[dsymutil] Add support for code signing dSYM bundles (#190676)

This PR adds support for code signing the dSYM bundle using the
`codesign` command line utility.

Author: JDevlieghere

llvm/docs/CommandGuide/dsymutil.rst

@@ -46,6 +46,11 @@ OPTIONS
  'profile'. Setting the DYLD_IMAGE_SUFFIX environment variable will
  cause dyld to load the specified variant at runtime.
 
+.. option:: --codesign <identity>
+
+ Code sign the dSYM bundle with the given signing identity after linking.
+ Cannot be used with :option:`--flat` or :option:`--no-output`.
+
 .. option:: --disallow <path>
 
  Exclude debug map objects listed in the YAML file at <path>. Only filters

llvm/test/tools/dsymutil/cmdline.test

@@ -9,6 +9,7 @@ CHECK: -accelerator
 CHECK: -allow <path>
 CHECK: -arch <arch>
 CHECK: -build-variant-suffix <suffix=buildvariant>
+CHECK: -codesign <identity>
 CHECK: -disallow <path>
 CHECK: -dump-debug-map
 CHECK: -D <path>

llvm/test/tools/dsymutil/codesign.test

@@ -0,0 +1,15 @@
+REQUIRES: system-darwin, x86-registered-target
+
+## Verify --codesign signs the dSYM bundle.
+RUN: dsymutil -oso-prepend-path %p %p/Inputs/basic.macho.x86_64 -o %t.dSYM --codesign=-
+RUN: codesign -v %t.dSYM
+
+## Verify --codesign is incompatible with --flat.
+RUN: not dsymutil -oso-prepend-path %p %p/Inputs/basic.macho.x86_64 -o %t.flat --flat --codesign=- 2>&1 \
+RUN:   | FileCheck %s --check-prefix=FLAT
+FLAT: error: --codesign is not supported with --flat: no bundle to sign
+
+## Verify --codesign is incompatible with --no-output.
+RUN: not dsymutil -oso-prepend-path %p %p/Inputs/basic.macho.x86_64 --no-output --codesign=- 2>&1 \
+RUN:   | FileCheck %s --check-prefix=NOOUT
+NOOUT: error: --codesign is not supported with --no-output: nothing to sign

llvm/tools/dsymutil/Options.td

@@ -256,6 +256,12 @@ def disallow: Separate<["--", "-"], "disallow">,
   Group<grp_general>;
 def: Joined<["--", "-"], "disallow=">, Alias<disallow>;
 
+def codesign: Separate<["--", "-"], "codesign">,
+  MetaVarName<"<identity>">,
+  HelpText<"Code sign the dSYM bundle with the given signing identity after linking.">,
+  Group<grp_general>;
+def: Joined<["--", "-"], "codesign=">, Alias<codesign>;
+
 def dsym_search_path: Separate<["-", "--"], "D">,
   MetaVarName<"<path>">,
   HelpText<"Specify a directory that contain dSYM files to search for.">,

llvm/tools/dsymutil/dsymutil.cpp

@@ -41,6 +41,7 @@
 #include "llvm/Support/LLVMDriver.h"
 #include "llvm/Support/MemoryBuffer.h"
 #include "llvm/Support/Path.h"
+#include "llvm/Support/Program.h"
 #include "llvm/Support/TargetSelect.h"
 #include "llvm/Support/ThreadPool.h"
 #include "llvm/Support/WithColor.h"
@@ -116,6 +117,7 @@ struct DsymutilOptions {
   bool NoObjectTimestamp = false;
   std::string OutputFile;
   std::string Toolchain;
+  std::string CodesignIdentity;
   std::string ReproducerPath;
   std::string AllowFile;
   std::string DisallowFile;
@@ -221,6 +223,16 @@ static Error verifyOptions(const DsymutilOptions &Options) {
         "--embed-resource is not supported with --flat",
         errc::invalid_argument);
 
+  if (!Options.CodesignIdentity.empty() && Options.Flat)
+    return make_error<StringError>(
+        "--codesign is not supported with --flat: no bundle to sign",
+        errc::invalid_argument);
+
+  if (!Options.CodesignIdentity.empty() && Options.LinkOpts.NoOutput)
+    return make_error<StringError>(
+        "--codesign is not supported with --no-output: nothing to sign",
+        errc::invalid_argument);
+
   return Error::success();
 }
 
@@ -388,6 +400,9 @@ static Expected<DsymutilOptions> getOptions(opt::InputArgList &Args) {
   if (opt::Arg *Toolchain = Args.getLastArg(OPT_toolchain))
     Options.Toolchain = Toolchain->getValue();
 
+  if (opt::Arg *Codesign = Args.getLastArg(OPT_codesign))
+    Options.CodesignIdentity = Codesign->getValue();
+
   if (Args.hasArg(OPT_assembly))
     Options.LinkOpts.FileType = DWARFLinkerBase::OutputFileType::Assembly;
 
@@ -657,6 +672,33 @@ getOutputFileName(StringRef InputFile, const DsymutilOptions &Options) {
   return OutputLocation(std::string(Path), ResourceDir);
 }
 
+static Error codesignBundle(StringRef BundlePath, StringRef Identity,
+                            StringRef SDKPath) {
+  auto Path = sys::findProgramByName("codesign", ArrayRef(SDKPath));
+  if (!Path)
+    Path = sys::findProgramByName("codesign");
+
+  if (!Path)
+    return make_error<StringError>(
+        "codesign not found: " + Path.getError().message(), Path.getError());
+
+  SmallVector<StringRef, 5> Args;
+  Args.push_back("codesign");
+  Args.push_back("-f");
+  Args.push_back("-s");
+  Args.push_back(Identity);
+  Args.push_back(BundlePath);
+
+  std::string ErrMsg;
+  int Result =
+      sys::ExecuteAndWait(*Path, Args, std::nullopt, {}, 0, 0, &ErrMsg);
+  if (Result)
+    return make_error<StringError>("codesign failed: " + ErrMsg,
+                                   inconvertibleErrorCode());
+
+  return Error::success();
+}
+
 int dsymutil_main(int argc, char **argv, const llvm::ToolContext &) {
   // Parse arguments.
   DsymutilOptTable T;
@@ -985,6 +1027,21 @@ int dsymutil_main(int argc, char **argv, const llvm::ToolContext &) {
               SDKPath, Fat64))
         return EXIT_FAILURE;
     }
+
+    if (!Options.CodesignIdentity.empty()) {
+      StringRef DWARFFile = OutputLocationOrErr->DWARFFile;
+      auto Pos = DWARFFile.find(".dSYM/");
+      if (Pos == StringRef::npos)
+        Pos = DWARFFile.find(".dSYM");
+      if (Pos != StringRef::npos) {
+        std::string BundlePath = DWARFFile.substr(0, Pos + 5).str();
+        if (auto E =
+                codesignBundle(BundlePath, Options.CodesignIdentity, SDKPath)) {
+          WithColor::error() << toString(std::move(E)) << '\n';
+          return EXIT_FAILURE;
+        }
+      }
+    }
   }
 
   return EXIT_SUCCESS;