@swiftveteran

The vmnet plugin requires the com.apple.security.virtualization entitlement. Without it, vmnet_network_create() fails with VMNET_MEM_FAILURE (1002).

Previously only installer-pkg signed binaries with entitlements. Debug builds were adhoc-signed without entitlements, causing vmnet failures.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update

Motivation and Context

We can't create vmnet without these entitlements. Needed for nat, shared networking, and dhcp client. Startup of container could also just hang forever without this.

Testing

  • Tested locally
  • Added/updated tests
  • Added/updated docs

@jglogan
Contributor

jglogan commented Jan 2, 2026

@swiftveteran thanks for the report! Can you show me the steps for reproducing the failure on my system?

@jglogan jglogan self-requested a review January 5, 2026 17:14
@jglogan
Contributor

jglogan commented Jan 6, 2026

I don't think this change is necessary; it's not the responsibility of the build Makefile target to perform the signing.

make all builds the container target, which in turn builds the build target and then spawns make install to create an installer package and install the contents into bin/ and libexec/ under the project directory:

% make all
Building container binaries...
swift-driver version: 1.127.14.1 Apple Swift version 6.2 (swiftlang-6.2.3.1.1 clang-1700.6.1.1)
...
Signing container binaries...
bin/debug/staging/bin/container: replacing existing signature
bin/debug/staging/bin/container-apiserver: replacing existing signature
bin/debug/staging/libexec/container/plugins/container-core-images/bin/container-core-images: replacing existing signature
bin/debug/staging/libexec/container/plugins/container-runtime-linux/bin/container-runtime-linux: replacing existing signature
bin/debug/staging/libexec/container/plugins/container-network-vmnet/bin/container-network-vmnet: replacing existing signature
Creating application installer
pkgbuild: Inferring bundle components from contents of bin/debug/staging/
pkgbuild: Wrote package to bin/debug/container-installer-unsigned.pkg
Installing container installer package

% codesign -vvv -d --entitlements - libexec/container/plugins/container-network-vmnet/bin/container-network-vmnet 
Executable=/Users/john/projects/jglogan/container/libexec/container/plugins/container-network-vmnet/bin/container-network-vmnet
Identifier=com.apple.container.container-network-vmnet
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=108708 flags=0x2(adhoc) hashes=3386+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=ece551c49793b75d154517fc9691bed876facf36
CandidateCDHashFull sha256=ece551c49793b75d154517fc9691bed876facf36367bf7c2e025ef1179f4333f
Hash choices=sha256
CMSDigest=ece551c49793b75d154517fc9691bed876facf36367bf7c2e025ef1179f4333f
CMSDigestType=2
CDHash=ece551c49793b75d154517fc9691bed876facf36
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
[Dict]
	[Key] com.apple.security.virtualization
	[Value]
		[Bool] true

% codesign -vvv -d --entitlements - libexec/container/plugins/container-runtime-linux/bin/container-runtime-linux 
Executable=/Users/john/projects/jglogan/container/libexec/container/plugins/container-runtime-linux/bin/container-runtime-linux
Identifier=com.apple.container.container-runtime-linux
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=113060 flags=0x2(adhoc) hashes=3522+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=b43b34d147001a5c7937801a46fa9912748a1a61
CandidateCDHashFull sha256=b43b34d147001a5c7937801a46fa9912748a1a61e9a25b1e94ed1d02001d8317
Hash choices=sha256
CMSDigest=b43b34d147001a5c7937801a46fa9912748a1a61e9a25b1e94ed1d02001d8317
CMSDigestType=2
CDHash=b43b34d147001a5c7937801a46fa9912748a1a61
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
[Dict]
	[Key] com.apple.security.virtualization
	[Value]
		[Bool] true
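
A check that could run after the signing step to confirm each binary carries the entitlement, parsing the codesign -d --entitlements - layout shown in the output above. This is an added example, not part of the pull request or the project's Makefile; the function names and the sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm signed binaries carry the vmnet entitlement.
ENTITLEMENT="com.apple.security.virtualization"

# has_entitlement KEY
# Reads the text that `codesign -d --entitlements -` writes to stdout and
# succeeds only if KEY is followed by a [Value] whose type line is "[Bool] true".
has_entitlement() {
    awk -v key="$1" '
        $1 == "[Key]"                 { cur = $2; state = 1; next }
        state == 1 && $1 == "[Value]" { state = 2; next }
        state == 2 {
            if (cur == key && $1 == "[Bool]" && $2 == "true") found = 1
            state = 0
        }
        END { exit !found }
    '
}

# check_binaries PATH...
# Prints one status line per binary; returns non-zero if any lacks the entitlement.
check_binaries() {
    rc=0
    for bin in "$@"; do
        if codesign -d --entitlements - "$bin" 2>/dev/null |
            has_entitlement "$ENTITLEMENT"; then
            echo "ok       $bin"
        else
            echo "MISSING  $bin"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed samples (not captured output): entitlement granted, an ad hoc
# signature with no entitlements at all, and the key present but set to false.
sample_granted() { printf '[Dict]\n\t[Key] %s\n\t[Value]\n\t\t[Bool] true\n' "$ENTITLEMENT"; }
sample_none()    { printf ''; }
sample_false()   { printf '[Dict]\n\t[Key] %s\n\t[Value]\n\t\t[Bool] false\n' "$ENTITLEMENT"; }

# Only touch codesign when paths are given, so the file can be sourced safely.
if [ "$#" -gt 0 ]; then
    check_binaries "$@"
fi
```

Run it with the binaries to verify as arguments, for example the plugin paths under libexec/container/plugins/ shown in the comment above.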
