Closed
Labels: enhancement
Description
Note: the problem looks pretty much the same as #13417, but I can't comment/reopen there.
Steps to Reproduce
- Create new net6 cocoa app or use dylibSignTest.zip
- Configure codesign for Release configuration
  - to check the "can't run" problem the development key is ok (already done in attached sample project).

    ```xml
    <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
      <UseSGen>false</UseSGen>
      <EnableCodeSigning>true</EnableCodeSigning>
      <CodeSignEntitlements>Entitlements.plist</CodeSignEntitlements>
      <CodeSigningKey>Mac Developer</CodeSigningKey>
      <CodeSignProvision></CodeSignProvision>
      <UseHardenedRuntime>true</UseHardenedRuntime>
    </PropertyGroup>
    ```
  - to check the notarization problem the full-featured distribution key and valid provisional profile will be needed.
- Build in the Release configuration
- Try to run
- Try to send to the notarization
Expected Behavior
- the signed app bundle runs successfully on the developer machine
- notarization is passed successfully
Actual Behavior
- the signed app bundle can't run with the following error

  ```
  Termination Reason: Namespace DYLD, Code 1 Library missing
  Library not loaded: '@executable_path/../MonoBundle/libSystem.IO.Compression.Native.dylib'
  Referenced from: '/Users/USER/*/dylibSignTest.app/Contents/MacOS/dylibSignTest'
  Reason: tried: '' (code signature in <FE36D47D-FEC6-319A-AB51-06CAC4C0055E> '' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '' (no such file)
  (terminated at launch; ignore backtrace)
  ```

  The `libSystem.IO.Compression.Native.dylib` exists at the location mentioned in the error message.
- the notarization (when signed with full-featured distribution key and with appropriate provisional profile) will fail with the following errors

  ```
  "message": "The signature does not include a secure timestamp.",
  "message": "The executable does not have the hardened runtime enabled.",
  "message": "The binary is not signed with a valid Developer ID certificate.",
  ```

  Full detailed issues list

  ```json
  "issues": [
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/createdump", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/createdump", "message": "The executable does not have the hardened runtime enabled.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libcoreclr.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libcoreclr.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.Native.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.Native.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.IO.Compression.Native.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.IO.Compression.Native.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.Globalization.Native.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.Globalization.Native.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.Apple.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.Apple.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libmscordaccore.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libmscordaccore.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libhostfxr.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libhostfxr.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.Net.Security.Native.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.Net.Security.Native.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libmscordbi.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libmscordbi.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libhostpolicy.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libhostpolicy.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.OpenSsl.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libSystem.Security.Cryptography.Native.OpenSsl.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libdbgshim.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libdbgshim.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libclrjit.dylib", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": null, "architecture": "x86_64" },
    { "severity": "error", "code": null, "path": "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/libclrjit.dylib", "message": "The signature does not include a secure timestamp.", "docUrl": null, "architecture": "x86_64" }
  ]
  ```
- meanwhile, `codesign --verify --deep` shows that all is ok with the app bundle signature.
Environment
Version information
Visual Studio Professional 2022 for Mac
Version 17.3.2 (build 24)
Installation UUID: a87824ae-bc51-4a50-8f48-0dd33f485b77
Runtime
.NET 6.0.5 (64-bit)
Architecture: X64
Roslyn (Language Service)
4.3.0-3.22312.2+52adfb8b2dc71ed4278debcf13960f2116868608
NuGet
Version: 6.2.1.2
.NET SDK (x64)
SDK: /usr/local/share/dotnet/sdk/6.0.400/Sdks
SDK Versions:
6.0.400
3.1.422
MSBuild SDKs: /Applications/Visual Studio.app/Contents/MonoBundle/MSBuild/Current/bin/Sdks
.NET Runtime (x64)
Runtime: /usr/local/share/dotnet/dotnet
Runtime Versions:
6.0.8
3.1.28
Xamarin.Profiler
Version: 1.8.0.19
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler
Updater
Version: 11
Apple Developer Tools
Xcode 13.4.1 (20504)
Build 13F100
Xamarin.Mac
Version: 8.12.0.2 (Visual Studio Professional)
Hash: 87f98a75e
Branch: d17-3
Build date: 2022-07-25 20:18:54-0400
Xamarin.iOS
Version: 15.12.0.2 (Visual Studio Professional)
Hash: 87f98a75e
Branch: d17-3
Build date: 2022-07-25 20:18:55-0400
Xamarin Designer
Version: 17.3.0.208
Hash: 0de472ea0
Branch: remotes/origin/d17-3
Build date: 2022-08-18 19:06:21 UTC
Xamarin.Android
Not Installed
Microsoft Build of OpenJDK
Java SDK: /Library/Java/JavaVirtualMachines/microsoft-11.jdk
11.0.12
Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL
Eclipse Temurin JDK
Java SDK: /Library/Java/JavaVirtualMachines/temurin-8.jdk
1.8.0.302
Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL
Android SDK Manager
Version: 17.3.0.23
Hash: 965bf40
Branch: remotes/origin/d17-3
Build date: 2022-08-18 19:06:26 UTC
Android Device Manager
Version: 0.0.0.1169
Hash: fafb1d5
Branch: fafb1d5
Build date: 2022-08-18 19:06:26 UTC
Build Information
Release ID: 1703020024
Git revision: c1a3681e7dfad26a867f37f6666da40621931798
Build date: 2022-08-18 19:04:12+00
Build branch: release-17.3
Build lane: release-17.3
Operating System
Mac OS X 12.5.1
Darwin 21.6.0 Darwin Kernel Version 21.6.0
Wed Aug 10 14:25:27 PDT 2022
root:xnu-8020.141.5~2/RELEASE_X86_64 x86_64
Enabled user installed extensions
Log Monitor 0.7
.NET Core Extensions 0.4
Build Logs
Example Project (If Possible)
Additional details
- the distribution certificate used for notarization is valid, I was able to pass notarization with this certificate for old mono-based project
- I tried the workaround from "CreateDump doesn't get signed #13417 (comment)", but got the build error

  ```
  error : The "Codesign" task was not given a value for the required parameter "StampFile", nor was there a "CodesignStampFile" metadata on the resource /Users/sergey/work/dylibSignTest/dylibSignTest/bin/Release/net6.0-macos/osx-x64/dylibSignTest.app/Contents/MonoBundle/createdump.
  ```
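
Added example (not part of the original issue or the project's code): a small triage of the notarization log's `issues` array that groups the errors per nested binary and lists the `codesign` options that address each unmet requirement. The requirement labels, function names and the trimmed sample log are this example's own; the messages, JSON keys and path layout are those shown in the issue.

```python
import json
from collections import defaultdict

# Notarization messages quoted in the issue, mapped to a short label (this
# example's own naming) and the codesign option that satisfies the requirement.
REQUIREMENTS = {
    "The signature does not include a secure timestamp.":
        ("secure-timestamp", "--timestamp"),
    "The executable does not have the hardened runtime enabled.":
        ("hardened-runtime", "--options runtime"),
    "The binary is not signed with a valid Developer ID certificate.":
        ("developer-id", "--sign <Developer ID Application identity>"),
}

def triage(log_text):
    """Return {bundle-relative path: sorted list of unmet requirement labels}."""
    log = json.loads(log_text)
    unmet = defaultdict(set)
    for issue in log.get("issues") or []:      # tolerate a missing or null list
        if issue.get("severity") != "error":
            continue
        # Drop the leading "<archive>.zip/" component of the reported path.
        path = issue["path"].split("/", 1)[-1]
        # Unknown messages are kept verbatim so nothing is silently dropped.
        label, _ = REQUIREMENTS.get(issue["message"], (issue["message"], None))
        unmet[path].add(label)
    return {path: sorted(labels) for path, labels in unmet.items()}

def resign_options(labels):
    """codesign options covering the given labels, ordered by label name."""
    by_label = dict(REQUIREMENTS.values())
    return [by_label[name] for name in sorted(labels) if name in by_label]

# Constructed sample: four entries in the shape of the issue's log.
_PREFIX = "dylibSignTest.app.zip/dylibSignTest.app/Contents/MonoBundle/"
_MSGS = list(REQUIREMENTS)
SAMPLE_LOG = json.dumps({"issues": [
    {"severity": "error", "path": _PREFIX + name, "message": _MSGS[i],
     "architecture": "x86_64"}
    for name, i in [("createdump", 0), ("createdump", 1),
                    ("libcoreclr.dylib", 2), ("libcoreclr.dylib", 0)]
]})

if __name__ == "__main__":
    for path, labels in triage(SAMPLE_LOG).items():
        print(path, labels, resign_options(labels))
```
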