
Conversation

jtschuster (Member) commented Jul 4, 2025

Adds a target to codesign the native AOT binary when publishing on a Mac. Assumes no cross-compilation (which we don't support IIRC).

Adds entitlements.xml with the disable-library-validation entitlement, which appears to be necessary though I haven't determined why yet.

Use the NativeBinary property instead of reconstructing the path.

Copilot AI (Contributor) left a comment

Pull Request Overview

This PR adds automatic code signing for native AOT binaries on macOS by introducing an entitlements file and new MSBuild targets.

  • Introduce entitlements.xml with disable-library-validation entitlement
  • Add AdHocSign target in Microsoft.NETCore.Native.Unix.targets to codesign the binary after linking
  • Update CopyNativeBinary in Microsoft.NETCore.Native.Publish.targets to copy the signed binary

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File and description of the change:

  • src/coreclr/nativeaot/BuildIntegration/entitlements.xml: New entitlements file enabling disable-library-validation
  • src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets: New AdHocSign MSBuild target for ad-hoc signing on Apple platforms
  • src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Publish.targets: Updated CopyNativeBinary to use the signed $(NativeBinary)
Comments suppressed due to low confidence (4)

src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets:365

  • [nitpick] The target name AdHocSign is ambiguous. Consider renaming it to CodesignNativeBinary to clearly convey its purpose and match existing naming conventions.
  <Target Name="AdHocSign"

src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Unix.targets:365

  • [nitpick] It may be helpful to introduce a user-settable property (e.g., SkipCodesign) so teams can opt out of this signing step in certain CI or debug scenarios. You can conditionally run this target based on that property.
  <Target Name="AdHocSign"

src/coreclr/nativeaot/BuildIntegration/Microsoft.NETCore.Native.Publish.targets:92

  • [nitpick] Add a comment to explain why we’re now copying the signed $(NativeBinary) instead of the original output path to clarify this change for future maintainers.
    <Copy SourceFiles="$(NativeBinary)" DestinationFolder="$(PublishDir)" />

src/coreclr/nativeaot/BuildIntegration/entitlements.xml:1

  • The entitlements.xml needs the standard plist wrapper and XML declaration to be a valid property list. Consider adding <?xml version="1.0" encoding="UTF-8"?> and <plist version="1.0"> before <dict>, and a closing </plist> after.
<dict>
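The signing target with the opt-out property the second suppressed comment asks for, written out as an added illustration; this is not code from the PR or from dotnet/runtime. `NativeBinary` is the property named on the page; `LinkNative` and `_IsApplePlatform` are assumed to be the existing target and property names in the Native AOT build integration, and `SkipCodesign`, `CodesignEntitlements` and `CodesignNativeBinary` are hypothetical names chosen for this example.

```xml
<!-- Added example, not the PR's code. Names other than NativeBinary are
     assumptions about the Native AOT build integration. -->
<Project>
  <PropertyGroup>
    <!-- Hypothetical opt-out: build with /p:SkipCodesign=true to skip signing,
         e.g. in CI lanes that sign the final artifact separately. -->
    <SkipCodesign Condition="'$(SkipCodesign)' == ''">false</SkipCodesign>
    <!-- Hypothetical: left empty, the binary is signed with no entitlements,
         which is what the thread concludes Native AOT binaries need. -->
    <CodesignEntitlements Condition="'$(CodesignEntitlements)' == ''"></CodesignEntitlements>
  </PropertyGroup>

  <Target Name="CodesignNativeBinary"
          AfterTargets="LinkNative"
          Condition="'$(_IsApplePlatform)' == 'true' and '$(SkipCodesign)' != 'true'">
    <PropertyGroup>
      <!-- Only pass --entitlements when a file was explicitly provided. -->
      <_EntitlementsArg Condition="'$(CodesignEntitlements)' != ''">--entitlements &quot;$(CodesignEntitlements)&quot;</_EntitlementsArg>
    </PropertyGroup>

    <!-- "-s -" requests an ad-hoc signature: no signing identity and no
         certificate chain, so it only seals the binary's contents; "-f"
         replaces any signature the linker already produced. -->
    <Exec Command="codesign -s - -f $(_EntitlementsArg) &quot;$(NativeBinary)&quot;" />

    <!-- Fail the build if the resulting signature does not verify. -->
    <Exec Command="codesign --verify --strict &quot;$(NativeBinary)&quot;" />
  </Target>
</Project>
```

If an entitlements file is passed, it must be a complete property list (the XML declaration and a `<plist version="1.0">` element around the `<dict>`), as the fourth suppressed comment notes. Note also that `com.apple.security.cs.disable-library-validation` turns off hardened-runtime library validation, so a process carrying it will load libraries that are not signed by the same team or by Apple; an entitlement that weakens a runtime check should be added only once the need for it is understood, which is why the thread's conclusion that Native AOT binaries need no entitlements is the safer default.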

dotnet-policy-service (Contributor) commented

Tagging subscribers to this area: @agocke, @MichalStrehovsky, @jkotas
See info in area-owners.md if you want to be subscribed.

agocke (Member) left a comment

LGTM, thanks!

jkotas (Member) commented Jul 4, 2025

What is the scenario that this is fixing?

agocke (Member) left a comment

Turns out this isn't necessary. Native AOT shouldn't need any entitlements. The rest of the cleanup is still nice though.

jtschuster (Member, Author) commented

Reverted the codesign-related changes, left in a small change to use the NativeBinary property instead of reconstructing the path.

agocke (Member) left a comment

LGTM although I think the title and description are now out of date

@jtschuster jtschuster changed the title from "Codesign nativeaot binaries after linking on MacOS" to "Use the NativeBinary property instead of reconstructing the path in NativeAOT target" Jul 9, 2025
@jtschuster jtschuster merged commit ceede7f into dotnet:main Jul 9, 2025
95 of 100 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Aug 9, 2025