dotnet: fix dotnet executables in darwin sandbox

This fixes:

    Could not load ICU data. UErrorCode: 2

We're using a hook instead of a wrapper because various things like to
reference the unwrapped dotnet executable.

pkgs/build-support/dotnet/build-dotnet-module/default.nix

@@ -185,6 +185,10 @@ stdenvNoCC.mkDerivation (args // {
 
   inherit selfContainedBuild useAppHost useDotnetFromEnv;
 
+  # propagate the runtime sandbox profile since the contents apply to published
+  # executables
+  propagatedSandboxProfile = toString dotnet-runtime.__propagatedSandboxProfile;
+
   passthru = {
     inherit nuget-source;
   } // lib.optionalAttrs (!lib.isDerivation nugetDeps) {
@@ -316,8 +320,4 @@ stdenvNoCC.mkDerivation (args // {
   } // args.passthru or { };
 
   meta = (args.meta or { }) // { inherit platforms; };
-}
+})
-  # ICU tries to unconditionally load files from /usr/share/icu on Darwin, which makes builds fail
-  # in the sandbox, so disable ICU on Darwin. This, as far as I know, shouldn't cause any built packages
-  # to behave differently, just the dotnet build tool.
-  // lib.optionalAttrs stdenvNoCC.isDarwin { DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = 1; })

pkgs/development/compilers/dotnet/build-dotnet.nix

@@ -26,6 +26,7 @@ assert if type == "sdk" then packages != null else true;
 , mkNugetDeps
 , callPackage
 , dotnetCorePackages
+, xmlstarlet
 }:
 
 let
@@ -47,6 +48,9 @@ let
 
   targetRid = dotnetCorePackages.systemToDotnetRid stdenv.targetPlatform.system;
 
+  sigtool = callPackage ./sigtool.nix {};
+  signAppHost = callPackage ./sign-apphost.nix {};
+
 in
 mkCommon type rec {
   inherit pname version;
@@ -54,7 +58,11 @@ mkCommon type rec {
   # Some of these dependencies are `dlopen()`ed.
   nativeBuildInputs = [
     makeWrapper
-  ] ++ lib.optional stdenv.isLinux autoPatchelfHook;
+  ] ++ lib.optional stdenv.isLinux autoPatchelfHook
+  ++ lib.optionals (type == "sdk" && stdenv.isDarwin) [
+    xmlstarlet
+    sigtool
+  ];
 
   buildInputs = [
     stdenv.cc.cc
@@ -71,6 +79,16 @@ mkCommon type rec {
 
   sourceRoot = ".";
 
+  postPatch = if type == "sdk" && stdenv.isDarwin then ''
+    xmlstarlet ed \
+      --inplace \
+      -s //_:Project -t elem -n Import \
+      -i \$prev -t attr -n Project -v "${signAppHost}" \
+      sdk/*/Sdks/Microsoft.NET.Sdk/targets/Microsoft.NET.Sdk.targets
+
+    codesign --remove-signature packs/Microsoft.NETCore.App.Host.osx-*/*/runtimes/osx-*/native/{apphost,singlefilehost}
+  '' else null;
+
   dontPatchELF = true;
   noDumpEnvVars = true;
 
@@ -108,6 +126,14 @@ mkCommon type rec {
       $out/packs/Microsoft.NETCore.App.Host.${targetRid}/*/runtimes/${targetRid}/native/*host
   '';
 
+  # fixes: Could not load ICU data. UErrorCode: 2
+  propagatedSandboxProfile = lib.optionalString stdenv.isDarwin ''
+    (allow file-read* (subpath "/usr/share/icu"))
+    (allow file-read* (subpath "/private/var/db/mds/system"))
+    (allow mach-lookup (global-name "com.apple.SecurityServer")
+                       (global-name "com.apple.system.opendirectoryd.membership"))
+  '';
+
   passthru = {
     inherit icu;
   } // lib.optionalAttrs (type == "sdk") {

pkgs/development/compilers/dotnet/common.nix

@@ -52,7 +52,12 @@
           run ? null,
         }:
         let
-          built = runCommand "dotnet-test-${name}" { buildInputs = [ finalAttrs.finalPackage ]; } (''
+          sdk = finalAttrs.finalPackage;
+          built = runCommand "dotnet-test-${name}" {
+            buildInputs = [ sdk ];
+            # make sure ICU works in a sandbox
+            propagatedSandboxProfile = toString sdk.__propagatedSandboxProfile;
+          } (''
             HOME=$PWD/.home
             dotnet new nugetconfig
             dotnet nuget disable source nuget
@@ -65,11 +70,13 @@
           if run == null
             then built
           else
-            runCommand "${built.name}-run" { src = built; nativeBuildInputs = runInputs; } (
+            runCommand "${built.name}-run" {
-              lib.optionalString (runtime != null) ''
+              src = built;
-                # TODO: use runtime here
+              nativeBuildInputs = [ built ] ++ runInputs;
-                export DOTNET_ROOT=${runtime}
+            } (lib.optionalString (runtime != null) ''
-              '' + run);
+              # TODO: use runtime here
+              export DOTNET_ROOT=${runtime}
+            '' + run);
 
       # Setting LANG to something other than 'C' forces the runtime to search
       # for ICU, which will be required in most user environments.

pkgs/development/compilers/dotnet/stage0.nix

@@ -25,8 +25,6 @@ let
 
   patchNupkgs = pkgsBuildHost.callPackage ./patch-nupkgs.nix {};
 
-  signAppHost = callPackage ./sign-apphost.nix {};
-
   deps = mkNugetDeps {
     name = "dotnet-vmr-deps";
     sourceFile = depsFile;
@@ -51,12 +49,6 @@ let
         -s //Project -t elem -n Import \
         -i \$prev -t attr -n Project -v "${./patch-restored-packages.proj}" \
         src/*/Directory.Build.targets
-    '' + lib.optionalString stdenv.isDarwin ''
-      xmlstarlet ed \
-        --inplace \
-        -s //Project -t elem -n Import \
-        -i \$prev -t attr -n Project -v "${signAppHost}" \
-        src/runtime/Directory.Build.targets
     '';
 
     postConfigure = old.postConfigure or "" + ''