firka/flutter
firka/flutter
5
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

iOS,macOS: Add list of expected-unsigned binaries (#154591)

Browse Source 
This updates the codesigning test to account for iOS and macOS binaries in the artifact cache that are _expected_ to not be codesigned.

In https://github.com/flutter/engine/pull/54414 we started bundling dSYM (debugging symbols) within Flutter.xcframework, a requirement for App Store verification using Xcode 16.

We did the same for macOS in https://github.com/flutter/engine/pull/54696.

Unlike the framework dylib, dSYM contents are not directly codesigned (though the xcframework containing them is).

Issue: https://github.com/flutter/flutter/issues/154571
This commit is contained in:
Chris Bracken 2024-09-04 11:27:06 -07:00 committed by GitHub
parent ce15e3bcb5
commit 07fcfd1776
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 28 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
dev/bots/suite_runners/run_verify_binaries_codesigned_tests.dart
View File

@ -87,7 +87,6 @@ List<String> binariesWithoutEntitlements(String flutterRoot) {
return <String>[ return <String>[
'artifacts/engine/darwin-x64-profile/FlutterMacOS.xcframework/macos-arm64_x86_64/FlutterMacOS.framework/Versions/A/FlutterMacOS', 'artifacts/engine/darwin-x64-profile/FlutterMacOS.xcframework/macos-arm64_x86_64/FlutterMacOS.framework/Versions/A/FlutterMacOS',
'artifacts/engine/darwin-x64-release/FlutterMacOS.xcframework/macos-arm64_x86_64/FlutterMacOS.framework/Versions/A/FlutterMacOS', 'artifacts/engine/darwin-x64-release/FlutterMacOS.xcframework/macos-arm64_x86_64/FlutterMacOS.framework/Versions/A/FlutterMacOS',
'artifacts/engine/darwin-x64-release/FlutterMacOS.xcframework/macos-arm64_x86_64/dSYMs/FlutterMacOS.framework.dSYM/Contents/Resources/DWARF/FlutterMacOS',
'artifacts/engine/darwin-x64/FlutterMacOS.xcframework/macos-arm64_x86_64/FlutterMacOS.framework/Versions/A/FlutterMacOS', 'artifacts/engine/darwin-x64/FlutterMacOS.xcframework/macos-arm64_x86_64/FlutterMacOS.framework/Versions/A/FlutterMacOS',
'artifacts/engine/darwin-x64/font-subset', 'artifacts/engine/darwin-x64/font-subset',
'artifacts/engine/darwin-x64/impellerc', 'artifacts/engine/darwin-x64/impellerc',
@ -98,10 +97,8 @@ List<String> binariesWithoutEntitlements(String flutterRoot) {
'artifacts/engine/ios-profile/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter', 'artifacts/engine/ios-profile/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
'artifacts/engine/ios-profile/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter', 'artifacts/engine/ios-profile/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter', 'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter', 'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter', 'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter', 'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
'artifacts/engine/ios/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter', 'artifacts/engine/ios/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
'artifacts/engine/ios/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter', 'artifacts/engine/ios/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
@ -112,6 +109,21 @@ List<String> binariesWithoutEntitlements(String flutterRoot) {
.map((String relativePath) => path.join(flutterRoot, 'bin', 'cache', relativePath)).toList(); .map((String relativePath) => path.join(flutterRoot, 'bin', 'cache', relativePath)).toList();
} }
/// Binaries that are not expected to be codesigned.
///
/// This list should be kept in sync with the actual contents of Flutter's cache.
List<String> unsignedBinaries(String flutterRoot) {
return <String>[
'artifacts/engine/darwin-x64-release/FlutterMacOS.xcframework/macos-arm64_x86_64/dSYMs/FlutterMacOS.framework.dSYM/Contents/Resources/DWARF/FlutterMacOS',
'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
]
.map((String relativePath) => path.join(flutterRoot, 'bin', 'cache', relativePath)).toList();
}
/// xcframeworks that are expected to be codesigned. /// xcframeworks that are expected to be codesigned.
/// ///
/// This list should be kept in sync with the actual contents of Flutter's /// This list should be kept in sync with the actual contents of Flutter's
@ -136,8 +148,8 @@ List<String> signedXcframeworks(String flutterRoot) {
/// This function ignores code signatures and entitlements, and is intended to /// This function ignores code signatures and entitlements, and is intended to
/// be run on every commit. It should throw if either new binaries are added /// be run on every commit. It should throw if either new binaries are added
/// to the cache or expected binaries removed. In either case, this class' /// to the cache or expected binaries removed. In either case, this class'
/// [binariesWithEntitlements] or [binariesWithoutEntitlements] lists should /// [binariesWithEntitlements], [binariesWithoutEntitlements], and
/// be updated accordingly. /// [unsignedBinaries] lists should be updated accordingly.
Future<void> verifyExist( Future<void> verifyExist(
String flutterRoot, String flutterRoot,
{@visibleForTesting ProcessManager processManager = const LocalProcessManager() {@visibleForTesting ProcessManager processManager = const LocalProcessManager()
@ -146,16 +158,18 @@ Future<void> verifyExist(
path.join(flutterRoot, 'bin', 'cache'), path.join(flutterRoot, 'bin', 'cache'),
processManager: processManager, processManager: processManager,
); );
final List<String> allExpectedFiles = binariesWithEntitlements(flutterRoot) + binariesWithoutEntitlements(flutterRoot); final List<String> expectedSigned = binariesWithEntitlements(flutterRoot) + binariesWithoutEntitlements(flutterRoot);
final List<String> expectedUnsigned = unsignedBinaries(flutterRoot);
final Set<String> foundFiles = <String>{ final Set<String> foundFiles = <String>{
for (final String binaryPath in binaryPaths) for (final String binaryPath in binaryPaths)
if (allExpectedFiles.contains(binaryPath)) binaryPath if (expectedSigned.contains(binaryPath)) binaryPath
else if (expectedUnsigned.contains(binaryPath)) binaryPath
else throw Exception('Found unexpected binary in cache: $binaryPath'), else throw Exception('Found unexpected binary in cache: $binaryPath'),
}; };
if (foundFiles.length < allExpectedFiles.length) { if (foundFiles.length < expectedSigned.length) {
final List<String> unfoundFiles = <String>[ final List<String> unfoundFiles = <String>[
for (final String file in allExpectedFiles) if (!foundFiles.contains(file)) file, for (final String file in expectedSigned) if (!foundFiles.contains(file)) file,
]; ];
print( print(
'Expected binaries not found in cache:\n\n${unfoundFiles.join('\n')}\n\n' 'Expected binaries not found in cache:\n\n${unfoundFiles.join('\n')}\n\n'
@ -195,6 +209,11 @@ Future<void> verifySignatures(
if (signedXcframeworks(flutterRoot).contains(pathToCheck)) { if (signedXcframeworks(flutterRoot).contains(pathToCheck)) {
verifySignature = true; verifySignature = true;
} }
if (unsignedBinaries(flutterRoot).contains(pathToCheck)) {
// Binary is expected to be unsigned. No need to check signature, entitlements.
continue;
}
if (!verifySignature && !verifyEntitlements) { if (!verifySignature && !verifyEntitlements) {
unexpectedFiles.add(pathToCheck); unexpectedFiles.add(pathToCheck);
print('Unexpected binary or xcframework $pathToCheck found in cache!'); print('Unexpected binary or xcframework $pathToCheck found in cache!');