iOS,macOS: Skip codesigning files in unsigned_binaries.txt #3890

Merged
merged 1 commit into from
Sep 5, 2024

cbracken
Member

@cbracken cbracken commented Sep 5, 2024

This updates the code-signing workflow to account for iOS and macOS binaries in the artifact cache that are expected to not be codesigned.

In flutter/engine#54414 we started bundling dSYM (debugging symbols) within Flutter.xcframework, a requirement for App Store verification using Xcode 16.

We did the same for macOS in flutter/engine#54696.

Unlike the framework dylib, dSYM contents are not directly codesigned (though the xcframework containing them is). This skips code-signing for files found in unsigned_binaries.txt, which will be added in a followup patch to the framework artifact archive creation scripts in engine:

  • sky/tools/create_ios_framework.py
  • sky/tools/create_macos_framework.py

Issue: flutter/flutter#154571

Pre-launch Checklist

  • I read the Contributor Guide and followed the process outlined there for submitting PRs.
  • I read the Tree Hygiene wiki page, which explains my responsibilities.
  • I read the Flutter Style Guide recently, and have followed its advice.
  • I signed the CLA.
  • I listed at least one issue that this PR fixes in the description above.
  • I updated/added relevant documentation (doc comments with ///).
  • I added new tests to check the change I am making, or this PR is test-exempt.
  • All existing and new tests are passing.

If you need help, consider asking for advice on the #hackers-new channel on Discord.

@@ -124,26 +130,30 @@ class FileCodesignVisitor {
static final RegExp _notarytoolStatusCheckPattern = RegExp(r'[ ]*status: ([a-zA-z ]+)');
static final RegExp _notarytoolRequestPattern = RegExp(r'id: ([a-z0-9-]+)');

static const String fixItInstructions = '''
static final String fixItInstructions = '''
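Review bot: In the context line for `_notarytoolStatusCheckPattern`, the character class `[a-zA-z ]` runs from `A` to lowercase `z`, so it also matches the punctuation that sits between `Z` and `a` (`[`, `\`, `]`, `^`, `_` and the backtick); `[a-zA-Z ]` looks like the intent. This pattern parses the notarization status, so it is worth tightening while this class is being touched. On the changed line, a one-line comment saying why `fixItInstructions` is `final` rather than `const` would save the next reader the question.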
Member Author

Because we're using the filenames from the enum now rather than hardcoding.

Contributor

interesting that dereferencing this is not a const expression, but oh well

@cbracken cbracken force-pushed the add-unsigned branch 2 times, most recently from 39bb7a5 to 61da2b6 Compare September 5, 2024 18:20
@cbracken
Member Author

cbracken commented Sep 5, 2024

Note: Updated a doc comment and improved a variable name in a followup commit just now.

Contributor

@christopherfujino christopherfujino left a comment

LGTM

@cbracken cbracken added the autosubmit Merge PR when tree becomes green via auto submit App. label Sep 5, 2024
@auto-submit auto-submit bot merged commit e5c16b7 into flutter:main Sep 5, 2024
5 checks passed
@cbracken cbracken deleted the add-unsigned branch September 5, 2024 19:46
auto-submit bot pushed a commit to flutter/flutter that referenced this pull request Sep 5, 2024
There are three categories of binaries produced as part of the framework artifacts:
* Those that use APIs that require entitlements and must be code-signed; e.g. gen_snapshot
* Those that do not use APIs that require entitlements and must be code-signed; e.g. Flutter.framework dylib.
* Those that do not need to be code-signed; e.g. Flutter.dSYM symbols.

We are adding the third category in flutter/engine#54977. The Cocoon code signing aspect of this was handled in flutter/cocoon#3890.

This ensures these files don't get copied into the build output should they appear in the artifact cache.

Issue: #154571
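
The three categories in the commit message above can be checked mechanically before signing. The following is an added example, not code from Cocoon or the engine: it maps each binary to exactly one action and fails closed when a binary is unlisted, listed twice, or listed but absent. Only `unsigned_binaries.txt` is named on this page; the other two manifests are passed as plain text parameters, the fail-closed policy is an assumption, and the sample paths are constructed.

```python
from enum import Enum


class SignAction(Enum):
    WITH_ENTITLEMENTS = "sign with entitlements"
    WITHOUT_ENTITLEMENTS = "sign without entitlements"
    SKIP = "leave unsigned"


def parse_manifest(text):
    """One archive-relative path per line; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def plan_signing(binaries, with_entitlements, without_entitlements, unsigned):
    """Map every binary to exactly one action, raising ValueError otherwise."""
    categories = {
        SignAction.WITH_ENTITLEMENTS: parse_manifest(with_entitlements),
        SignAction.WITHOUT_ENTITLEMENTS: parse_manifest(without_entitlements),
        SignAction.SKIP: parse_manifest(unsigned),  # unsigned_binaries.txt
    }
    plan, errors = {}, []
    for path in sorted(binaries):
        hits = [action for action, paths in categories.items() if path in paths]
        if len(hits) == 1:
            plan[path] = hits[0]
        elif not hits:
            errors.append(f"{path}: not listed in any manifest")
        else:
            errors.append(f"{path}: listed in {len(hits)} manifests")
    # A manifest entry with no matching file hints at a stale or tampered list.
    listed = set().union(*categories.values())
    for path in sorted(listed - set(binaries)):
        errors.append(f"{path}: listed but missing from archive")
    if errors:
        raise ValueError("; ".join(errors))
    return plan


# Constructed sample input, not taken from a real artifact archive.
SAMPLE_BINARIES = [
    "gen_snapshot",
    "Flutter.framework/Flutter",
    "Flutter.dSYM/Contents/Resources/DWARF/Flutter",
]
SAMPLE_PLAN = plan_signing(
    SAMPLE_BINARIES,
    with_entitlements="gen_snapshot\n",
    without_entitlements="Flutter.framework/Flutter\n",
    unsigned="Flutter.dSYM/Contents/Resources/DWARF/Flutter\n",
)
```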