AppHost signature not being removed on macOS  #41693

Open
@externl

Description

At some point in the last few weeks C# apps using TLS started crashing on a project I work on. After comparing Console.app logs with a colleague who is running with the same system configuration, we noticed one noticeable difference:

code requirement check failed (-67050), client is not Apple-signed

After digging closer we noticed that dotnet apps on my colleague's MacBook were not signed at all, while mine had a bogus signature.

It seems that for some reason, when I created an app using the <UseAppHost>True</UseAppHost> property, the signature is not removed from the apphost app after copying it (RetryUtil.RetryOnIOError(RemoveSignatureIfMachO); ?). This seems to lead to internal errors when using TLS (see a stack at the end).

How to reproduce

❯ mkdir foo && cd foo
❯ dotnet new console
*** edit project foo.csproj to include <UseAppHost>True</UseAppHost> ***
❯ dotnet build

The generated foo binary now has an invalid signature.

❯ codesign -v bin/Debug/netcoreapp3.1/foo
bin/Debug/netcoreapp3.1/foo: invalid signature (code or signature have been modified)
In architecture: x86_64

Expected result

❯ codesign -v bin/Debug/netcoreapp3.1/foo
bin/Debug/netcoreapp3.1/foo: code object is not signed at all
In architecture: x86_64

Configuration

❯ dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   3.1.401
 Commit:    39d17847db

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.15
 OS Platform: Darwin
 RID:         osx.10.15-x64
 Base Path:   /usr/local/share/dotnet/sdk/3.1.401/

Host (useful for support):
  Version: 3.1.7
  Commit:  fcfdef8d6b

.NET Core SDKs installed:
  3.1.401 [/usr/local/share/dotnet/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.App 3.1.7 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 3.1.7 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

Regression?

Yes. Though it works fine for my colleagues. Just failing for me.

Other information

  • One notable thing that happened recently is that I installed, and then uninstalled quickly after, the Xcode 12 and Apple Configurator beta.

Code sign info detail for foo

❯ codesign -dv bin/Debug/netcoreapp3.1/foo
Executable=/Users/joe/workspace/foo/bin/Debug/netcoreapp3.1/foo
Identifier=client-555549446e4495955e3d30318046040352838d5a
Format=Mach-O thin (x86_64)
CodeDirectory v=20100 size=832 flags=0x2(adhoc) hashes=21+2 location=system
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

The SSL/TLS exception (probably not relevant)

   ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
    ---> Interop+AppleCrypto+SslException: Internal error
      --- End of inner exception stack trace ---
      at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
      at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
      at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
      at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
      at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
      at System.Net.Security.SslStream.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
   --- End of stack trace from previous location where exception was thrown ---
      at System.Net.Security.SslStream.ThrowIfExceptional()
      at System.Net.Security.SslStream.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
      at System.Net.Security.SslStream.EndProcessAuthentication(IAsyncResult result)
      at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
      at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__69_1(IAsyncResult iar)
      at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
   --- End of stack trace from previous location where exception was thrown ---
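
An added example, not part of the original issue and not code from the .NET SDK: a check that reports whether a built apphost still carries an embedded signature, by walking the Mach-O load commands for LC_CODE_SIGNATURE. It assumes that a correctly stripped apphost has no such load command, handles only the thin little-endian 64-bit layout that codesign reports above (not universal binaries), and says nothing about whether a signature that is present is valid. The names find_code_signature and sample_macho are hypothetical, and the sample bytes are constructed.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF       # thin 64-bit Mach-O (little-endian on disk for x86_64)
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D       # linkedit_data_command locating the signature blob

def find_code_signature(data: bytes):
    """Return (dataoff, datasize) of the embedded signature, or None if absent."""
    if len(data) < 32:
        raise ValueError("too short for mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    end = 32 + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    off = 32
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_CODE_SIGNATURE:
            if cmdsize < 16:
                raise ValueError("LC_CODE_SIGNATURE too small")
            dataoff, datasize = struct.unpack_from("<2I", data, off + 8)
            if dataoff + datasize > len(data):
                raise ValueError("signature blob lies outside the file")
            return dataoff, datasize
        off += cmdsize
    return None

def sample_macho(signed: bool) -> bytes:
    """Constructed Mach-O-shaped bytes for the demo (not a real apphost)."""
    cmds = struct.pack("<2I", LC_SEGMENT_64, 72) + b"\0" * 64  # zeroed segment_command_64
    blob = b""
    if signed:
        blob = b"\0" * 16                                      # placeholder signature bytes
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 32 + len(cmds) + 16, len(blob))
    ncmds = 2 if signed else 1
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, ncmds, len(cmds), 0, 0)
    return header + cmds + blob

if __name__ == "__main__":
    for path in sys.argv[1:]:          # e.g. bin/Debug/netcoreapp3.1/foo
        with open(path, "rb") as f:
            print(path, find_code_signature(f.read()))
```

A result of None corresponds to the "not signed at all" state shown under Expected result; an (offset, size) pair means a signature blob is still referenced and should be checked with codesign -v.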

Labels: area-HostModel (Microsoft.NET.HostModel issues)
