[codesign + GN + artifacts] embed entitlement files in engine artifacts #34112
Conversation
XilaiZhang
changed the title
XilaiZhang
force-pushed
the
xilaizhang-entitlement-1
branch
from
52a043f to
54124cb
Compare
build/zip.py
Outdated
| else: | ||
| zip_file.write(path, archive_name) | ||
| if args.entitlements or args.without_entitlements: | ||
| entitlement_txt = open('/tmp/entitlements.txt', 'w+') |
There was a problem hiding this comment.
is it safe to hardcode this temp path here? what about instead of writing to disk, and then copying to the zip, writing from memory directly to zip with https://docs.python.org/3/library/zipfile.html#zipfile.ZipFile.writestr
There was a problem hiding this comment.
True, working on it
| }, | ||
| ] | ||
|
|
||
| if (is_mac && target_cpu == "x64") { |
There was a problem hiding this comment.
is this not built on arm?
There was a problem hiding this comment.
umm maybe it is built on arm as well but only code signed on x64? in the old code signing script, for font-subset I only find darwin-x64. https://github.com/christopherfujino/codesign.py/blob/a0c3e4c46b936061f7b350ca33109c27e61ad17e/codesign.py#L108-L112
There was a problem hiding this comment.
to ask another way, why are we only running this block if target_cpu == "x64"?
There was a problem hiding this comment.
I could be wrong but I think our old code signing script only signed darwin-x64/font-subset.zip and did not sign for other zips. just font-subset in https://github.com/christopherfujino/codesign.py/blob/a0c3e4c46b936061f7b350ca33109c27e61ad17e/codesign.py#L108-L112. It didn't sign something like darwin-arm/font-subset.zip, so I figured that we probably would just sign when( is_mac && target_cpu == "x64"), which would give us a darwin-x64/font-subset.zip
There was a problem hiding this comment.
It looks like the answer is because we don't generate arm macos host artifacts yet. However, eventually we will, and if we only generate these files for the x64 case, then this code will be wrong once we start building for macOS arm.
There was a problem hiding this comment.
umm I think Christopher mentioned earlier that it might be a good thing if the program fails when we produce new arm macos host artifacts. So that we can detect the new artifact, and adjust the path to entitlements as well, in case they change.
There was a problem hiding this comment.
umm I think Christopher mentioned earlier that it might be a good thing if the program fails when we produce new arm macos host artifacts. So that we can detect the new artifact, and adjust the path to entitlements as well, in case they change.
which program to fail?
There was a problem hiding this comment.
codesign standalone
Yeah if we impose no limit, and later arm64 is included in entitlements.txt, then the codesign program would assume its existence is legit, and treat it as an existing binary.
If arm64 is not included in entitlements.txt, during the traversal of filesystem, codesign standalone would detect that it exists in file system, but does not exist in the configuration file (entitlements.txt), and would therefore prompt the user to update path for arm64.
I am thinking the latter might be better?
godofredoc
left a comment
godofredoc
left a comment
There was a problem hiding this comment.
My recommendation is to keep this PR as simple as we can. E.g. changes to zip.py, template and a single artifact. It is always easier and faster to get a review for a small PR.
Have we tested the change locally?
godofredoc
left a comment
godofredoc
left a comment
There was a problem hiding this comment.
My recommendation is to keep this PR as simple as we can. E.g. changes to zip.py, template and a single artifact. It is always easier and faster to get a review for a small PR.
Have we tested the change locally?
| prefix = "$full_platform_name-$flutter_runtime_mode/" | ||
| } | ||
| output = "$prefix/artifacts.zip" | ||
| encode_entitlements = false |
There was a problem hiding this comment.
Do we need this? or can we rely on the entitlements and without_entitlements list?
| _zip_dir(path, zip_file, archive_name) | ||
| else: | ||
| zip_file.write(path, archive_name) | ||
| if args.entitlements or args.without_entitlements: |
There was a problem hiding this comment.
Should this be two separate if clauses? if one list exists and the other does not it will generate empty files.
| # The files variable is an array of scopes that specify a source file or | ||
| # directory and a destination path in the archive to create. | ||
| # | ||
| # If this zip file is not intended to be codesigned as a Mac artifact, |
There was a problem hiding this comment.
This is probably unnecessary if we can rely on the entitlements lists to decide whether to generate files or not.
| # set variable encode_entitlements to false. | ||
| # | ||
| # If encode_entitlements is set to true, this api will embed Mac | ||
| # codesign entitlements information in the zip file at |
There was a problem hiding this comment.
Maybe more explicitly stating here that it will embed a entitlement.txt file with the list of artifacts to get signed with entitlements ...
| # 'entitlements' and 'without_entitlements'. | ||
| # The entitlements array specifies the list of filepaths that should be | ||
| # codesigned with entitlements. | ||
| # The without_entitlements array specifies the list of filepaths that |
There was a problem hiding this comment.
This seems a bit contradictory. Is this still signing but signing without entitlements?
| ] | ||
| sources += [ input.source ] | ||
| } | ||
| if (invoker.encode_entitlements) { |
There was a problem hiding this comment.
Can you please add docs for the entitlements parameters. E.g. are they expecting the names with directories or just file names? e.g. for a file a/b/c.txt does it need to include path info as a/b/c.txt or just c.txt?
| zip_file.write(path, archive_name) | ||
| if args.entitlements or args.without_entitlements: | ||
| entitlements_txt = '\n'.join(args.entitlements) | ||
| zip_file.writestr('entitlements.txt', entitlements_txt) |
There was a problem hiding this comment.
This script should only be a simple wrapper around zip. We should not be loading it up with any other features.
For files that need to be written from GN, we can use GN's write_file function. See: https://gn.googlesource.com/gn/+/main/docs/reference.md#func_write_file
|
Thanks everyone for the fantastic feedbacks! I pushed up #34180 to incorporate all of them |
|
From Triage: This PR is obsoleted by #34180. Closing. Please re-open if I am mistaken. |
5 participants
embed entitlement files in engine artifacts. This is one of the many parts of the code signing project.
This commit makes changes to BUILD.gn files to include configuration files in engine artifacts.
context: During mac code signing, we would like to know which files in the zip artifact should be signed with entitlements, and this is done by comparing the file paths to an entitlement configuration file. To keep the entitlement configuration file up to date, we would like to host them inside flutter/engine.
design docs: go/code-signing-bot, go/code-signing-standalone