dotnet · jtschuster · Nov 12, 2024 · Oct 17, 2024 · Oct 17, 2024 · Oct 17, 2024
diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml
@@ -474,5 +474,9 @@
       <Uri>https://github.com/dotnet/node</Uri>
       <Sha>78c56619da525bd37de4c2828092762fb4fa03c4</Sha>
     </Dependency>
+    <Dependency Name="Microsoft.NET.HostModel.TestData" Version="10.0.0-beta.24522.1">
+      <Uri>https://github.com/dotnet/runtime-assets</Uri>
+      <Sha>24f902e6d5bfe3fec9f07d55efe44794aec614a1</Sha>
+    </Dependency>
   </ToolsetDependencies>
 </Dependencies>
diff --git a/eng/Versions.props b/eng/Versions.props
@@ -154,6 +154,7 @@
     <SystemTextRegularExpressionsTestDataVersion>10.0.0-beta.24530.1</SystemTextRegularExpressionsTestDataVersion>
     <SystemWindowsExtensionsTestDataVersion>10.0.0-beta.24530.1</SystemWindowsExtensionsTestDataVersion>
     <MicrosoftDotNetCilStripSourcesVersion>10.0.0-beta.24530.1</MicrosoftDotNetCilStripSourcesVersion>
+    <MicrosoftNETHostModelTestDataVersion>10.0.0-beta.24522.1</MicrosoftNETHostModelTestDataVersion>
     <!-- dotnet-optimization dependencies -->
     <optimizationwindows_ntx64MIBCRuntimeVersion>1.0.0-prerelease.24462.2</optimizationwindows_ntx64MIBCRuntimeVersion>
     <optimizationwindows_ntx86MIBCRuntimeVersion>1.0.0-prerelease.24462.2</optimizationwindows_ntx86MIBCRuntimeVersion>

diff --git a/src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs b/src/installer/managed/Microsoft.NET.HostModel/AppHost/HostWriter.cs
@@ -7,6 +7,7 @@
 using System.IO.MemoryMappedFiles;
 using System.Runtime.InteropServices;
 using System.Text;
+using Microsoft.NET.HostModel.MachO;
 
 namespace Microsoft.NET.HostModel.AppHost
 {
@@ -60,7 +61,7 @@ public enum SearchLocation : byte
         /// <param name="appBinaryFilePath">Full path to app binary or relative path to the result apphost file</param>
         /// <param name="windowsGraphicalUserInterface">Specify whether to set the subsystem to GUI. Only valid for PE apphosts.</param>
         /// <param name="assemblyToCopyResourcesFrom">Path to the intermediate assembly, used for copying resources to PE apphosts.</param>
-        /// <param name="enableMacOSCodeSign">Sign the app binary using codesign with an anonymous certificate.</param>
+        /// <param name="enableMacOSCodeSign">Sign the app binary with an anonymous certificate. Only use when the AppHost is a Mach-O file built for MacOS.</param>
         /// <param name="disableCetCompat">Remove CET Shadow Stack compatibility flag if set</param>
         /// <param name="dotNetSearchOptions">Options for how the created apphost should look for the .NET install</param>
         public static void CreateAppHost(
@@ -118,48 +119,55 @@ void RewriteAppHost(MemoryMappedFile mappedFile, MemoryMappedViewAccessor access
             {
                 RetryUtil.RetryOnIOError(() =>
                 {
-                    FileStream appHostSourceStream = null;
-                    MemoryMappedFile memoryMappedFile = null;
-                    MemoryMappedViewAccessor memoryMappedViewAccessor = null;
-                    try
+                    bool isMachOImage;
+                    using (FileStream appHostDestinationStream = new FileStream(appHostDestinationFilePath, FileMode.Create, FileAccess.ReadWrite))
                     {
-                        // Open the source host file.
-                        appHostSourceStream = new FileStream(appHostSourceFilePath, FileMode.Open, FileAccess.Read, FileShare.Read, bufferSize: 1);
-                        memoryMappedFile = MemoryMappedFile.CreateFromFile(appHostSourceStream, null, 0, MemoryMappedFileAccess.Read, HandleInheritability.None, true);
-                        memoryMappedViewAccessor = memoryMappedFile.CreateViewAccessor(0, 0, MemoryMappedFileAccess.CopyOnWrite);
-
+                        using (FileStream appHostSourceStream = new(appHostSourceFilePath, FileMode.Open, FileAccess.Read, FileShare.Read, bufferSize: 1))
+                        {
+                            isMachOImage = MachObjectFile.IsMachOImage(appHostSourceStream);
+                            if (!isMachOImage && enableMacOSCodeSign)
+                            {
+                                throw new InvalidDataException("Cannot sign a non-Mach-O file.");
+                            }
+                            appHostSourceStream.CopyTo(appHostDestinationStream);
+                        }
                         // Get the size of the source app host to ensure that we don't write extra data to the destination.
                         // On Windows, the size of the view accessor is rounded up to the next page boundary.
-                        long sourceAppHostLength = appHostSourceStream.Length;
-
-                        // Transform the host file in-memory.
-                        RewriteAppHost(memoryMappedFile, memoryMappedViewAccessor);
-
-                        // Save the transformed host.
-                        using (FileStream fileStream = new FileStream(appHostDestinationFilePath, FileMode.Create))
+                        long appHostLength = appHostDestinationStream.Length;
+                        string destinationFileName = Path.GetFileName(appHostDestinationFilePath);
+                        // On Mac, we need to extend the file size to accommodate the signature.
+                        long appHostTmpCapacity = enableMacOSCodeSign ?
+                            appHostLength + MachObjectFile.GetSignatureSizeEstimate((uint)appHostLength, destinationFileName)
+                            : appHostLength;
+
+                        using (MemoryMappedFile memoryMappedFile = MemoryMappedFile.CreateFromFile(appHostDestinationStream, null, appHostTmpCapacity, MemoryMappedFileAccess.ReadWrite, HandleInheritability.None, true))
+                        using (MemoryMappedViewAccessor memoryMappedViewAccessor = memoryMappedFile.CreateViewAccessor(0, appHostTmpCapacity, MemoryMappedFileAccess.ReadWrite))
                         {
-                            BinaryUtils.WriteToStream(memoryMappedViewAccessor, fileStream, sourceAppHostLength);
-
-                            // Remove the signature from MachO hosts.
-                            if (!appHostIsPEImage)
+                            // Transform the host file in-memory.
+                            RewriteAppHost(memoryMappedFile, memoryMappedViewAccessor);
+                            if (isMachOImage)
                             {
-                                MachOUtils.RemoveSignature(fileStream);
+                                if (enableMacOSCodeSign)
+                                {
+                                    string fileName = Path.GetFileName(appHostDestinationFilePath);
+                                    MachObjectFile machObjectFile = MachObjectFile.Create(memoryMappedViewAccessor);
+                                    appHostLength = machObjectFile.CreateAdHocSignature(memoryMappedViewAccessor, fileName);
+                                }
+                                else if (MachObjectFile.TryRemoveCodesign(memoryMappedViewAccessor, out long? length))
+                                {
+                                    appHostLength = length.Value;
+                                }
                             }
+                        }
+                        appHostDestinationStream.SetLength(appHostLength);
 
-                            if (assemblyToCopyResourcesFrom != null && appHostIsPEImage)
-                            {
-                                using var updater = new ResourceUpdater(fileStream, true);
-                                updater.AddResourcesFromPEImage(assemblyToCopyResourcesFrom);
-                                updater.Update();
-                            }
+                        if (assemblyToCopyResourcesFrom != null && appHostIsPEImage)
+                        {
+                            using var updater = new ResourceUpdater(appHostDestinationStream, true);
+                            updater.AddResourcesFromPEImage(assemblyToCopyResourcesFrom);
+                            updater.Update();
                         }
                     }
-                    finally
-                    {
-                        memoryMappedViewAccessor?.Dispose();
-                        memoryMappedFile?.Dispose();
-                        appHostSourceStream?.Dispose();
-                    }
                 });
 
                 if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
@@ -178,15 +186,6 @@ void RewriteAppHost(MemoryMappedFile mappedFile, MemoryMappedViewAccessor access
                     {
                         throw new Win32Exception(Marshal.GetLastWin32Error(), $"Could not set file permission {Convert.ToString(filePermissionOctal, 8)} for {appHostDestinationFilePath}.");
                     }
-
-                    if (enableMacOSCodeSign && RuntimeInformation.IsOSPlatform(OSPlatform.OSX) && HostModelUtils.IsCodesignAvailable())
-                    {
-                        (int exitCode, string stdErr) = HostModelUtils.RunCodesign("-s -", appHostDestinationFilePath);
-                        if (exitCode != 0)
-                        {
-                            throw new AppHostSigningException(exitCode, stdErr);
-                        }
-                    }
                 }
             }
             catch (Exception ex)