Add entitlement checks to codesigning test (#52919)
This commit is contained in:
parent
284e3bad33
commit
8001abec43
@ -61,9 +61,74 @@ bool checkCacheIsCurrent() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void main() {
|
List<String> get binariesWithEntitlements => List<String>.unmodifiable(<String>[
|
||||||
final List<String> failures = <String>[];
|
'idevice_id',
|
||||||
|
'ideviceinfo',
|
||||||
|
'idevicename',
|
||||||
|
'idevicescreenshot',
|
||||||
|
'idevicesyslog',
|
||||||
|
'libimobiledevice.6.dylib',
|
||||||
|
'ideviceinstaller',
|
||||||
|
'libplist.3.dylib',
|
||||||
|
'iproxy',
|
||||||
|
'libusbmuxd.4.dylib',
|
||||||
|
'libssl.1.0.0.dylib',
|
||||||
|
'libcrypto.1.0.0.dylib',
|
||||||
|
'libzip.5.0.dylib',
|
||||||
|
'libzip.5.dylib',
|
||||||
|
'gen_snapshot',
|
||||||
|
'dart',
|
||||||
|
'flutter_tester',
|
||||||
|
'gen_snapshot_arm64',
|
||||||
|
'gen_snapshot_armv7',
|
||||||
|
]);
|
||||||
|
|
||||||
|
List<String> get expectedEntitlements => List<String>.unmodifiable(<String>[
|
||||||
|
'com.apple.security.cs.allow-jit',
|
||||||
|
'com.apple.security.cs.allow-unsigned-executable-memory',
|
||||||
|
'com.apple.security.cs.allow-dyld-environment-variables',
|
||||||
|
'com.apple.security.network.client',
|
||||||
|
'com.apple.security.network.server',
|
||||||
|
'com.apple.security.cs.disable-library-validation',
|
||||||
|
]);
|
||||||
|
|
||||||
|
|
||||||
|
/// Check if the binary has the expected entitlements.
|
||||||
|
bool hasExpectedEntitlements(String binaryPath) {
|
||||||
|
try {
|
||||||
|
final ProcessResult entitlementResult = Process.runSync(
|
||||||
|
'codesign',
|
||||||
|
<String>[
|
||||||
|
'--display',
|
||||||
|
'--entitlements',
|
||||||
|
':-',
|
||||||
|
binaryPath,
|
||||||
|
],
|
||||||
|
);
|
||||||
|
|
||||||
|
if (entitlementResult.exitCode != 0) {
|
||||||
|
print('The `codesign --entitlements` command failed with exit code ${entitlementResult.exitCode}:\n'
|
||||||
|
'${entitlementResult.stderr}\n');
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool passes = true;
|
||||||
|
final String output = entitlementResult.stdout as String;
|
||||||
|
for (final String entitlement in expectedEntitlements) {
|
||||||
|
final bool entitlementExpected = binariesWithEntitlements.contains(path.basename(binaryPath));
|
||||||
|
if (output.contains(entitlement) != entitlementExpected) {
|
||||||
|
print('File "$binaryPath" ${entitlementExpected ? 'does not have expected' : 'has unexpected'} entitlement $entitlement.');
|
||||||
|
passes = false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return passes;
|
||||||
|
} catch (e) {
|
||||||
|
print(e);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void main() {
|
||||||
if (!Platform.isMacOS) {
|
if (!Platform.isMacOS) {
|
||||||
print('Error! Expected operating system "macos", actual operating system '
|
print('Error! Expected operating system "macos", actual operating system '
|
||||||
'is: "${Platform.operatingSystem}"');
|
'is: "${Platform.operatingSystem}"');
|
||||||
@ -78,28 +143,45 @@ void main() {
|
|||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
final List<String> unsignedBinaries = <String>[];
|
||||||
|
final List<String> wrongEntitlementBinaries = <String>[];
|
||||||
for (final String binaryPath in findBinaryPaths(cacheDirectory)) {
|
for (final String binaryPath in findBinaryPaths(cacheDirectory)) {
|
||||||
print('Verifying the code signature of $binaryPath');
|
print('Verifying the code signature of $binaryPath');
|
||||||
final ProcessResult result = Process.runSync(
|
final ProcessResult codeSignResult = Process.runSync(
|
||||||
'codesign',
|
'codesign',
|
||||||
<String>[
|
<String>[
|
||||||
'-vvv',
|
'-vvv',
|
||||||
binaryPath,
|
binaryPath,
|
||||||
],
|
],
|
||||||
);
|
);
|
||||||
if (result.exitCode != 0) {
|
if (codeSignResult.exitCode != 0) {
|
||||||
failures.add(binaryPath);
|
unsignedBinaries.add(binaryPath);
|
||||||
print('File "$binaryPath" does not appear to be codesigned.\n'
|
print('File "$binaryPath" does not appear to be codesigned.\n'
|
||||||
'The `codesign` command failed with exit code ${result.exitCode}:\n'
|
'The `codesign` command failed with exit code ${codeSignResult.exitCode}:\n'
|
||||||
'${result.stderr}\n');
|
'${codeSignResult.stderr}\n');
|
||||||
|
continue;
|
||||||
|
} else {
|
||||||
|
print('Verifying entitlements of $binaryPath');
|
||||||
|
if (!hasExpectedEntitlements(binaryPath)) {
|
||||||
|
wrongEntitlementBinaries.add(binaryPath);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (failures.isNotEmpty) {
|
if (unsignedBinaries.isNotEmpty) {
|
||||||
print('Found ${failures.length} unsigned binaries.');
|
print('Found ${unsignedBinaries.length} unsigned binaries:');
|
||||||
failures.forEach(print);
|
unsignedBinaries.forEach(print);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (wrongEntitlementBinaries.isNotEmpty) {
|
||||||
|
print('Found ${wrongEntitlementBinaries.length} binaries with unexpected entitlements:');
|
||||||
|
wrongEntitlementBinaries.forEach(print);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (unsignedBinaries.isNotEmpty) {
|
||||||
|
// TODO(jmagman): Also exit if `wrongEntitlementBinaries.isNotEmpty` after https://github.com/flutter/flutter/issues/46704 is done.
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
print('Verified that binaries are codesigned.');
|
print('Verified that binaries are codesigned and have expected entitlements.');
|
||||||
}
|
}
|
||||||
|
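Review bot: In `hasExpectedEntitlements` the bare `} catch (e) {` around the `codesign --display --entitlements` call turns any thrown object, including programming errors, into a printed message and a `false` result with the stack trace lost; the only failure `Process.runSync` itself raises here is a missing or non-executable `codesign`, so narrow it to `} on ProcessException catch (e) {` and let everything else propagate. The `binariesWithEntitlements.contains(path.basename(binaryPath))` lookup inside `for (final String entitlement in expectedEntitlements)` does not depend on `entitlement`, so move `final bool entitlementExpected = binariesWithEntitlements.contains(path.basename(binaryPath));` above the loop. `output.contains(entitlement)` is a plain substring match over the entitlement plist text; it is sound for the six keys listed because none is a prefix of another, so a comment such as `// Substring match: keep expectedEntitlements free of keys that are prefixes of one another.` would protect whoever extends the list. The two-sided comparison (allow-listed binaries must carry all six hardened-runtime exemptions, every other binary none) is the useful property here, and it is worth stating in the `///` doc above the function rather than only implying it through the mismatch message.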