Preserve entitlements in MacOS signer #115800

Draft
wants to merge 28 commits into
base: main

jtschuster
Member

Testing CI to preserve entitlements in the managed MacOS signer

- Write out the updated symtab command when writing Mach-O file
- Pass macosCodesign through to test CreateAppHost methods
- Remove redundant `codesign` checks
- Warn when bundler is told to sign the bundle for a non-macos target
- Allow macosCodesign to be true for non-mac bundles
- Allow some padding between string table and signature
- Use the same memory-mapped file instance for placeholder replacement
  and signing
- formatting changes
@github-actions github-actions bot added the area-HostModel Microsoft.NET.HostModel issues label May 20, 2025
Contributor

Tagging subscribers to this area: @vitek-karas, @agocke
See info in area-owners.md if you want to be subscribed.

@jtschuster jtschuster requested a review from Copilot May 20, 2025 20:09
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR updates the MacOS signer to preserve entitlements in the code signature. Key changes include:

  • Enabling nullable reference types and updating signature-related types to support optional code signature blobs.
  • Incorporating entitlements and DER entitlements into signature creation with new size estimation logic.
  • Removing the signature-presence check in bundle creation to allow signatures with entitlements.

Reviewed Changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.cs | Updated signature field types; added EmbeddedSignatureBlob getter; commented out a signature equivalence check. |
| src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.CodeSignature.cs | Modified signature creation to include entitlements; updated size estimation logic. |
| src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/SymbolTableLoadCommand.cs | Renamed structure usage from SymbolTableCommand to SymbolTableLoadCommand. |
| src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs | Removed existing signature check before bundling. |
| Other files | Adjusted or added blob handling to support entitlements and updated enums accordingly. |

Comments suppressed due to low confidence (3)

src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.CodeSignature.cs:279

  • The switch from GetCodeSignatureSize to GetLargestSizeEstimate must be validated to ensure that the new estimation accurately reflects the additional size needed for entitlements and related blobs.
return CodeSignature.GetLargestSizeEstimate(fileSize, identifier) + (AlignUp(fileSize, CodeSignatureAlignment) - fileSize);

src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs:244

  • The removal of the signature-presence check in HostWriter.cs should be reviewed to ensure that bypassing this validation does not allow unintended signed content into bundles.
if (machObjectFile.HasSignature)

src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.cs:251

  • Commenting out the equivalence check for the code signature blob may allow mismatched signatures to be treated as equivalent. Confirm that disabling this check is an intentional change for preserving entitlements.
// if (!CodeSignature.AreEquivalent(a._codeSignatureBlob, b._codeSignatureBlob))

Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR enhances the managed MacOS signing tool to preserve existing entitlements (and DER entitlements) when re-signing, adjusts signature sizing logic, and renames/refactors related types.

  • Make the CodeSignature blob nullable and thread through the old signature to preserve entitlements
  • Update CreateSignature, slot counts, and size estimates to include entitlements/DER entitlements
  • Rename SymbolTableCommand to SymbolTableLoadCommand; remove obsolete signature‐present check in host bundling

Reviewed Changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.cs | Made _codeSignatureBlob nullable, threaded oldSignature, renamed symtab type, disabled signature equivalence |
| src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.CodeSignature.cs | Added oldSignature overload, preserved entitlements, updated slot/hash logic, new GetSignatureSize |
| src/installer/managed/Microsoft.NET.HostModel/MachO/Enums/CodeDirectorySpecialSlot.cs | Added Entitlements and DerEntitlements slots |
| src/installer/managed/Microsoft.NET.HostModel/MachO/Enums/BlobMagic.cs | Added magic values for entitlements and DER entitlements |
| src/installer/managed/Microsoft.NET.HostModel/MachO/BinaryFormat/SymbolTableLoadCommand.cs | Renamed SymbolTableCommand to SymbolTableLoadCommand |
| src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs | Removed check that prevented bundling over existing signatures |

Comments suppressed due to low confidence (2)

src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.CodeSignature.cs:39

  • The new entitlements preservation logic in CreateSignature and related size calculations lack targeted unit tests for both entitlements and DER entitlements. Adding tests to cover cases where oldSignature contains each blob will ensure correct slot ordering and hash computation.
internal static CodeSignature CreateSignature(MachObjectFile machObject, MemoryMappedViewAccessor file, string identifier, CodeSignature? oldSignature)

src/installer/managed/Microsoft.NET.HostModel/MachO/MachObjectFile.cs:251

  • Disabling the CodeSignature.AreEquivalent check in AreEquivalent causes signature differences to be ignored, potentially marking non-equivalent binaries as equivalent. Consider restoring or updating this logic to compare entitlements and DER entitlements as part of equivalence.
// if (!CodeSignature.AreEquivalent(a._codeSignatureBlob, b._codeSignatureBlob))

@@ -219,7 +223,7 @@ public static void RemoveCodeSignatureIfPresent(FileStream bundle)
}
if (resized)
{
bundle.SetLength(newLength.Value);
bundle.SetLength(newLength!.Value);
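
Review bot: `newLength!.Value` on the last line silences the nullable warning instead of stating the invariant that `resized` being true means `newLength` was assigned, and nothing in the visible lines ties the two together. Make the dependency explicit ahead of the call, for example with `Debug.Assert(newLength.HasValue)` if `newLength` is a nullable value type as `.Value` suggests, or by testing it in the `if (resized)` condition, so that a later change to how `resized` is set fails at a line that names the broken assumption.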

Copilot AI May 21, 2025

Using the null-forgiving operator here bypasses null-checks and may cause a NullReferenceException if newLength is unexpectedly null. Consider validating newLength before calling .Value or avoiding force-unwrapping.

Suggested change
bundle.SetLength(newLength!.Value);
if (newLength == null)
{
throw new InvalidOperationException("newLength cannot be null when resized is true.");
}
bundle.SetLength(newLength.Value);

Copilot uses AI. Check for mistakes.

size += sizeof(BlobMagic); // Signature blob Magic number
size += sizeof(uint); // Size field
size += sizeof(uint); // Blob count
size += sizeof(BlobIndex) * embeddedSignatureSubBlobCount; // EmbeddedSignature sub-blobs
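
Review bot: on the `sizeof(BlobIndex) * embeddedSignatureSubBlobCount` line, the header estimate is only as good as the count passed in, and the visible lines do not show which sub-blobs that count covers. Add a comment here listing the blobs that are counted and whether optional ones are counted only when present, and add a test asserting that the estimate is never smaller than the serialized signature, since an undersized reservation would leave no room for the extra index entries.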

Copilot AI May 21, 2025

There are several large commented-out blocks and legacy code paths; consider removing or refactoring them to keep the codebase clean and maintainable.

Copilot uses AI. Check for mistakes.
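
A stand-alone check of what this PR is meant to guarantee, as an added example in Python (not code from the PR or from dotnet/runtime): it parses the embedded-signature SuperBlob index, sizes the header the same way as the `size +=` excerpt above, and reports entitlements slots that a re-sign dropped. The magic and slot numbers are Apple's public code-signing constants; the function names and sample payloads are assumptions constructed for the example.

```python
import struct

# Added example, not dotnet/runtime code. Magic and slot numbers are Apple's public
# code-signing constants; names and payloads are constructed for illustration.
SUPERBLOB_MAGIC = 0xFADE0CC0
CODE_DIRECTORY = (0, 0xFADE0C02)  # (special slot, blob magic)
ENTITLEMENTS = (5, 0xFADE7171)
DER_ENTITLEMENTS = (7, 0xFADE7172)

def header_size(count):
    return 4 + 4 + 4 + 8 * count  # magic, size, blob count, (slot, offset) per sub-blob

def build(blobs):
    # blobs: list of ((slot, magic), payload); returns the serialized SuperBlob
    index, body, offset = b"", b"", header_size(len(blobs))
    for (slot, magic), payload in blobs:
        index += struct.pack(">II", slot, offset)
        body += struct.pack(">II", magic, 8 + len(payload)) + payload
        offset += 8 + len(payload)
    return struct.pack(">III", SUPERBLOB_MAGIC, offset, len(blobs)) + index + body

def parse(sig):
    # Returns {slot: whole sub-blob}; rejects any offset or length outside sig.
    if len(sig) < header_size(0):
        raise ValueError("truncated SuperBlob")
    magic, size, count = struct.unpack_from(">III", sig)
    if magic != SUPERBLOB_MAGIC or size != len(sig) or header_size(count) > size:
        raise ValueError("bad SuperBlob header")
    blobs = {}
    for i in range(count):
        slot, off = struct.unpack_from(">II", sig, header_size(i))
        if off < header_size(count) or off + 8 > size:
            raise ValueError("sub-blob offset out of bounds")
        length = struct.unpack_from(">I", sig, off + 4)[0]
        if length < 8 or off + length > size:
            raise ValueError("sub-blob length out of bounds")
        blobs[slot] = sig[off:off + length]
    return blobs

def dropped_entitlements(old_sig, new_sig):
    # Slots present in the old signature but missing or altered in the new one.
    old, new = parse(old_sig), parse(new_sig)
    return [s for s in (ENTITLEMENTS[0], DER_ENTITLEMENTS[0])
            if s in old and new.get(s) != old[s]]

# Constructed samples: original, a re-sign that keeps entitlements, one that drops them.
ENT = [(ENTITLEMENTS, b"<plist>sample</plist>"), (DER_ENTITLEMENTS, b"der-sample")]
OLD = build([(CODE_DIRECTORY, b"cd-v1")] + ENT)
KEPT = build([(CODE_DIRECTORY, b"cd-v2")] + ENT)
LOST = build([(CODE_DIRECTORY, b"cd-v2")])
```

`dropped_entitlements(OLD, KEPT)` is empty, while `dropped_entitlements(OLD, LOST)` names slots 5 and 7; the two extra index entries and blobs are also why the preserved signature needs a larger size estimate.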
