bazelbuild
diff --git a/‎apple/internal/BUILD‎
Lines changed: 1 addition & 0 deletions b/‎apple/internal/BUILD‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎apple/internal/codesigning_support.bzl‎
Lines changed: 52 additions & 29 deletions b/‎apple/internal/codesigning_support.bzl‎
Lines changed: 52 additions & 29 deletions
diff --git a/‎apple/internal/partials/codesigning_dossier.bzl‎
Lines changed: 13 additions & 4 deletions b/‎apple/internal/partials/codesigning_dossier.bzl‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎apple/internal/xcframework_rules.bzl‎
Lines changed: 78 additions & 3 deletions b/‎apple/internal/xcframework_rules.bzl‎
Lines changed: 78 additions & 3 deletions
@@ -832,6 +832,7 @@ bzl_library(
         ":swift_support",
         ":transition_support",
         "//apple:providers",
+        "//apple/internal:codesigning_support",
         "//apple/internal/aspects:resource_aspect",
         "//apple/internal/aspects:resource_aspect_hint",
         "//apple/internal/aspects:swift_usage_aspect",
 
@@ -71,20 +71,28 @@ def _codesignopts_from_rule_ctx(ctx):
         for opt in ctx.attr.codesignopts
     ]
 
-def _preferred_codesigning_identity(platform_prerequisites):
-    """Returns the preferred codesigning identity from platform prerequisites"""
-    if not platform_prerequisites.platform.is_device:
+def _preferred_codesigning_identity(
+        *,
+        build_settings,
+        objc_fragment,
+        requires_adhoc_signing):
+    """Returns the preferred codesigning identity from platform prerequisites.
+
+    Args:
+      build_settings: The build settings from apple_xplat_toolchain_info or platform_prerequisites.
+      objc_fragment: The objc fragment interface from ctx.fragments.objc.
+      requires_adhoc_signing: Whether this signing operation requires adhoc signing with the adhoc
+          pseudo identity. i.e. if this is a simulator build.
+    """
+    if requires_adhoc_signing:
         return _ADHOC_PSEUDO_IDENTITY
-    build_settings = platform_prerequisites.build_settings
     if build_settings:
-        objc_fragment = platform_prerequisites.objc_fragment
         if objc_fragment:
             # TODO(b/252873771): Remove this fallback when the native Bazel flag
             # ios_signing_cert_name is removed.
             return (build_settings.signing_certificate_name or
                     objc_fragment.signing_certificate_name)
-        else:
-            return build_settings.signing_certificate_name
+        return build_settings.signing_certificate_name
     return None
 
 def _codesign_args_for_path(
@@ -131,7 +139,11 @@ def _codesign_args_for_path(
 
     # First, try to use the identity passed on the command line, if any. If it's a simulator build,
     # use an ad hoc identity.
-    identity = _preferred_codesigning_identity(platform_prerequisites)
+    identity = _preferred_codesigning_identity(
+        build_settings = platform_prerequisites.build_settings,
+        objc_fragment = platform_prerequisites.objc_fragment,
+        requires_adhoc_signing = not platform_prerequisites.platform.is_device,
+    )
     if not identity:
         if provisioning_profile:
             cmd_codesigning.extend([
@@ -294,10 +306,12 @@ def _should_sign_simulator_bundles(
     """Check if a main bundle should be codesigned.
 
     Args:
+      config_vars: The config_vars from `ctx.var`.
+      features: List of features enabled by the user. Typically from `ctx.features`.
+      rule_descriptor: A rule descriptor for platform and product types from the rule context.
 
     Returns:
       True/False for if the bundle should be signed.
-
     """
     if "apple.codesign_simulator_bundles" in config_vars:
         # buildifier: disable=print
@@ -348,16 +362,16 @@ def _codesigning_args(
     """Returns a set of codesigning arguments to be passed to the codesigning tool.
 
     Args:
-        entitlements: The entitlements file to sign with. Can be None.
-        features: List of features enabled by the user. Typically from `ctx.features`.
-        full_archive_path: The full path to the codesigning target.
-        is_framework: If the target is a framework. False by default.
-        platform_prerequisites: Struct containing information on the platform being targeted.
-        provisioning_profile: File for the provisioning profile.
-        rule_descriptor: A rule descriptor for platform and product types from the rule context.
+      entitlements: The entitlements file to sign with. Can be None.
+      features: List of features enabled by the user. Typically from `ctx.features`.
+      full_archive_path: The full path to the codesigning target.
+      is_framework: If the target is a framework. False by default.
+      platform_prerequisites: Struct containing information on the platform being targeted.
+      provisioning_profile: File for the provisioning profile.
+      rule_descriptor: A rule descriptor for platform and product types from the rule context.
 
     Returns:
-        A list containing the arguments to pass to the codesigning tool.
+      A list containing the arguments to pass to the codesigning tool.
     """
     should_sign_bundles = _should_sign_bundles(
         provisioning_profile = provisioning_profile,
@@ -479,30 +493,39 @@ def _codesigning_command(
     )
 
 def _generate_codesigning_dossier_action(
+        *,
         actions,
-        label_name,
+        apple_fragment,
+        codesign_identity,
         dossier_codesigningtool,
         embedded_dossiers,
         entitlements,
         output_discriminator,
         output_dossier,
-        platform_prerequisites,
-        provisioning_profile):
+        label_name,
+        provisioning_profile,
+        target_signs_with_entitlements,
+        xcode_config):
     """Generates a codesigning dossier based on parameters.
 
     Args:
       actions: The actions provider from `ctx.actions`.
-      label_name: Name of the target being built.
+      apple_fragment: The apple fragment from `ctx.fragments.apple` to use for the action.
+      codesign_identity: The identity for the dossier to sign with.
       dossier_codesigningtool: The files_to_run for the code signing tool.
       embedded_dossiers: An optional List of Structs generated from
          `embedded_codesigning_dossier` that should also be included in this
           dossier.
       entitlements: Optional file representing the entitlements to sign with.
       output_discriminator: A string to differentiate between different target intermediate files
           or `None`.
-      output_dossier: The `File` representing the output dossier file - the zipped dossier will be placed here.
-      platform_prerequisites: Struct containing information on the platform being targeted.
+      output_dossier: The `File` representing the output dossier file - the zipped dossier will be
+          placed here.
+      label_name: Name of the target being built.
       provisioning_profile: The provisioning profile file. May be `None`.
+      target_signs_with_entitlements: Whether the target platform needs signing with entitlements,
+          which is true for non-simulator builds.
+      xcode_config: The `apple_common.XcodeVersionConfig` provider from the context.
     """
     input_files = [x.dossier_file for x in embedded_dossiers]
 
@@ -511,16 +534,15 @@ def _generate_codesigning_dossier_action(
 
     dossier_arguments = ["--output", output_dossier.path, "--zip"]
 
-    # Try to use the identity passed on the command line, if any. If it's a simulator build, use an
-    # ad hoc identity.
-    codesign_identity = _preferred_codesigning_identity(platform_prerequisites)
+    # Try to use the identity passed through, if any. Use the ad-hoc pseudo-identity if no identity
+    # or provisioning profile is passed through.
     if not codesign_identity and not provisioning_profile:
         codesign_identity = _ADHOC_PSEUDO_IDENTITY
     if codesign_identity:
         dossier_arguments.extend(["--codesign_identity", codesign_identity])
     else:
         dossier_arguments.append("--infer_identity")
-    if entitlements and platform_prerequisites.platform.is_device:
+    if entitlements and target_signs_with_entitlements:
         # Entitlements are embedded as segments of the linked simulator binary. They should not be
         # used for signing simulator binaries.
         input_files.append(entitlements)
@@ -559,14 +581,14 @@ def _generate_codesigning_dossier_action(
 
     apple_support.run(
         actions = actions,
-        apple_fragment = platform_prerequisites.apple_fragment,
+        apple_fragment = apple_fragment,
         arguments = args,
         executable = dossier_codesigningtool,
         inputs = input_files,
         mnemonic = mnemonic,
         outputs = [output_dossier],
         progress_message = progress_message,
-        xcode_config = platform_prerequisites.xcode_version_config,
+        xcode_config = xcode_config,
     )
 
 def _post_process_and_sign_archive_action(
@@ -826,6 +848,7 @@ codesigning_support = struct(
     embedded_codesigning_dossier = _embedded_codesigning_dossier,
     generate_codesigning_dossier_action = _generate_codesigning_dossier_action,
     post_process_and_sign_archive_action = _post_process_and_sign_archive_action,
+    preferred_codesigning_identity = _preferred_codesigning_identity,
     should_sign_bundles = _should_sign_bundles,
     sign_binary_action = _sign_binary_action,
 )
@@ -274,16 +274,25 @@ def _codesigning_dossier_partial_impl(
         bundle_name = bundle_name,
     ) if bundle_location else None
 
+    codesign_identity = codesigning_support.preferred_codesigning_identity(
+        build_settings = platform_prerequisites.build_settings,
+        objc_fragment = platform_prerequisites.objc_fragment,
+        requires_adhoc_signing = not platform_prerequisites.platform.is_device,
+    )
+
     codesigning_support.generate_codesigning_dossier_action(
         actions = actions,
-        label_name = label_name,
+        apple_fragment = platform_prerequisites.apple_fragment,
+        codesign_identity = codesign_identity,
         dossier_codesigningtool = apple_mac_toolchain_info.dossier_codesigningtool,
-        output_discriminator = output_discriminator,
-        output_dossier = output_dossier,
-        platform_prerequisites = platform_prerequisites,
         embedded_dossiers = embedded_codesign_dossiers,
         entitlements = entitlements,
+        label_name = label_name,
+        output_discriminator = output_discriminator,
+        output_dossier = output_dossier,
         provisioning_profile = provisioning_profile,
+        target_signs_with_entitlements = platform_prerequisites.platform.is_device,
+        xcode_config = platform_prerequisites.xcode_version_config,
     )
 
     embedded_dossier_depset = None
 
@@ -38,6 +38,10 @@ load(
     "//apple/internal:cc_info_support.bzl",
     "cc_info_support",
 )
+load(
+    "//apple/internal:codesigning_support.bzl",
+    "codesigning_support",
+)
 load(
     "//apple/internal:experimental.bzl",
     "is_experimental_tree_artifact_enabled",
@@ -72,6 +76,7 @@ load(
     "AppleBundleVersionInfo",
     "ApplePlatformInfo",
     "new_applebundleinfo",
+    "new_applecodesigningdossierinfo",
     "new_applestaticxcframeworkbundleinfo",
     "new_applexcframeworkbundleinfo",
 )
@@ -1173,6 +1178,50 @@ def _create_xcframework_bundle(
             progress_message = "Bundling %s" % label_name,
         )
 
+def _create_xcframework_codesigning_dossier(
+        *,
+        actions,
+        apple_fragment,
+        apple_mac_toolchain_info,
+        build_settings,
+        objc_fragment,
+        rule_label,
+        xcode_config):
+    """Generates the codesigning dossier for an XCFramework."""
+    output_dossier = actions.declare_file("%s_dossier.zip" % rule_label.name)
+
+    codesign_identity = codesigning_support.preferred_codesigning_identity(
+        build_settings = build_settings,
+        objc_fragment = objc_fragment,
+        # Never adhoc sign XCFrameworks; the SDK signing requires a valid code signing identity
+        # corresponding to a certificate.
+        requires_adhoc_signing = False,
+    )
+
+    codesigning_support.generate_codesigning_dossier_action(
+        actions = actions,
+        apple_fragment = apple_fragment,
+        codesign_identity = codesign_identity,
+        dossier_codesigningtool = apple_mac_toolchain_info.dossier_codesigningtool,
+        embedded_dossiers = [],
+        entitlements = None,
+        label_name = rule_label.name,
+        output_discriminator = None,
+        output_dossier = output_dossier,
+        provisioning_profile = None,
+        target_signs_with_entitlements = False,  # Frameworks are never signed with entitlements.
+        xcode_config = xcode_config,
+    )
+
+    return struct(
+        output_groups = {
+            "dossier": depset([output_dossier]),
+        },
+        providers = [new_applecodesigningdossierinfo(
+            dossier = output_dossier,
+        )],
+    )
+
 def _apple_xcframework_impl(ctx):
     """Implementation of apple_xcframework."""
     actions = ctx.actions
@@ -1208,6 +1257,8 @@ def _apple_xcframework_impl(ctx):
         tree_artifact_is_enabled = True
         outputs_archive = actions.declare_directory(bundle_name + ".xcframework")
 
+    build_settings = apple_xplat_toolchain_info.build_settings
+
     # Add the disable_legacy_signing feature to the list of features
     # TODO(b/72148898): Remove this when dossier based signing becomes the default.
     features = ctx.features
@@ -1262,7 +1313,7 @@ def _apple_xcframework_impl(ctx):
 
     link_result = linking_support.register_binary_linking_action(
         ctx,
-        build_settings = apple_xplat_toolchain_info.build_settings,
+        build_settings = build_settings,
         bundle_name = bundle_name,
         cc_toolchains = cc_toolchain_forwarder,
         # Frameworks do not have entitlements.
@@ -1343,6 +1394,16 @@ def _apple_xcframework_impl(ctx):
         xcode_config = xcode_version_config,
     )
 
+    dossier_outputs = _create_xcframework_codesigning_dossier(
+        actions = actions,
+        apple_fragment = apple_fragment,
+        apple_mac_toolchain_info = apple_mac_toolchain_info,
+        build_settings = build_settings,
+        objc_fragment = objc_fragment,
+        rule_label = rule_label,
+        xcode_config = xcode_version_config,
+    )
+
     processor_output = [
         # Limiting the contents of AppleBundleInfo to what is necessary for testing and validation.
         new_applebundleinfo(
@@ -1367,10 +1428,11 @@ def _apple_xcframework_impl(ctx):
         ),
         OutputGroupInfo(
             **outputs.merge_output_groups(
+                dossier_outputs.output_groups,
                 *bundled_artifacts.framework_output_groups
             )
         ),
-    ]
+    ] + dossier_outputs.providers
     return processor_output
 
 apple_xcframework = rule_factory.create_apple_rule(
@@ -1613,6 +1675,8 @@ def _apple_static_xcframework_impl(ctx):
         tree_artifact_is_enabled = True
         outputs_archive = actions.declare_directory(bundle_name + ".xcframework")
 
+    build_settings = apple_xplat_toolchain_info.build_settings
+
     _validate_resource_attrs(
         all_attrs = ctx.attr,
         bundle_format = bundle_format,
@@ -1712,6 +1776,16 @@ def _apple_static_xcframework_impl(ctx):
         xcode_config = xcode_version_config,
     )
 
+    dossier_outputs = _create_xcframework_codesigning_dossier(
+        actions = actions,
+        apple_fragment = apple_fragment,
+        apple_mac_toolchain_info = apple_mac_toolchain_info,
+        build_settings = build_settings,
+        objc_fragment = objc_fragment,
+        rule_label = rule_label,
+        xcode_config = xcode_version_config,
+    )
+
     return [
         # Limiting the contents of AppleBundleInfo to what is necessary for testing and validation.
         new_applebundleinfo(
@@ -1730,10 +1804,11 @@ def _apple_static_xcframework_impl(ctx):
         ),
         OutputGroupInfo(
             **outputs.merge_output_groups(
+                dossier_outputs.output_groups,
                 *bundled_artifacts.framework_output_groups
             )
         ),
-    ]
+    ] + dossier_outputs.providers
 
 apple_static_xcframework = rule_factory.create_apple_rule(
     cfg = transition_support.xcframework_base_transition,