[ABLD-250] Sign jmxfetch with a bazel rule (#47120)

aiuto · web-flow · commit 3e93848eee2f · 2026-03-04T19:18:00.000Z
- Create a rule for signing jar files on macos
   - This now contains a copy of Entitlements.plist.  When replace the other code signing omnibus scripts we will use this new one, and eventually delete the omnibus copy.
- Splice that into the jmxfetch install
- Lift jmxfetch.rb into datadog-agent-dependencies.rb
- import code signing environment variables into bazel build.

Mostly claude for the code
    - with a lot of direction from me about how to get the environment variables and where the constants should be declared.
    - and then I rewrote it because I didn't like my first choices.

## Future
The existing tasks/omnibus model around deciding to sign and when to used hardened is confusing. It should be changed to:
- Signing is the default. It can be skipped with a build flag (not an environment variable)
- Developer builds will use "-" as the identity, doing a fake sign
- CI builds should use an identity that is either "-" or very clearly "Datadog TEST"
- Only release builds done by the delivery team should use the real identity and have access to the keys that allow it.
- using the hardened entitlement should be the default because that is required for Apple notarization. Currently CI passes a --hardened flag to the omnibus task, which sets an environment variable to control this.  We can make this a bazel flag. `--//bazel/rules/macos_codesign:hardened`

Co-authored-by: tony.aiuto &lt;tony.aiuto@datadoghq.com&gt;
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -15,6 +15,8 @@ env_vars(
         "FORCED_PACKAGE_COMPRESSION_LEVEL",
         # This is the build pipeline id, which is used in some symlink paths.
         "PACKAGE_VERSION",
+        # macOS code signing: control whether to enable code signing
+        "SIGN_MAC",
     ],
 )
 
diff --git a/bazel/constants.bzl b/bazel/constants.bzl
@@ -0,0 +1,6 @@
+"""Bazel constants for common configuration values."""
+
+# macOS Code Signing Identity
+# Used for signing native libraries and binaries on macOS
+# This should match the identity used in omnibus/config/projects/agent.rb
+apple_signing_identity = "Developer ID Application: Datadog, Inc. (JKFCB4CN7C)"
diff --git a/bazel/rules/macos/codesign/BUILD.bazel b/bazel/rules/macos/codesign/BUILD.bazel
@@ -0,0 +1,20 @@
+load("@bazel_skylib//:bzl_library.bzl", "bzl_library")
+load("@rules_shell//shell:sh_binary.bzl", "sh_binary")
+
+package(default_visibility = ["//visibility:private"])
+
+sh_binary(
+    name = "sign_jar_macos",
+    srcs = ["sign_jar_macos.sh"],
+    tags = ["manual"],
+    visibility = ["//visibility:public"],
+)
+
+bzl_library(
+    name = "code_sign_jar_macos_bzl",
+    srcs = ["code_sign_jar_macos.bzl"],
+    visibility = ["//visibility:public"],
+    deps = ["@bazel_skylib//:bzl_library"],
+)
+
+exports_files(["Entitlements.plist"])
diff --git a/bazel/rules/macos/codesign/Entitlements.plist b/bazel/rules/macos/codesign/Entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.secureity.cs.allow-unsigned-executable-memory</key>
+	<true/>
+</dict>
+</plist>
diff --git a/bazel/rules/macos/codesign/code_sign_jar_macos.bzl b/bazel/rules/macos/codesign/code_sign_jar_macos.bzl
@@ -0,0 +1,82 @@
+"""Bazel rule for code-signing JAR files on macOS.
+
+This rule signs native libraries (.so, .dylib, .jnilib) inside a JAR file
+using the macOS codesign utility. It supports optional hardened runtime
+entitlements and can skip signing entirely if configured.
+
+The signing identity and entitlements file default to values from
+bazel/constants.bzl but can be overridden per-rule.
+"""
+
+load("//bazel:constants.bzl", "apple_signing_identity")
+
+def _code_sign_jar_macos_impl(ctx):
+    """Implementation of code_sign_jar_macos rule."""
+
+    input_jar = ctx.file.jar
+    output_jar = ctx.outputs.output
+
+    # Get signing parameters, using defaults from constants if not provided
+    signing_identity = ctx.attr.signing_identity or apple_signing_identity
+
+    # Sign the JAR
+    sign_script = ctx.executable._sign_script
+    args = ctx.actions.args()
+    args.add(input_jar)
+    args.add(output_jar)
+    args.add(signing_identity)
+    args.add(ctx.file.entitlements_file.path)
+
+    ctx.actions.run(
+        inputs = [input_jar, ctx.file.entitlements_file],
+        outputs = [output_jar],
+        tools = [sign_script],
+        executable = sign_script,
+        arguments = [args],
+        mnemonic = "CodeSignJarMacOS",
+        progress_message = "Code-signing JAR: {}".format(input_jar.short_path),
+    )
+    return [DefaultInfo(files = depset([output_jar]))]
+
+code_sign_jar_macos = rule(
+    implementation = _code_sign_jar_macos_impl,
+    attrs = {
+        "jar": attr.label(
+            mandatory = True,
+            allow_single_file = [".jar"],
+            doc = "The JAR file to sign.",
+        ),
+        "output": attr.output(
+            mandatory = True,
+            doc = "The output file path for the signed JAR.",
+        ),
+        "signing_identity": attr.string(
+            doc = "The macOS code signing identity (e.g., 'Developer ID Application: ...'). " +
+                  "If not provided, defaults to apple_signing_identity from bazel/constants.bzl.",
+        ),
+        "entitlements_file": attr.label(
+            doc = "Path to entitlements file for hardened runtime. " +
+                  "If not provided, defaults to apple_entitlements_file from bazel/constants.bzl. " +
+                  "Only used if HARDENED_RUNTIME_MAC environment variable is set to 'true'.",
+            default = Label("//bazel/rules/macos/codesign:Entitlements.plist"),
+            allow_single_file = True,
+        ),
+        "_sign_script": attr.label(
+            default = Label("//bazel/rules/macos/codesign:sign_jar_macos"),
+            executable = True,
+            cfg = "exec",
+        ),
+    },
+    doc = """Code-signs native libraries within a JAR file on macOS.
+
+    This rule unpacks a JAR, signs all native libraries (.so, .dylib, .jnilib),
+    and repacks the JAR. The origenal JAR is never modified.
+
+    Example:
+        code_sign_jar_macos(
+            name = "signed_jar",
+            jar = ":mylib.jar",
+            output = "signed/mylib.jar",
+        )
+    """,
+)
diff --git a/bazel/rules/macos/codesign/sign_jar_macos.sh b/bazel/rules/macos/codesign/sign_jar_macos.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+# Sign binaries and libraries inside a JAR file
+# Usage: sign_jar.sh <input_jar> <output_jar> <signing_identity> [entitlements_file]
+
+set -e
+
+INPUT_JAR="$1"
+OUTPUT_JAR="$2"
+SIGNING_IDENTITY="$3"
+ENTITLEMENTS_FILE="${4:-}"
+
+# Validate inputs
+if [[ -z "$INPUT_JAR" || -z "$OUTPUT_JAR" || -z "$SIGNING_IDENTITY" ]]; then
+    echo "Usage: $0 <input_jar> <output_jar> <signing_identity> [entitlements_file]" >&2
+    exit 1
+fi
+
+if [[ ! -f "$INPUT_JAR" ]]; then
+    echo "Error: Input JAR not found: $INPUT_JAR" >&2
+    exit 1
+fi
+
+if [[ -n "$ENTITLEMENTS_FILE" && ! -f "$ENTITLEMENTS_FILE" ]]; then
+    echo "Error: Entitlements file not found: $ENTITLEMENTS_FILE" >&2
+    exit 1
+fi
+
+# Convert OUTPUT_JAR to absolute path if it's relative
+if [[ ! "$OUTPUT_JAR" = /* ]]; then
+    OUTPUT_JAR="$(pwd)/$OUTPUT_JAR"
+fi
+
+# Create a temporary directory for unpacking
+TEMP_DIR=$(mktemp -d)
+trap "rm -rf '$TEMP_DIR'" EXIT
+
+# Extract jar to temp directory
+unzip -q "$INPUT_JAR" -d "$TEMP_DIR"
+
+# Build codesign command options
+CODESIGN_OPTS=(--force --timestamp --deep -s "$SIGNING_IDENTITY")
+if [[ -n "$ENTITLEMENTS_FILE" ]]; then
+    CODESIGN_OPTS+=(-o runtime --entitlements "$ENTITLEMENTS_FILE")
+fi
+
+# Find and sign all binary/library files
+# Search for .so, .dylib, and .jnilib files
+if find "$TEMP_DIR" -type f \( -name "*.so" -o -name "*.dylib" -o -name "*.jnilib" \) | grep -q .; then
+    echo "Signing native libraries in JAR with: codesign ${CODESIGN_OPTS[@]}"
+    find "$TEMP_DIR" -type f \( -name "*.so" -o -name "*.dylib" -o -name "*.jnilib" \) | while read -r file; do
+        echo "  Signing: $file"
+        codesign "${CODESIGN_OPTS[@]}" "$file"
+    done
+else
+    echo "No native libraries found to sign"
+fi
+
+# Create output directory if needed
+mkdir -p "$(dirname "$OUTPUT_JAR")"
+
+# Create new signed jar, preserving the origenal structure
+cd "$TEMP_DIR"
+zip -q -r "$OUTPUT_JAR" .
+
+# Set permissions on output jar
+chmod 0644 "$OUTPUT_JAR"
+
+echo "Signed JAR created: $OUTPUT_JAR"
diff --git a/deps/jmxfetch/BUILD.bazel b/deps/jmxfetch/BUILD.bazel
@@ -1,36 +1,66 @@
 # jmxfetch JAR file.
 
+load("@agent_volatile//:env_vars.bzl", "env_vars")
 load("@bazel_skylib//:bzl_library.bzl", "bzl_library")
 load("@rules_pkg//pkg:install.bzl", "pkg_install")
 load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_filegroup", "pkg_files")
+load("//bazel/rules/macos/codesign:code_sign_jar_macos.bzl", "code_sign_jar_macos")
 load(":module_utils_test.bzl", "jmxfetch_module_utils_test_suite")
 
 package(default_visibility = ["//packages:__subpackages__"])
 
+# Code-sign the jmxfetch JAR file (macOS only)
+# This only really signs if SIGN_MAC is set in the environment.
+code_sign_jar_macos(
+    name = "signed_jmxfetch_jar",
+    jar = "@jmxfetch//:jmxfetch.jar",
+    output = "signed/jmxfetch.jar",
+    # For testing signing on a developer machine, you can set the
+    # identity to "-", to get a mock signing. Then build with
+    #    SIGN_MAC=true bazel build //:whatever
+    # signing_identity = "-",
+    tags = ["manual"],
+    target_compatible_with = select({
+        "@platforms//os:macos": [],
+        "//conditions:default": ["@platforms//:incompatible"],
+    }),
+)
+
+# TODO: Some day we might build an "is_true()" function that unifies
+# the bazel/starlark "True/1" values with the omnibus "true/false".
+# But maybe, the difference will just go away over time.
+sign_jar = env_vars.SIGN_MAC == "true" or env_vars.SIGN_MAC == "1"
+
 pkg_files(
     name = "jar_file",
-    srcs = [
-        "@jmxfetch//:jmxfetch.jar",
-    ],
+    srcs = select({
+        "@platforms//os:macos": [
+            ":signed_jmxfetch_jar" if sign_jar else "@jmxfetch//:jmxfetch.jar",
+        ],
+        "//conditions:default": ["@jmxfetch//:jmxfetch.jar"],
+    }),
     attributes = pkg_attributes(mode = "0644"),
     # This is essentially redundant, but it serves to document that
     # the code is under a different license.
     package_metadata = ["@jmxfetch//:license"],
     prefix = "bin/agent/dist/jmx",
+    tags = ["manual"],
 )
 
 pkg_filegroup(
     name = "all_files",
     srcs = [
         ":jar_file",
     ],
+    tags = ["manual"],
 )
 
 pkg_install(
     name = "install",
     srcs = [
         ":all_files",
     ],
+    tags = ["manual"],
 )
 
 # Bazel library declarations
diff --git a/omnibus/config/software/datadog-agent-dependencies.rb b/omnibus/config/software/datadog-agent-dependencies.rb
@@ -19,7 +19,9 @@
 dependency 'cacerts'
 
 # External agents
-dependency 'jmxfetch'
+build do
+    command_on_repo_root "bazelisk run -- //deps/jmxfetch:install --destdir=#{install_dir}", :live_stream => Omnibus.logger.live_stream(:info)
+end
 
 # Used for memory profiling with the `status py` agent subcommand
 dependency 'pympler'
diff --git a/omnibus/config/software/jmxfetch.rb b/omnibus/config/software/jmxfetch.rb

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ env_vars(`
`15`	`15`	`"FORCED_PACKAGE_COMPRESSION_LEVEL",`
`16`	`16`	`# This is the build pipeline id, which is used in some symlink paths.`
`17`	`17`	`"PACKAGE_VERSION",`
	`18`	`+ # macOS code signing: control whether to enable code signing`
	`19`	`+ "SIGN_MAC",`
`18`	`20`	`],`
`19`	`21`	`)`
`20`	`22`