Reapply "Share secrets between Code and Agents app via macOS Keychain" (#313241)

This reverts commit afe5823.

Author: deepak1556

build/.moduleignore

@@ -159,6 +159,14 @@ vsda/**
 @vscode/policy-watcher/index.d.ts
 !@vscode/policy-watcher/build/Release/vscode-policy-watcher.node
 
+@vscode/macos-keychain/build/**
+@vscode/macos-keychain/src/**
+@vscode/macos-keychain/test/**
+@vscode/macos-keychain/binding.gyp
+@vscode/macos-keychain/README.md
+@vscode/macos-keychain/index.d.ts
+!@vscode/macos-keychain/build/Release/keychainNative.node
+
 @vscode/windows-ca-certs/**/*
 !@vscode/windows-ca-certs/package.json
 !@vscode/windows-ca-certs/**/*.node

build/azure-pipelines/darwin/app-entitlements.plist

@@ -10,5 +10,9 @@
     <true/>
     <key>com.apple.security.automation.apple-events</key>
     <true/>
+    <key>keychain-access-groups</key>
+    <array>
+        <string>$(TeamIdentifierPrefix)com.microsoft.vscode.shared-secrets</string>
+    </array>
 </dict>
 </plist>

build/azure-pipelines/darwin/steps/product-build-darwin-compile.yml

@@ -332,6 +332,16 @@ steps:
         BUILD_SOURCESDIRECTORY: $(Build.SourcesDirectory)
       displayName: ✍️ Codesign & Notarize
 
+    # Re-sign the app without the provisioning profile for tests.
+    # This strips the keychain-access-groups entitlement which requires a
+    # provisioning profile and is not needed for running tests. The codesign
+    # step reads from the archives packaged above which have the full entitlements.
+    - script: |
+        set -e
+        export CODESIGN_IDENTITY=$(security find-identity -v -p codesigning $(agent.tempdirectory)/buildagent.keychain | grep -oEi "([0-9A-F]{40})" | head -n 1)
+        DEBUG=electron-osx-sign* node build/darwin/sign.ts --skip-provisioning-profile $(agent.builddirectory)
+      displayName: Set Hardened Entitlements (for tests)
+
   - ${{ if or(eq(parameters.VSCODE_RUN_ELECTRON_TESTS, true), eq(parameters.VSCODE_RUN_BROWSER_TESTS, true), eq(parameters.VSCODE_RUN_REMOTE_TESTS, true)) }}:
     - template: product-build-darwin-test.yml@self
       parameters:

build/darwin/sign.ts

@@ -18,7 +18,14 @@ function getElectronVersion(): string {
 	return target;
 }
 
-function getEntitlementsForFile(filePath: string): string {
+const mainProvisioningProfilePath = path.join(baseDir, 'darwin', 'main.provisionprofile');
+const agentsProvisioningProfilePath = path.join(baseDir, 'darwin', 'agents.provisionprofile');
+
+function hasProvisioningProfile(): boolean {
+	return fs.existsSync(mainProvisioningProfilePath);
+}
+
+function getEntitlementsForFile(filePath: string, tempDir: string, useProvisioningProfile: boolean, teamId?: string): string {
 	if (filePath.includes(' Helper (GPU).app')) {
 		return path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-gpu-entitlements.plist');
 	} else if (filePath.includes(' Helper (Renderer).app')) {
@@ -28,7 +35,51 @@ function getEntitlementsForFile(filePath: string): string {
 	} else if (filePath.includes(' Helper.app')) {
 		return path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-entitlements.plist');
 	}
-	return path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist');
+	const entitlementsPath = path.join(baseDir, 'azure-pipelines', 'darwin', 'app-entitlements.plist');
+	if (!useProvisioningProfile) {
+		// Without a provisioning profile, keychain-access-groups entitlement
+		// will cause signing failures. Strip it from the entitlements plist.
+		return getStrippedEntitlements(entitlementsPath, tempDir);
+	}
+	if (teamId) {
+		return getExpandedEntitlements(entitlementsPath, tempDir, teamId);
+	}
+	return entitlementsPath;
+}
+
+let _strippedEntitlementsPath: string | undefined;
+
+/**
+ * Returns a path to a copy of the entitlements plist with the
+ * keychain-access-groups key removed.
+ */
+function getStrippedEntitlements(entitlementsPath: string, tempDir: string): string {
+	if (!_strippedEntitlementsPath) {
+		const content = fs.readFileSync(entitlementsPath, 'utf8');
+		const stripped = content.replace(
+			/\s*<key>keychain-access-groups<\/key>\s*<array>[\s\S]*?<\/array>/,
+			''
+		);
+		_strippedEntitlementsPath = path.join(tempDir, 'app-entitlements-stripped.plist');
+		fs.writeFileSync(_strippedEntitlementsPath, stripped);
+	}
+	return _strippedEntitlementsPath;
+}
+
+let expandedEntitlementsPath: string | undefined;
+
+/**
+ * Returns a path to a copy of the entitlements plist with
+ * $(TeamIdentifierPrefix) expanded to the actual team identifier.
+ */
+function getExpandedEntitlements(entitlementsPath: string, tempDir: string, teamId: string): string {
+	if (!expandedEntitlementsPath) {
+		const content = fs.readFileSync(entitlementsPath, 'utf8');
+		const expanded = content.replace(/\$\(TeamIdentifierPrefix\)/g, teamId + '.');
+		expandedEntitlementsPath = path.join(tempDir, 'app-entitlements.plist');
+		fs.writeFileSync(expandedEntitlementsPath, expanded);
+	}
+	return expandedEntitlementsPath;
 }
 
 async function retrySignOnKeychainError<T>(fn: () => Promise<T>, maxRetries: number = 3): Promise<T> {
@@ -60,7 +111,7 @@ async function retrySignOnKeychainError<T>(fn: () => Promise<T>, maxRetries: num
 	throw lastError;
 }
 
-async function main(buildDir?: string): Promise<void> {
+async function main(buildDir?: string, skipProvisioningProfile?: boolean): Promise<void> {
 	const tempDir = process.env['AGENT_TEMPDIRECTORY'];
 	const arch = process.env['VSCODE_ARCH'];
 	const identity = process.env['CODESIGN_IDENTITY'];
@@ -80,23 +131,51 @@ async function main(buildDir?: string): Promise<void> {
 		? path.resolve(appRoot, appName, 'Contents', 'Applications', `${product.embedded.nameLong}.app`, 'Contents', 'Info.plist')
 		: undefined;
 
+	const useProvisioningProfile = !skipProvisioningProfile && hasProvisioningProfile();
+	const resolvedProvisioningProfile = useProvisioningProfile ? mainProvisioningProfilePath : undefined;
+
+	let teamId: string | undefined;
+	if (resolvedProvisioningProfile) {
+		const profilePlist = await spawn('security', ['cms', '-D', '-i', resolvedProvisioningProfile]);
+		const teamIdMatch = /<key>TeamIdentifier<\/key>\s*<array>\s*<string>(.*?)<\/string>/s.exec(profilePlist);
+		if (teamIdMatch) {
+			teamId = teamIdMatch[1];
+			console.log(`Extracted TeamIdentifier from provisioning profile: ${teamId}`);
+		} else {
+			console.warn('Could not extract TeamIdentifier from provisioning profile; $(TeamIdentifierPrefix) will not be expanded');
+		}
+	}
+
+	// Embed the agents provisioning profile into the embedded app bundle
+	// before signing, since @electron/osx-sign only supports one top-level profile.
+	if (useProvisioningProfile && product.embedded && fs.existsSync(agentsProvisioningProfilePath)) {
+		const embeddedAppPath = path.join(appRoot, appName, 'Contents', 'Applications', `${product.embedded.nameLong}.app`);
+		if (fs.existsSync(embeddedAppPath)) {
+			const embeddedProfileDest = path.join(embeddedAppPath, 'Contents', 'embedded.provisionprofile');
+			fs.copyFileSync(agentsProvisioningProfilePath, embeddedProfileDest);
+			console.log(`Embedded agents provisioning profile into ${embeddedProfileDest}`);
+		}
+	}
+
 	const appOpts: SignOptions = {
 		app: path.join(appRoot, appName),
 		platform: 'darwin',
 		optionsForFile: (filePath) => ({
-			entitlements: getEntitlementsForFile(filePath),
+			entitlements: getEntitlementsForFile(filePath, tempDir, useProvisioningProfile, teamId),
 			hardenedRuntime: true,
 		}),
 		preAutoEntitlements: false,
-		preEmbedProvisioningProfile: false,
+		preEmbedProvisioningProfile: !!resolvedProvisioningProfile,
+		provisioningProfile: resolvedProvisioningProfile,
 		keychain: path.join(tempDir, 'buildagent.keychain'),
 		version: getElectronVersion(),
 		identity,
 	};
 
 	// Only overwrite plist entries for x64 and arm64 builds,
 	// universal will get its copy from the x64 build.
-	if (arch !== 'universal') {
+	// Skip when re-signing (skipProvisioningProfile) since entries already exist.
+	if (arch !== 'universal' && !skipProvisioningProfile) {
 		await spawn('plutil', [
 			'-insert',
 			'NSAppleEventsUsageDescription',
@@ -176,7 +255,10 @@ async function main(buildDir?: string): Promise<void> {
 }
 
 if (import.meta.main) {
-	main(process.argv[2]).catch(async err => {
+	const args = process.argv.slice(2);
+	const skipProvisioningProfile = args.includes('--skip-provisioning-profile');
+	const buildDir = args.filter(a => !a.startsWith('--'))[0];
+	main(buildDir, skipProvisioningProfile).catch(async err => {
 		console.error(err);
 		const tempDir = process.env['AGENT_TEMPDIRECTORY'];
 		if (tempDir) {

package-lock.json

@@ -268,6 +268,7 @@
     "url": "https://github.com/microsoft/vscode/issues"
   },
   "optionalDependencies": {
+    "@vscode/macos-keychain": "^0.0.1",
     "windows-foreground-love": "0.6.1"
   }
 }

package.json

@@ -26,6 +26,7 @@
 	"win32TunnelServiceMutex": "vscodeoss-tunnelservice",
 	"win32TunnelMutex": "vscodeoss-tunnel",
 	"darwinBundleIdentifier": "com.visualstudio.code.oss",
+	"darwinSharedKeychainServiceName": "com.visualstudio.code.oss.shared-secrets",
 	"darwinProfileUUID": "47827DD9-4734-49A0-AF80-7E19B11495CC",
 	"darwinProfilePayloadUUID": "CF808BE7-53F3-46C6-A7E2-7EDB98A5E959",
 	"linuxIconName": "code-oss",

product.json

@@ -0,0 +1,15 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+// Type declarations for @vscode/macos-keychain.
+// The package is an optional dependency (macOS-only native addon), so types
+// are duplicated here to ensure TypeScript compilation succeeds on all platforms.
+
+declare module '@vscode/macos-keychain' {
+	export function keychainSet(service: string, account: string, value: string): void;
+	export function keychainGet(service: string, account: string): string | undefined;
+	export function keychainDelete(service: string, account: string): boolean;
+	export function keychainList(service: string): string[];
+}

src/typings/macos-keychain.d.ts

@@ -224,6 +224,7 @@ export interface IProductConfiguration {
 	readonly darwinUniversalAssetId?: string;
 	readonly darwinBundleIdentifier?: string;
 	readonly darwinSiblingBundleIdentifier?: string;
+	readonly darwinSharedKeychainServiceName?: string;
 	readonly profileTemplatesUrl?: string;
 
 	readonly commonlyUsedSettings?: string[];

src/vs/base/common/product.ts

@@ -37,6 +37,8 @@ import { DiagnosticsMainService, IDiagnosticsMainService } from '../../platform/
 import { DialogMainService, IDialogMainService } from '../../platform/dialogs/electron-main/dialogMainService.js';
 import { IEncryptionMainService } from '../../platform/encryption/common/encryptionService.js';
 import { EncryptionMainService } from '../../platform/encryption/electron-main/encryptionMainService.js';
+import { ISharedKeychainMainService } from '../../platform/secrets/common/sharedKeychainService.js';
+import { SharedKeychainMainService } from '../../platform/secrets/electron-main/sharedKeychainMainService.js';
 import { ipcBrowserViewChannelName } from '../../platform/browserView/common/browserView.js';
 import { ipcBrowserViewGroupChannelName } from '../../platform/browserView/common/browserViewGroup.js';
 import { BrowserViewMainService, IBrowserViewMainService } from '../../platform/browserView/electron-main/browserViewMainService.js';
@@ -1092,6 +1094,9 @@ export class CodeApplication extends Disposable {
 		// Encryption
 		services.set(IEncryptionMainService, new SyncDescriptor(EncryptionMainService));
 
+		// Shared Keychain
+		services.set(ISharedKeychainMainService, new SyncDescriptor(SharedKeychainMainService));
+
 		// Cross-app IPC
 		services.set(ICrossAppIPCService, new SyncDescriptor(CrossAppIPCService));
 
@@ -1270,12 +1275,12 @@ export class CodeApplication extends Disposable {
 			this._register(new MacOSCrossAppSecretSharing(
 				accessor.get(IStorageMainService),
 				accessor.get(IEncryptionMainService),
+				accessor.get(ISharedKeychainMainService),
 				accessor.get(IStateService),
 				this.logService,
 				this.environmentMainService,
 				accessor.get(ILaunchMainService),
 				this.lifecycleMainService,
-				crossAppIPCService,
 			));
 		}
 
@@ -1292,6 +1297,10 @@ export class CodeApplication extends Disposable {
 		const encryptionChannel = ProxyChannel.fromService(accessor.get(IEncryptionMainService), disposables);
 		mainProcessElectronServer.registerChannel('encryption', encryptionChannel);
 
+		// Shared Keychain
+		const sharedKeychainChannel = ProxyChannel.fromService(accessor.get(ISharedKeychainMainService), disposables);
+		mainProcessElectronServer.registerChannel('sharedKeychain', sharedKeychainChannel);
+
 		// Browser View
 		const browserViewChannel = ProxyChannel.fromService(accessor.get(IBrowserViewMainService), disposables);
 		mainProcessElectronServer.registerChannel(ipcBrowserViewChannelName, browserViewChannel);