Description
I noticed this today after an internal discussion on Teams related to dotnet/cli-lab#346.
When you publish a self-contained app on macOS today, the apphost in the output directory doesn't contain any entitlements:
$ dotnet new console -o signtest
$ dotnet publish --self-contained
$ codesign -d --entitlements - --xml bin/Release/net9.0/osx-x64/publish/signtest
Executable=/Users/alexander/dev/test/signtest/bin/Release/net9.0/osx-x64/publish/signtest
Contrast this with the apphost in the apphost pack:
$ codesign -d --entitlements - --xml /Users/alexander/.nuget/packages/microsoft.netcore.app.host.osx-x64/9.0.2/runtimes/osx-x64/native/apphost
Executable=/Users/alexander/.nuget/packages/microsoft.netcore.app.host.osx-x64/9.0.2/runtimes/osx-x64/native/apphost
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.cs.debugger</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.get-task-allow</key><true/>
</dict>
</plist>
This has the entitlements we embed during the runtime build from https://github.com/dotnet/runtime/blob/main/eng/native/entitlements.plist
It looks like the code in HostWriter.cs, which is invoked by the CreateAppHost msbuild task in the dotnet sdk to ad-hoc sign the binary, doesn't preserve the entitlements.
This means that developers who want to sign the apphost with a real certificate and enable the hardened runtime option need to re-add the entitlements, which is not obvious; see dotnet/sdk#24337, which now also uses outdated entitlements compared to what we use nowadays. The list on the public docs page is outdated too: https://learn.microsoft.com/en-us/dotnet/core/install/macos-notarization-issues#default-entitlements
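A small check for the situation described in this issue, added here as an example and not code from the dotnet/runtime or dotnet/sdk repositories: it parses the XML that `codesign -d --entitlements - --xml` prints for two binaries and reports which entitlements of the reference (the apphost from the apphost pack) are absent or different in the published apphost. The reference plist is the one shown above for the pack; the published binary's output is a constructed empty string, which is what an apphost with no entitlements yields. The `read_entitlements` helper, the `missing_entitlements` function and the `PACK_ENTITLEMENTS_XML`/`PUBLISHED_ENTITLEMENTS_XML` names are this example's own; they are not part of the SDK.

```python
"""Compare the entitlements embedded in two Mach-O binaries.

Constructed example: the expected set is the entitlements plist printed for
the apphost pack in this issue; the "published" output is empty, as it is for
the apphost that the SDK ad-hoc re-signed without entitlements.
"""
import plistlib
import shutil
import subprocess
from typing import Any, Dict, List

# Entitlements printed for microsoft.netcore.app.host.osx-x64 (copied from the issue).
PACK_ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.cs.debugger</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.get-task-allow</key><true/>
</dict></plist>"""

# Constructed stand-in for the published apphost: codesign prints no plist at all
# when the signature carries no entitlements.
PUBLISHED_ENTITLEMENTS_XML = b""


def parse_entitlements(xml_bytes: bytes) -> Dict[str, Any]:
    """Turn codesign's --xml output into a dict; no output means no entitlements."""
    if not xml_bytes.strip():
        return {}
    return plistlib.loads(xml_bytes)


def missing_entitlements(expected_xml: bytes, actual_xml: bytes) -> List[str]:
    """Keys whose value in `actual_xml` differs from (or is absent compared to) `expected_xml`.

    Values are compared, not just keys, so an entitlement flipped to <false/>
    is reported as well as one that was dropped entirely.
    """
    expected = parse_entitlements(expected_xml)
    actual = parse_entitlements(actual_xml)
    return sorted(key for key, value in expected.items() if actual.get(key) != value)


def read_entitlements(path: str) -> bytes:
    """Run codesign on a real binary (macOS only) and return the XML it prints on stdout.

    The "Executable=..." line goes to stderr, so stdout is either an XML plist or empty.
    """
    codesign = shutil.which("codesign")
    if codesign is None:
        raise RuntimeError("codesign not found; this check needs macOS")
    result = subprocess.run(
        [codesign, "-d", "--entitlements", "-", "--xml", path],
        capture_output=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        # Real use: python check_entitlements.py <pack apphost> <published apphost>
        expected, actual = read_entitlements(sys.argv[1]), read_entitlements(sys.argv[2])
    else:
        expected, actual = PACK_ENTITLEMENTS_XML, PUBLISHED_ENTITLEMENTS_XML
    lost = missing_entitlements(expected, actual)
    for key in lost:
        print(f"missing or changed: {key}")
    sys.exit(1 if lost else 0)
```

When the check reports keys as missing, the fix a developer applies today is the one the issue describes: sign again with `--entitlements <plist>` (and `--options runtime` for the hardened runtime) using the runtime's current entitlements.plist rather than an older copy.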