Add iOS/tvOS signing capability to Helix SDK (XHarness) (#6823)

Adds the possibility to target real Apple devices and sign the applications before deploying them using XHarness.

The signing process requires certificates to be placed on each Helix machine in a KeyChain and a provisioning profile from netcorenativeassets that is embedded into the application.

Integration testing will be coming soon

- The `OSX.1015.Amd64.Iphone.Open` queue is already populated with signing certificates and is ready to start signing
- The `OSX.1015.Amd64.AppleTV.Open` will be ready soon (#11675)

Resolves dotnet/core-eng#11678

Author: premun

.gitattributes

@@ -61,3 +61,4 @@ format text eol=lf
 compat text eol=lf
 *.bats text eol=lf
 *.1 text eol=lf
+*.plist text eol=lf

azure-pipelines.yml

@@ -181,10 +181,24 @@ stages:
               -projects $(Build.SourcesDirectory)/tests/UnitTests.XHarness.iOS.proj
               /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/Helix.XHarness.iOS.binlog
               /p:RestoreUsingNuGetTargets=false
-            displayName: XHarness iOS Helix Testing
+            displayName: XHarness iOS Simulator Helix Testing
             env:
               SYSTEM_ACCESSTOKEN: $(System.AccessToken)
               HelixAccessToken: ''
+          # TODO (prvysoky): This will be enabled once we get a better app to test with (core-eng/11893)
+          # - script: eng/common/build.sh
+          #     -configuration $(_BuildConfig)
+          #     -prepareMachine
+          #     -ci
+          #     -restore
+          #     -test
+          #     -projects $(Build.SourcesDirectory)/tests/UnitTests.XHarness.iOS.Device.proj
+          #     /bl:$(Build.SourcesDirectory)/artifacts/log/$(_BuildConfig)/Helix.XHarness.iOS.Device.binlog
+          #     /p:RestoreUsingNuGetTargets=false
+          #   displayName: XHarness iOS Device Helix Testing
+          #   env:
+          #     SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+          #     HelixAccessToken: ''
           - script: eng/common/build.sh
               -configuration $(_BuildConfig)
               -prepareMachine

src/Microsoft.DotNet.Helix/Sdk/CreateXHarnessAndroidWorkItems.cs

@@ -66,7 +66,7 @@ private async Task<ITaskItem> PrepareWorkItem(ITaskItem appPackage)
             Log.LogMessage($"Creating work item with properties Identity: {workItemName}, Payload: {appPackage.ItemSpec}, Command: {command}");
 
             string workItemZip = await CreateZipArchiveOfPackageAsync(appPackage.ItemSpec);
-            
+
             return new Build.Utilities.TaskItem(workItemName, new Dictionary<string, string>()
             {
                 { "Identity", workItemName },
@@ -82,28 +82,17 @@ private async Task<string> CreateZipArchiveOfPackageAsync(string fileToZip)
             string fileName = $"xharness-apk-payload-{Path.GetFileNameWithoutExtension(fileToZip).ToLowerInvariant()}.zip";
             string outputZipAbsolutePath = Path.Combine(directoryOfPackage, fileName);
             using (FileStream fs = File.OpenWrite(outputZipAbsolutePath))
+            using (var zip = new ZipArchive(fs, ZipArchiveMode.Create, false))
             {
-                using (var zip = new ZipArchive(fs, ZipArchiveMode.Create, false))
-                {
-                    zip.CreateEntryFromFile(fileToZip, Path.GetFileName(fileToZip));
-                    // WorkItem payloads of APKs can be reused if sent to multiple queues at once,
-                    // so we'll always include both scripts (very small)
-                    await AddEntryPointScriptsToWorkItemPayloadAsync(zip, PosixAndroidWrapperScript);
-                    await AddEntryPointScriptsToWorkItemPayloadAsync(zip, NonPosixAndroidWrapperScript);
-                }
+                zip.CreateEntryFromFile(fileToZip, Path.GetFileName(fileToZip));
             }
-            return outputZipAbsolutePath;
-        }
 
-        private async Task AddEntryPointScriptsToWorkItemPayloadAsync(ZipArchive zip, string scriptName)
-        {
-            var runnerScriptEntry = zip.CreateEntry(scriptName);
-            using (var helixPayloadStreamWriter = new StreamWriter(runnerScriptEntry.Open()))
-            {
-                var thisAssembly = GetType().Assembly;
-                using Stream embeddedScriptResourceStream = thisAssembly.GetManifestResourceStream($"{thisAssembly.GetName().Name}.tools.xharness_runner.{scriptName}");
-                await embeddedScriptResourceStream.CopyToAsync(helixPayloadStreamWriter.BaseStream);
-            }
+            // WorkItem payloads of APKs can be reused if sent to multiple queues at once,
+            // so we'll always include both scripts (very small)
+            await AddResourceFileToPayload(outputZipAbsolutePath, PosixAndroidWrapperScript);
+            await AddResourceFileToPayload(outputZipAbsolutePath, NonPosixAndroidWrapperScript);
+
+            return outputZipAbsolutePath;
         }
 
         private string ValidateMetadataAndGetXHarnessAndroidCommand(ITaskItem appPackage, TimeSpan xHarnessTimeout, int expectedExitCode)

src/Microsoft.DotNet.Helix/Sdk/CreateXHarnessAppleWorkItems.cs

@@ -31,6 +31,11 @@ public class CreateXHarnessAppleWorkItems : XHarnessTaskBase
         /// </summary>
         public string XcodeVersion { get; set; }
 
+        /// <summary>
+        /// Path to the provisioning profile that will be used to sign the app (in case of real device targets).
+        /// </summary>
+        public string ProvisioningProfilePath { get; set; }
+
         /// <summary>
         /// The main method of this MSBuild task which calls the asynchronous execution method and
         /// collates logged errors in order to determine the success of HelixWorkItems
@@ -85,6 +90,14 @@ private async Task<ITaskItem> PrepareWorkItem(ITaskItem appBundleItem)
                 return null;
             }
 
+            bool isDeviceTarget = targets.Contains("device");
+            string provisioningProfileDest = Path.Combine(appFolderPath, "embedded.mobileprovision");
+            if (isDeviceTarget && string.IsNullOrEmpty(ProvisioningProfilePath) && !File.Exists(provisioningProfileDest))
+            {
+                Log.LogError("ProvisioningProfilePath parameter not set but required for real device targets!");
+                return null;
+            }
+
             // Optional timeout for the how long it takes for the app to be installed, booted and tests start executing
             TimeSpan launchTimeout = TimeSpan.FromMinutes(DefaultLaunchTimeoutInMinutes);
             if (appBundleItem.TryGetMetadata(LaunchTimeoutPropName, out string launchTimeoutProp))
@@ -110,15 +123,29 @@ private async Task<ITaskItem> PrepareWorkItem(ITaskItem appBundleItem)
                 Log.LogWarning("The ExpectedExitCode property is ignored in the `ios test` scenario");
             }
 
+            if (isDeviceTarget)
+            {
+                if (!File.Exists(provisioningProfileDest))
+                {
+                    Log.LogMessage("Adding provisioning profile into the app bundle");
+                    File.Copy(ProvisioningProfilePath, provisioningProfileDest);
+                }
+                else
+                {
+                    Log.LogMessage("Bundle already contains a provisioning profile");
+                }
+            }
+
             string appName = Path.GetFileName(appBundleItem.ItemSpec);
             string command = GetHelixCommand(appName, targets, testTimeout, launchTimeout, includesTestRunner, expectedExitCode);
+            string payloadArchivePath = await CreateZipArchiveOfFolder(appFolderPath);
 
             Log.LogMessage($"Creating work item with properties Identity: {workItemName}, Payload: {appFolderPath}, Command: {command}");
 
-            return new Microsoft.Build.Utilities.TaskItem(workItemName, new Dictionary<string, string>()
+            return new Build.Utilities.TaskItem(workItemName, new Dictionary<string, string>()
             {
                 { "Identity", workItemName },
-                { "PayloadArchive", await CreateZipArchiveOfFolder(appFolderPath) },
+                { "PayloadArchive", payloadArchivePath },
                 { "Command", command },
                 { "Timeout", workItemTimeout.ToString() },
             });
@@ -158,21 +185,10 @@ private async Task<string> CreateZipArchiveOfFolder(string folderToZip)
             ZipFile.CreateFromDirectory(folderToZip, outputZipPath, CompressionLevel.Fastest, includeBaseDirectory: true);
 
             Log.LogMessage($"Adding the Helix job payload scripts into the ziparchive");
-            await AddFileToPayload(outputZipPath, EntryPointScriptName);
-            await AddFileToPayload(outputZipPath, RunnerScriptName);
+            await AddResourceFileToPayload(outputZipPath, EntryPointScriptName);
+            await AddResourceFileToPayload(outputZipPath, RunnerScriptName);
 
             return outputZipPath;
         }
-
-        private async Task AddFileToPayload(string payloadArchivePath, string fileName)
-        {
-            var thisAssembly = typeof(CreateXHarnessAppleWorkItems).Assembly;
-            using Stream fileStream = thisAssembly.GetManifestResourceStream($"{thisAssembly.GetName().Name}.tools.xharness_runner.{fileName}");
-            using FileStream archiveStream = new FileStream(payloadArchivePath, FileMode.Open);
-            using ZipArchive archive = new ZipArchive(archiveStream, ZipArchiveMode.Update);
-            ZipArchiveEntry entry = archive.CreateEntry(fileName);
-            using StreamWriter zipEntryWriter = new StreamWriter(entry.Open());
-            await fileStream.CopyToAsync(zipEntryWriter.BaseStream);
-        }
     }
 }

src/Microsoft.DotNet.Helix/Sdk/XharnessTaskBase.cs

@@ -1,4 +1,8 @@
 using System;
+using System.IO;
+using System.IO.Compression;
+using System.Reflection;
+using System.Threading.Tasks;
 using Microsoft.Build.Framework;
 using Newtonsoft.Json;
 
@@ -90,5 +94,26 @@ public abstract class XHarnessTaskBase : BaseTask
                 WorkItemTimeout: workItemTimeout,
                 ExpectedExitCode: expectedExitCode);
         }
+
+        protected static async Task AddResourceFileToPayload(string payloadArchivePath, string resourceFileName, string targetFileName = null)
+        {
+            using Stream fileStream = GetResourceFileContent(resourceFileName);
+            await AddToPayloadArchive(payloadArchivePath, targetFileName ?? resourceFileName, fileStream);
+        }
+
+        protected static async Task AddToPayloadArchive(string payloadArchivePath, string targetFilename, Stream content)
+        {
+            using FileStream archiveStream = new FileStream(payloadArchivePath, FileMode.Open);
+            using ZipArchive archive = new ZipArchive(archiveStream, ZipArchiveMode.Update);
+            ZipArchiveEntry entry = archive.CreateEntry(targetFilename);
+            using Stream targetStream = entry.Open();
+            await content.CopyToAsync(targetStream);
+        }
+
+        protected static Stream GetResourceFileContent(string resourceFileName)
+        {
+            Assembly thisAssembly = typeof(XHarnessTaskBase).Assembly;
+            return thisAssembly.GetManifestResourceStream($"{thisAssembly.GetName().Name}.tools.xharness_runner.{resourceFileName}");
+        }
     }
 }

src/Microsoft.DotNet.Helix/Sdk/tools/xharness-runner/Readme.md

@@ -115,6 +115,16 @@ You can configure the execution further via MSBuild properties:
 </PropertyGroup>
 ```
 
+#### Targeting real iOS/tvOS devices
+
+To deploy an app bundle to a real device, the app bundle needs to be signed before the deployment.
+The Helix machines, that have devices attached to them, already contain the signing certificates and a provisioning profile will be downloaded as part of the job.
+
+When using the Helix SDK and targeting real devices:
+- You have to ideally supply a non-signed app bundle - the app will be signed for you on the Helix machine where your job gets executed
+- Only the basic set of app permissions are supported at the moment and we cannot re-sign an app that was already signed with a different set of permissions
+- Bundle id has to start with `net.dot.` since we only support those application IDs at the moment
+
 ### Android .apk payloads
 
 To execute .apks, declare one or more `XHarnessApkToTest` items:

src/Microsoft.DotNet.Helix/Sdk/tools/xharness-runner/XHarnessRunner.props

@@ -6,5 +6,8 @@
     <_HelixMonoQueueTargets>$(_HelixMonoQueueTargets);$(MSBuildThisFileDirectory)XHarnessRunner.targets</_HelixMonoQueueTargets>
 
     <XHarnessPackageSource Condition=" '$(XHarnessPackageSource)' == '' ">https://dnceng.pkgs.visualstudio.com/public/_packaging/dotnet-eng/nuget/v3/index.json</XHarnessPackageSource>
+
+    <!-- Needed for app signing and tied to certificates installed in Helix machines -->
+    <XHarnessAppleProvisioningProfileUrl>https://netcorenativeassets.blob.core.windows.net/resource-packages/external/ios/NET_Apple_Development_iOS.mobileprovision</XHarnessAppleProvisioningProfileUrl>
   </PropertyGroup>
 </Project>

src/Microsoft.DotNet.Helix/Sdk/tools/xharness-runner/XHarnessRunner.targets

@@ -102,9 +102,18 @@
   <Target Name="CreateAppleWorkItems"
           Condition=" '@(XHarnessAppBundleToTest)' != '' "
           BeforeTargets="CoreTest">
+    <DownloadFile SourceUrl="$(XHarnessAppleProvisioningProfileUrl)"
+                  Condition=" '$(XHarnessAppleProvisioningProfileUrl)' != '' "
+                  DestinationFolder="$(ArtifactsTmpDir)"
+                  SkipUnchangedFiles="True"
+                  Retries="5">
+      <Output TaskParameter="DownloadedFile" ItemName="_XHarnessProvisioningProfile" />
+    </DownloadFile>
+
     <CreateXHarnessAppleWorkItems AppBundles="@(XHarnessAppBundleToTest)"
-                                IsPosixShell="$(IsPosixShell)"
-                                XcodeVersion="$(XHarnessXcodeVersion)">
+                                  IsPosixShell="$(IsPosixShell)"
+                                  XcodeVersion="$(XHarnessXcodeVersion)"
+                                  ProvisioningProfilePath="@(_XHarnessProvisioningProfile)">
       <Output TaskParameter="WorkItems" ItemName="HelixWorkItem"/>
     </CreateXHarnessAppleWorkItems>
   </Target>

src/Microsoft.DotNet.Helix/Sdk/tools/xharness-runner/xharness-runner.apple.sh

@@ -99,9 +99,47 @@ else
     xcode_path="/Applications/Xcode${xcode_version/./}.app"
 fi
 
-# Start the simulator if it is not running already
-simulator_app="$xcode_path/Contents/Developer/Applications/Simulator.app"
-open -a "$simulator_app"
+# Signing
+if [ "$targets" == 'ios-device' ] || [ "$targets" == 'tvos-device' ]; then
+    echo "Real device target detected, application will be signed"
+
+    provisioning_profile="$app/embedded.mobileprovision"
+    if [ ! -f "$provisioning_profile" ]; then
+        echo "No embedded provisioning profile found at $provisioning_profile! Failed to sign the app!"
+        exit 21
+    fi
+
+    # Unlock the keychain with certs
+    keychain_name='signing-certs.keychain-db'
+    keychain_password=$(cat ~/.config/keychain)
+
+    security list-keychains | grep "$keychain_name"
+    result=$?
+    if [ $result != 0 ]; then
+        echo "Keychain '$keychain_name' was not found"
+        exit 22
+    fi
+
+    security find-identity -vp codesigning "$keychain_name" | grep " 0 valid identities found"
+    result=$?
+    if [ $result == 0 ]; then
+        echo "No valid signing identities found in the keychain"
+        exit 23
+    fi
+
+    security unlock-keychain -p "$keychain_password" "$keychain_name"
+
+    # Generate entitlements file
+    security cms -D -i "$provisioning_profile" > provision.plist
+    /usr/libexec/PlistBuddy -x -c 'Print :Entitlements' provision.plist > entitlements.plist
+
+    # Sign the app
+    /usr/bin/codesign -v --force --sign "Apple Development" --keychain "$keychain_name" --entitlements entitlements.plist "$app"
+else
+    # Start the simulator if it is not running already
+    simulator_app="$xcode_path/Contents/Developer/Applications/Simulator.app"
+    open -a "$simulator_app"
+fi
 
 export XHARNESS_DISABLE_COLORED_OUTPUT=true
 export XHARNESS_LOG_WITH_TIMESTAMPS=true
@@ -110,12 +148,12 @@ export XHARNESS_LOG_WITH_TIMESTAMPS=true
 # which come from outside and are appeneded behind "--" and forwarded to the iOS application from XHarness.
 # shellcheck disable=SC2086,SC2090
 dotnet exec "$xharness_cli_path" apple $command \
-    --app="$app"                              \
-    --output-directory="$output_directory"    \
-    --targets="$targets"                      \
-    --timeout="$timeout"                      \
-    --xcode="$xcode_path"                     \
-    -v                                        \
+    --app="$app"                                \
+    --output-directory="$output_directory"      \
+    --targets="$targets"                        \
+    --timeout="$timeout"                        \
+    --xcode="$xcode_path"                       \
+    -v                                          \
     $app_arguments
 
 exit_code=$?

tests/UnitTests.XHarness.iOS.Device.proj

@@ -0,0 +1,49 @@
+<Project DefaultTargets="Test">
+  <!-- See UnitTests.proj in above folder for why this is included directly-from-repo -->
+  <Import Project="$(MSBuildThisFileDirectory)\..\src\Microsoft.DotNet.Helix\Sdk\sdk\Sdk.props"/>
+
+  <!--
+    This is a project used in integration tests of Arcade.
+    It tests sending iOS (XHarness) workloads using the Helix SDK.
+    It builds two mock projects that do not build iOS apps but only downloads them from a storage account.
+   -->
+
+  <PropertyGroup>
+    <MicrosoftDotNetHelixSdkTasksAssembly Condition="'$(MSBuildRuntimeType)' == 'Core'">$(MSBuildThisFileDirectory)../artifacts/bin/Microsoft.DotNet.Helix.Sdk/$(Configuration)/netcoreapp2.1/publish/Microsoft.DotNet.Helix.Sdk.dll</MicrosoftDotNetHelixSdkTasksAssembly>
+    <MicrosoftDotNetHelixSdkTasksAssembly Condition="'$(MSBuildRuntimeType)' != 'Core'">$(MSBuildThisFileDirectory)../artifacts/bin/Microsoft.DotNet.Helix.Sdk/$(Configuration)/net472/publish/Microsoft.DotNet.Helix.Sdk.dll</MicrosoftDotNetHelixSdkTasksAssembly>
+  </PropertyGroup>
+
+  <PropertyGroup>
+    <HelixType>test/product/</HelixType>
+    <TestRunNamePrefix>$(AGENT_JOBNAME)</TestRunNamePrefix>
+    <IncludeXHarnessCli>true</IncludeXHarnessCli>
+    <EnableXUnitReporter>true</EnableXUnitReporter>
+    <EnableAzurePipelinesReporter>true</EnableAzurePipelinesReporter>
+    <HelixBaseUri>https://helix.dot.net</HelixBaseUri>
+  </PropertyGroup>
+
+  <!-- Test project which builds app bundle to run via XHarness -->
+  <ItemGroup>
+    <XHarnessAppleProject Include="$(MSBuildThisFileDirectory)XHarness\XHarness.RunAppBundle.Device.proj" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <HelixTargetQueue Include="osx.1015.amd64.iphone.open" />
+  </ItemGroup>
+
+  <PropertyGroup Condition=" '$(HelixAccessToken)' == '' ">
+    <IsExternal>true</IsExternal>
+    <Creator>$(BUILD_SOURCEVERSIONAUTHOR)</Creator>
+    <Creator Condition=" '$(Creator)' == ''">anon</Creator>
+  </PropertyGroup>
+
+  <!-- Useless stuff to make Arcade SDK happy -->
+  <PropertyGroup>
+    <Language>msbuild</Language>
+  </PropertyGroup>
+
+  <Target Name="Pack"/>
+
+  <!-- See UnitTests.proj in above folder for why this is included directly-from-repo -->
+  <Import Project="$(MSBuildThisFileDirectory)\..\src\Microsoft.DotNet.Helix\Sdk\sdk\Sdk.targets"/>
+</Project>