Remove Debug and Release Entitlements plists and Replace with Custom Entitlements #16355
Conversation
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
dustin-wojciechowski
added
area-templates
dustin-wojciechowski
changed the title
|
Still need to test this through TestFlight as well, but getting this out for visibility. |
There was a problem hiding this comment.
Ultimately I think these should go into the macios sdk workload. Android already does this for some debug and release config defaults.
@dalexsoto @rolfbjarne @jonathanpeppers
Thoughts?
I agree, this is not limited to MAUI so we can move this to defaults in xamarin-macios instead. |
|
I am preparing a PR for the xamarin-macios repo to hopefully include the files there, so I will close this PR. |
|
Yeah, have a look and see if there is something we can do. We have the dotnetinternal class, so maybe we can add a appleinternal and have a build then check. I did something for windows #17238 You can also skip tests where this won't work. Not sure if this will run in non mac. |
|
Update: An integration test that uses codesign to verify entitlements was introduced separately in this PR: #17331. That passes in main because the entitlements are being added via the template. The latest commit successfully adds the network.security.client entitlement to the executable, but the tests will still fail because the PR in xamarin-macios that adds the com.security.get-task-allow and com.security.app-sandbox entitlements (xamarin/xamarin-macios#18669) will be released in NET8.0.100 RC 2. Once that is released, and the version.props file is updated to consume the latest maccatalyst workload, all tests should pass and this PR should be good to be merged. |
…. Also added entitlements that are missing and will be added at a later date to the ios sdk
|
As we're closely approaching NET8 GA, I can add all the entitlements to the MAUI SDK now, and then take them out when maui is able to consume macios SDK NET8 RC2 successfully. Two options:
Let me know what you think. |
There was a problem hiding this comment.
This change doesn't sit quite right with me because I feel it's hard-coding too much Blazor Hybrid template functionality and hides it behind an assumption of how the project is structured. That's fine when it's within the template because the developer can tweak as needed, but here it's in some targets that can be hard to modify the behavior of.
| <Project> | ||
|
|
||
| <PropertyGroup> | ||
| <EnableDefaultMauiBlazorEntitlements Condition="'$(EnableDefaultMauiBlazorEntitlements)'=='' And '$(UsingMicrosoftNETSdkRazor)'=='true'">true</EnableDefaultMauiBlazorEntitlements> |
There was a problem hiding this comment.
Hmm this essentially looks like it's hard-coding some Blazor Hybrid logic into this target, which seems a bit too specific. I'm not sure this logic is quite right, either, because I don't think the MAUI project itself has to necessarily use the Razor SDK, yet the app likely still wants to use these entitlements if it has Blazor usage in it (perhaps indirectly through a project reference).
There was a problem hiding this comment.
Hmm, I got the idea from the Microsoft.Maui.Sdk.ProjectCapabilities.targets file. It would have been more favorable to use the MauiBlazor ProjectCapability directly, but the condition checking for that wasn't working in the integration test.
I had not thought of an indirect reference without using the Razor SDK though. I will investigate and see if I can come up with an alternative means.
There was a problem hiding this comment.
Oh weird... I don't really like that either. Looks like it's ancient. I think it's a reasonable for telemetry but I'm not sure I like it for functional purposes... Though it doesn't even necessarily look right for that because it doesn't actually check if it's MAUI SDK + Razor, though probably that's fine because this very target is from MAUI to begin with.
There was a problem hiding this comment.
should this rather be in the maui blazor webview nuget? Then installing the webview nuget also sets this?
|
@Eilon @mattleibow if this doesn't belong to the targets what do you suggest we do here? Maybe the fact that this is already in the MacCat blazor templates is good enough and we can close this? |
| <EnableDefaultMauiBlazorEntitlements Condition="'$(EnableDefaultMauiBlazorEntitlements)'=='' And '$(UsingMicrosoftNETSdkRazor)'=='true'">true</EnableDefaultMauiBlazorEntitlements> | ||
| </PropertyGroup> | ||
|
|
||
| <ItemGroup Condition="'$(EnableDefaultMauiBlazorEntitlements)'=='true'And '$(Configuration)' == 'Release'"> |
There was a problem hiding this comment.
| <ItemGroup Condition="'$(EnableDefaultMauiBlazorEntitlements)'=='true'And '$(Configuration)' == 'Release'"> | |
| <ItemGroup Condition="'$(EnableDefaultMauiBlazorEntitlements)'=='true' And '$(Configuration)' == 'Release'"> |
| <CustomEntitlements Include="com.apple.security.network.client" Type="boolean" Value="true" /> | ||
| </ItemGroup> | ||
|
|
||
| <ItemGroup Condition="'$(EnableDefaultMauiBlazorEntitlements)'=='True'And '$(Configuration)' == 'Debug'"> |
There was a problem hiding this comment.
| <ItemGroup Condition="'$(EnableDefaultMauiBlazorEntitlements)'=='True'And '$(Configuration)' == 'Debug'"> | |
| <ItemGroup Condition="'$(EnableDefaultMauiBlazorEntitlements)'=='True' And '$(Configuration)' == 'Debug'"> |
Maybe do nothing for now? I don't like hiding project-specific settings in the SDK because then it becomes a huge challenge when someone wants to change the value for their project. The thing I don't know is whether this is just "always fine" and not really cause anyone problems in the future - I'm not familiar enough with these settings/behaviors to have a good sense of that. If we're super duper sure that this conditional logic and behavior is almost certainly right for almost all apps, then maybe it's OK. If we're not so sure, then let's leave them as project template settings. (I don't like having junk in projects, either, but sometimes it's really not junk). |
|
Moving this to GA as if we downgrade to net7 without removing the hardend runtime property, mac catalyst crashes. Once net8 ships, this will live in peoples' templates forever and it makes it look sad. So fix soon, ship soon, happy forever! |
Not sure I understand what "downgrade to net7" means? Also, what is the harm of having "this" (not sure what "this" is?) live in peoples' templates? Is the alternative to put this in the SDK and then we break peoples' apps when we decide to change the defaults (that's part of what I'm worried about)? |
|
this refers to the issue. downgrade refers to file new maui net8, and then changing the tfm to net7. But I would expect the basic parts needed to make a blazor app work be in the box and not in the templates. If these are not needed, then why are they in the template at all. We have thousands of defaults already in the box, both the sdk and in android/ios. So, if blazor needs these or works best with them then we should set it. The comment says it is essential - and thus does not qualify as a basic "default". <!--Essential for MAUI Blazor, as it allows your sandboxed app to connect to a server process.-->
<CustomEntitlements Include="com.apple.security.app-sandbox" Type="boolean" Value="true" />
<CustomEntitlements Include="com.apple.security.network.client" Type="boolean" Value="true" />If they are not essential, then what are they for? |
| <Project> | ||
|
|
||
| <PropertyGroup> | ||
| <EnableDefaultMauiBlazorEntitlements Condition="'$(EnableDefaultMauiBlazorEntitlements)'=='' And '$(UsingMicrosoftNETSdkRazor)'=='true'">true</EnableDefaultMauiBlazorEntitlements> |
There was a problem hiding this comment.
should this rather be in the maui blazor webview nuget? Then installing the webview nuget also sets this?
| </ItemGroup> | ||
|
|
||
| <ItemGroup Condition="'$(EnableDefaultMauiBlazorEntitlements)'=='True'And '$(Configuration)' == 'Debug'"> | ||
| <CustomEntitlements Include="com.apple.security.get-task-allow" Type="boolean" Value="true" /> |
There was a problem hiding this comment.
This is in the iOS sdk now so we can leave it out? If this is just needed because main is net7, then we need an issue tracking this to be removed in the net8 branch asap and it needs to be marked for GA using the Milestones.
|
Per the discussion mentioned above:
Please see current PR #17833 for adjustments to templates. |
…r MacCatalyst projects" (#19171) Reverts #18669 per discussion in MAUI about sdk defaults. See dotnet/maui#16355 for more information. Consult teams thread for more information: https://teams.microsoft.com/l/message/19:989ffa44998147aca4ceaf7482967668@thread.skype/1696009594958?tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47&groupId=0056f60b-301f-43ac-bbcf-f356d3c42c92&parentMessageId=1696009594958&teamName=VS%20Client%20Experiences&channelName=MAUI%20??&createdTime=1696009594958 (MSFT only) Backport of #19125 Co-authored-by: dustin-wojciechowski <dustin.wojciechowski@microsoft.com>
…nts for MacCatalyst projects" (#19172) Reverts #18669 per discussion in MAUI about sdk defaults. See dotnet/maui#16355 for more information. Consult teams thread for more information: https://teams.microsoft.com/l/message/19:989ffa44998147aca4ceaf7482967668@thread.skype/1696009594958?tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47&groupId=0056f60b-301f-43ac-bbcf-f356d3c42c92&parentMessageId=1696009594958&teamName=VS%20Client%20Experiences&channelName=MAUI%20??&createdTime=1696009594958 (MSFT only) Backport of #19125 Co-authored-by: dustin-wojciechowski <dustin.wojciechowski@microsoft.com>
UPDATE: I've reopened this PR to keep everything together. I've added two of the entitlements that were in this PR to the iOS sdk, but we agreed that the issue with adding the com.network.client as a default could cause issues during notarizing in that not all MacCatalyst apps require that entitlement. This was a requirement that is strictly unique to MAUI Blazor applications, so I have left that entitlement in there.
But open to suggestions if there is a more favorable way to do this.
Description of Change
CustomEntitlements in csproj should replace need for adding Entitlement .plist files for Debug and Release for MacCatalyst templates.
Ideally we should try to move this away from the csproj in Maui project altogether and into iOS sdk(xamarin/xamarin-macios#18344). Also, unique configurations based on debug and publish intentions has been proposed for dotnet but doesn't seem to have any traction: dotnet/sdk#31918