Add code signing build rules

MaxDesiatov · MaxDesiatov · commit 68d877e07da5 · 2023-10-18T09:33:32.000+01:00
diff --git a/Sources/Build/BuildDescription/ProductBuildDescription.swift b/Sources/Build/BuildDescription/ProductBuildDescription.swift
@@ -367,6 +367,10 @@ public final class ProductBuildDescription: SPMBuildCore.ProductBuildDescription
 
         return flags
     }
+
+    func codeSigningArguments(plistPath: AbsolutePath, binaryPath: AbsolutePath) -> [String] {
+        ["codesign", "--force", "--sign", "-", "--entitlements", plistPath.pathString, binaryPath.pathString]
+    }
 }
 
 extension SortedArray where Element == AbsolutePath {
diff --git a/Sources/Build/BuildManifest/LLBuildManifestBuilder+Product.swift b/Sources/Build/BuildManifest/LLBuildManifestBuilder+Product.swift
@@ -33,6 +33,10 @@ extension LLBuildManifestBuilder {
             testInputs = []
         }
 
+        // Create a phony node to represent the entire target.
+        let targetName = try buildProduct.product.getLLBuildTargetName(config: self.buildConfig)
+        let output: Node = .virtual(targetName)
+
         switch buildProduct.product.type {
         case .library(.static):
             try self.manifest.addShellCmd(
@@ -49,15 +53,26 @@ extension LLBuildManifestBuilder {
                 + [buildProduct.linkFileListPath]
                 + testInputs
 
+            let shouldCodeSign: Bool
+            if case .executable = buildProduct.product.type,
+               buildParameters.debuggingParameters.shouldEnableDebuggingEntitlement {
+                shouldCodeSign = true
+            } else {
+                shouldCodeSign = false
+            }
+
+            let linkedBinarySuffix = shouldCodeSign ? "-unsigned" : ""
+            let linkedBinaryPath = try AbsolutePath(validating: buildProduct.binaryPath.pathString + linkedBinarySuffix)
+
             try self.manifest.addShellCmd(
                 name: cmdName,
                 description: "Linking \(buildProduct.binaryPath.prettyPath())",
                 inputs: inputs.map(Node.file),
-                outputs: [.file(buildProduct.binaryPath)],
-                arguments: try buildProduct.linkArguments()
+                outputs: [.file(linkedBinaryPath)],
+                arguments: try buildProduct.linkArguments(outputPathSuffix: linkedBinarySuffix)
             )
 
-            if buildParameters.debuggingParameters.shouldEnableDebuggingEntitlement {
+            if shouldCodeSign {
                 let basename = try buildProduct.binaryPath.basename
                 let plistPath = try buildProduct.binaryPath.parentDirectory
                     .appending(component: "\(basename)-entitlement.plist")
@@ -67,20 +82,25 @@ extension LLBuildManifestBuilder {
                 )
 
                 let cmdName = try buildProduct.product.getCommandName(config: self.buildConfig)
+                let codeSigningOutput = Node.virtual(targetName + "-CodeSigning")
                 try self.manifest.addShellCmd(
                     name: "\(cmdName)-entitlements",
                     description: "Applying debug entitlements to \(buildProduct.binaryPath.prettyPath())",
-                    inputs: [buildProduct.binaryPath, plistPath].map(Node.file),
-                    outputs: <#T##[Node]#>,
-                    arguments: <#T##[String]#>
+                    inputs: [linkedBinaryPath, plistPath].map(Node.file),
+                    outputs: [codeSigningOutput],
+                    arguments: buildProduct.codeSigningArguments(plistPath: plistPath, binaryPath: linkedBinaryPath)
+                )
+
+                try self.manifest.addShellCmd(
+                    name: "\(cmdName)-entitlements",
+                    description: "Applying debug entitlements to \(buildProduct.binaryPath.prettyPath())",
+                    inputs: [.virtual(targetName + "-CodeSigning")],
+                    outputs: [.file(buildProduct.binaryPath)],
+                    arguments: ["mv", linkedBinaryPath.pathString, buildProduct.binaryPath.pathString]
                 )
             }
         }
 
-        // Create a phony node to represent the entire target.
-        let targetName = try buildProduct.product.getLLBuildTargetName(config: self.buildConfig)
-        let output: Node = .virtual(targetName)
-
         self.manifest.addNode(output, toTarget: targetName)
         try self.manifest.addPhonyCmd(
             name: output.name,
diff --git a/Sources/SPMBuildCore/BuildParameters/BuildParameters+Debugging.swift b/Sources/SPMBuildCore/BuildParameters/BuildParameters+Debugging.swift
@@ -28,7 +28,8 @@ extension BuildParameters {
 
         public var debugInfoFormat: DebugInfoFormat
         
-        /// Whether the produced executable
+        /// Whether the produced executable should be codesigned with the debugging entitlement, enabling enhanced
+        /// backtraces on macOS.
         public var shouldEnableDebuggingEntitlement: Bool
     }
 

Original file line number	Diff line number	Diff line change
`@@ -367,6 +367,10 @@ public final class ProductBuildDescription: SPMBuildCore.ProductBuildDescription`
`367`	`367`
`368`	`368`	`return flags`
`369`	`369`	`}`
	`370`	`+`
	`371`	`+ func codeSigningArguments(plistPath: AbsolutePath, binaryPath: AbsolutePath) -> [String] {`
	`372`	`+ ["codesign", "--force", "--sign", "-", "--entitlements", plistPath.pathString, binaryPath.pathString]`
	`373`	`+ }`
`370`	`374`	`}`
`371`	`375`
`372`	`376`	`extension SortedArray where Element == AbsolutePath {`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,8 @@ extension BuildParameters {`
`28`	`28`
`29`	`29`	`public var debugInfoFormat: DebugInfoFormat`
`30`	`30`
`31`		`- /// Whether the produced executable`
	`31`	`+ /// Whether the produced executable should be codesigned with the debugging entitlement, enabling enhanced`
	`32`	`+ /// backtraces on macOS.`
`32`	`33`	`public var shouldEnableDebuggingEntitlement: Bool`
`33`	`34`	`}`
`34`	`35`