Add entitlement checks to codesigning test (#52919)
diff --git a/dev/bots/codesign.dart b/dev/bots/codesign.dart
index 0a90b62..1bf0455 100644
--- a/dev/bots/codesign.dart
+++ b/dev/bots/codesign.dart
@@ -61,9 +61,74 @@
}
}
-void main() {
- final List<String> failures = <String>[];
+List<String> get binariesWithEntitlements => List<String>.unmodifiable(<String>[
+ 'idevice_id',
+ 'ideviceinfo',
+ 'idevicename',
+ 'idevicescreenshot',
+ 'idevicesyslog',
+ 'libimobiledevice.6.dylib',
+ 'ideviceinstaller',
+ 'libplist.3.dylib',
+ 'iproxy',
+ 'libusbmuxd.4.dylib',
+ 'libssl.1.0.0.dylib',
+ 'libcrypto.1.0.0.dylib',
+ 'libzip.5.0.dylib',
+ 'libzip.5.dylib',
+ 'gen_snapshot',
+ 'dart',
+ 'flutter_tester',
+ 'gen_snapshot_arm64',
+ 'gen_snapshot_armv7',
+]);
+List<String> get expectedEntitlements => List<String>.unmodifiable(<String>[
+ 'com.apple.security.cs.allow-jit',
+ 'com.apple.security.cs.allow-unsigned-executable-memory',
+ 'com.apple.security.cs.allow-dyld-environment-variables',
+ 'com.apple.security.network.client',
+ 'com.apple.security.network.server',
+ 'com.apple.security.cs.disable-library-validation',
+]);
+
+
+/// Check if the binary has the expected entitlements.
+bool hasExpectedEntitlements(String binaryPath) {
+ try {
+ final ProcessResult entitlementResult = Process.runSync(
+ 'codesign',
+ <String>[
+ '--display',
+ '--entitlements',
+ ':-',
+ binaryPath,
+ ],
+ );
+
+ if (entitlementResult.exitCode != 0) {
+ print('The `codesign --entitlements` command failed with exit code ${entitlementResult.exitCode}:\n'
+ '${entitlementResult.stderr}\n');
+ return false;
+ }
+
+ bool passes = true;
+ final String output = entitlementResult.stdout as String;
+ for (final String entitlement in expectedEntitlements) {
+ final bool entitlementExpected = binariesWithEntitlements.contains(path.basename(binaryPath));
+ if (output.contains(entitlement) != entitlementExpected) {
+ print('File "$binaryPath" ${entitlementExpected ? 'does not have expected' : 'has unexpected'} entitlement $entitlement.');
+ passes = false;
+ }
+ }
+ return passes;
+ } catch (e) {
+ print(e);
+ return false;
+ }
+}
+
+void main() {
if (!Platform.isMacOS) {
print('Error! Expected operating system "macos", actual operating system '
'is: "${Platform.operatingSystem}"');
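Review bot: In `hasExpectedEntitlements`, the `binariesWithEntitlements.contains(path.basename(binaryPath))` lookup on the line after the `for` header is loop-invariant but is recomputed for every expected entitlement, and each access of the `binariesWithEntitlements` getter rebuilds a fresh unmodifiable list; hoist it once before the loop: `final bool entitlementExpected = binariesWithEntitlements.contains(path.basename(binaryPath));` followed by `for (final String entitlement in expectedEntitlements) {`. The `output.contains(entitlement)` test is a bare substring match, so if `codesign --display --entitlements :-` prints the XML plist as it appears to here, a key present with a `<false/>` value would still count as "has" and a lone mention inside another key name would also match; matching on `'<key>$entitlement</key>'` (or parsing the plist) would make the check reflect the actual grant rather than the presence of the text. Consider also making both lists `const List<String>` constants instead of getters, since they never change and the `List.unmodifiable` wrapper buys nothing over `const` here.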
@@ -78,28 +143,45 @@
exit(1);
}
+ final List<String> unsignedBinaries = <String>[];
+ final List<String> wrongEntitlementBinaries = <String>[];
for (final String binaryPath in findBinaryPaths(cacheDirectory)) {
print('Verifying the code signature of $binaryPath');
- final ProcessResult result = Process.runSync(
+ final ProcessResult codeSignResult = Process.runSync(
'codesign',
<String>[
'-vvv',
binaryPath,
],
);
- if (result.exitCode != 0) {
- failures.add(binaryPath);
+ if (codeSignResult.exitCode != 0) {
+ unsignedBinaries.add(binaryPath);
print('File "$binaryPath" does not appear to be codesigned.\n'
- 'The `codesign` command failed with exit code ${result.exitCode}:\n'
- '${result.stderr}\n');
+ 'The `codesign` command failed with exit code ${codeSignResult.exitCode}:\n'
+ '${codeSignResult.stderr}\n');
+ continue;
+ } else {
+ print('Verifying entitlements of $binaryPath');
+ if (!hasExpectedEntitlements(binaryPath)) {
+ wrongEntitlementBinaries.add(binaryPath);
+ }
}
}
- if (failures.isNotEmpty) {
- print('Found ${failures.length} unsigned binaries.');
- failures.forEach(print);
+ if (unsignedBinaries.isNotEmpty) {
+ print('Found ${unsignedBinaries.length} unsigned binaries:');
+ unsignedBinaries.forEach(print);
+ }
+
+ if (wrongEntitlementBinaries.isNotEmpty) {
+ print('Found ${wrongEntitlementBinaries.length} binaries with unexpected entitlements:');
+ wrongEntitlementBinaries.forEach(print);
+ }
+
+ if (unsignedBinaries.isNotEmpty) {
+ // TODO(jmagman): Also exit if `wrongEntitlementBinaries.isNotEmpty` after https://github.com/flutter/flutter/issues/46704 is done.
exit(1);
}
- print('Verified that binaries are codesigned.');
+ print('Verified that binaries are codesigned and have expected entitlements.');
}
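Review bot: The final `print('Verified that binaries are codesigned and have expected entitlements.')` runs even when `wrongEntitlementBinaries` is non-empty, because the preceding `exit(1)` is gated on `unsignedBinaries` only (per the TODO), so a log reader sees a success line directly after a list of binaries with wrong entitlements. Make the closing message match what was actually verified, e.g. `print(wrongEntitlementBinaries.isEmpty` / `? 'Verified that binaries are codesigned and have expected entitlements.'` / `: 'Verified that binaries are codesigned.');`. The `else` after `continue;` in the loop is redundant and adds a nesting level; the `print('Verifying entitlements of $binaryPath');` and the `hasExpectedEntitlements` check can follow the `if` block directly. `main` begins outside this hunk.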