                         item.DualSigningAllowed.Should().Be(false);
+                        item.MacCertificate.Should().BeNullOrEmpty();
+                        item.MacNotarizationAppName.Should().BeNullOrEmpty();
                     },
                     item =>
                     {
                         item.Include.Should().Be("MyOtherCert");
                         item.DualSigningAllowed.Should().Be(true);
+                        item.MacCertificate.Should().BeNullOrEmpty();
+                        item.MacNotarizationAppName.Should().BeNullOrEmpty();
+                    },
+                    item =>
+                    {
+                        item.Include.Should().Be("MySpecialCert");
+                        item.DualSigningAllowed.Should().Be(false);
+                        item.MacCertificate.Should().Be("MacMac");
+                        item.MacNotarizationAppName.Should().Be("dotnet");
                     });
                 modelFromFile.SigningInformation.FileExtensionSignInfo.Should().SatisfyRespectively(
                     item =>

src/Microsoft.DotNet.Build.Tasks.Feed/src/SigningInformationModelFactory.cs

@@ -4,6 +4,7 @@
 using Microsoft.Build.Framework;
 using Microsoft.Build.Utilities;
 using Microsoft.DotNet.VersionTools.BuildManifest.Model;
+using Microsoft.DotNet.VersionTools.Util;
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -101,7 +102,11 @@ public SigningInformationModel CreateSigningInformationModelFromItems(
                 foreach (var signInfo in certificatesSignInfo)
                 {
                     var attributes = signInfo.CloneCustomMetadata() as IDictionary<string, string>;
-                    parsedCertificatesSignInfoModel.Add(new CertificatesSignInfoModel { Include = signInfo.ItemSpec, DualSigningAllowed = bool.Parse(attributes["DualSigningAllowed"]) });
+                    parsedCertificatesSignInfoModel.Add(new CertificatesSignInfoModel { Include = signInfo.ItemSpec,
+                                                                                        DualSigningAllowed = bool.Parse(attributes.GetOrDefault("DualSigningAllowed") ?? "false"),
+                                                                                        MacCertificate = attributes.GetOrDefault("MacCertificate"),
+                                                                                        MacNotarizationAppName = attributes.GetOrDefault("MacNotarizationAppName"),
+                    });
                 }
             }
 

src/Microsoft.DotNet.MacOsPkg/AppBundle.cs

@@ -1,10 +1,49 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System;
+using System.Diagnostics;
+using System.IO;
+
 namespace Microsoft.DotNet.MacOsPkg
 {
     internal static class AppBundle
     {
+        /// <summary>
+        /// Determine whether a path is an app bundle.
+        /// 
+        /// A path an app bundle if:
+        /// - It's a directory and ends in .app and contains a Contents directory and that contains an Info.plist file.
+        /// - It's a file and ends in .app.
+        /// </summary>
+        /// <param name="path">Path to check</param>
+        /// <returns>True if this is an app bundle, false otherwise</returns>
+        internal static bool IsBundle(string path)
+        {
+            if (Directory.Exists(path))
+            {
+                // Case sensitive check for .app extension is intentional.
+                if (Path.GetExtension(path) == ".app")
+                {
+                    bool containsAppBundleContents = Directory.Exists(Path.Combine(path, "Contents")) &&
+                        File.Exists(Path.Combine(path, "Contents", "Info.plist"));
+                    if (!containsAppBundleContents)
+                    {
+                        // If we hit this, and it is a valid app bundle, then we should adjust the logic above.
+                        // If we never hit this (likely), then remove.
+                        throw new Exception("Unexpected .app directory structure. Please contact dnceng.");
+                    }
+                    return containsAppBundleContents;
+                }
+            }
+            else
+            {
+                return Path.GetExtension(path) == ".app";
+            }
+
+            return false;
+        }
+
         internal static void Unpack(string inputPath, string outputPath)
         {
             string args = $"-V -xk {inputPath} {outputPath}";
@@ -16,5 +55,14 @@ internal static void Pack(string inputPath, string outputPath)
             string args = $"-c -k --sequesterRsrc {inputPath} {outputPath}";
             ExecuteHelper.Run("ditto", args);
         }
+
+        internal static void VerifySignature(string inputPath)
+        {
+            string output = ExecuteHelper.Run("codesign", $"--verify --verbose {inputPath}");
+            if (output.Contains("is not signed at all"))
+            {
+                throw new Exception("No signature found in app bundle");
+            }
+        }
     }
 }

src/Microsoft.DotNet.MacOsPkg/Microsoft.DotNet.MacOsPkg.csproj

@@ -12,6 +12,10 @@
     <DevelopmentDependency>false</DevelopmentDependency>
   </PropertyGroup>
 
+  <ItemGroup>
+    <PackageReference Include="System.CommandLine" />
+  </ItemGroup>
+
   <PropertyGroup Condition="'$(TargetFramework)' == '$(NetToolCurrent)'">
     <PackAsTool>true</PackAsTool>
     <ToolCommandName>dotnet-macos-pkg</ToolCommandName>

src/Microsoft.DotNet.MacOsPkg/Package.cs

@@ -69,12 +69,37 @@ private static void UnpackInstallerPackage(string dstPath, string distribution)
             }
         }
 
+        /// <summary>
+        /// Unpack the payload of the .pkg, and package up .app directories as .zips
+        /// </summary>
+        /// <param name="dstPath"></param>
+        /// <remarks>
+        /// In a pkg, the .app bundles are represented by directories with a standard file structure.
+        /// The directory is typically marked with a .app extension, though apparently this is not required.
+        /// The important part is that the .app bundle is viewed by the system as a single entity and is signed as such.
+        /// This means that signtool needs to view the .app as a signable file and not as a directory. To achieve this,
+        /// After unpacking the payload, we zip the .app directories so that signtool can properly track them, unpack them recursively again,
+        /// and sign them.
+        /// 
+        /// There's one other important element to this. We need to recognize whether the .app directory is in fact
+        /// a .app bundle and not, say "Microsoft.NetCore.App". To do this, we apply some heuristics.
+        /// If:
+        /// - Extension should be lower case ".app"
+        /// - A directory named "Contents" under the .app directory.
+        /// - An Info.plist in this "Contents" directory.
+        /// 
+        /// If these conditions are met, the file is re-zipped and treated like a bundle.
+        /// 
+        /// NOTE: I believe that there are very no circumstances where the first condition is met but the other two
+        /// will NOT be met. For now, this method will throw an exception in this case so that further examination can be
+        /// made.
+        /// </remarks>
         private static void UnpackComponentPackage(string dstPath)
         {
             UnpackPayload(dstPath);
 
             // Zip the nested app bundles
-            IEnumerable<string> nestedApps = Directory.GetDirectories(dstPath, "*.app", SearchOption.AllDirectories);
+            IEnumerable<string> nestedApps = Directory.GetDirectories(dstPath, "*.app", SearchOption.AllDirectories).Where(app => AppBundle.IsBundle(app));
             foreach (string app in nestedApps)
             {
                 string tempDest = $"{app}.zip";
@@ -117,7 +142,7 @@ private static void PackInstallerPackage(string srcPath, string dstPath, string
         private static void PackComponentPackage(string srcPath, string dstPath, string packageInfo)
         {
             // Unzip the nested app bundles
-            IEnumerable<string> zippedNestedApps = Directory.GetFiles(srcPath, "*.app", SearchOption.AllDirectories);
+            IEnumerable<string> zippedNestedApps = Directory.GetFiles(srcPath, "*.app", SearchOption.AllDirectories).Where(app => AppBundle.IsBundle(app));
             foreach (string appZip in zippedNestedApps)
             {
                 // Unzip the .app directory
@@ -175,5 +200,17 @@ private static void ExpandPackage(string srcPath, string dstPath) =>
 
         private static string GetPackageInfoAttribute(XElement pkgInfo, string elementName) =>
             pkgInfo.Attribute(elementName)?.Value ?? throw new Exception($"{elementName} is required in PackageInfo");
+
+        internal static void VerifySignature(string inputPath)
+        {
+            Console.WriteLine($"Verifying signature of {inputPath}");
+            string full_path = Path.GetFullPath(inputPath);
+            string output = ExecuteHelper.Run("pkgutil", $"--check-signature {full_path}");
+            Console.WriteLine(output);
+            if (output.Contains("Status: no signature"))
+            {
+                throw new Exception("No signature found in package");
+            }
+        }
     }
 }