iOS,macOS: Add list of expected-unsigned binaries #154591
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
Author
|
As a followup to this, I think we should add an equivalent file on the engine side, so instead of |
jmagman
reviewed
Sep 3, 2024
Member
jmagman
left a comment
jmagman
left a comment
There was a problem hiding this comment.
The codesign script stdout from the last 3.24.candidate.0 build show's the dSYMs being "successfully" codesigned:
[INFO] codesign: Executing: /usr/bin/codesign --keychain build.keychain -f -s Developer ID Application: FLUTTER.IO LLC (S8QB4VV633) /Volumes/Work/s/w/ir/x/t/conductor_codesign9UWZuh/single_artifact/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter --timestamp --options=runtime
I'm guessing the codesign command check on this side doesn't like this because it's not an executable, as you said.
I think the more correct solution would be to have an unsigned_binaries.txt next to the entitlements and without_entitlements txt files in the engine. However, as a stop-gap for a better solution #153614 this seems fine?
Member
Author
Yep see my comment here: #154591 (comment) For that approach, we still need this patch. |
Member
Ah sorry, missed that comment. |
This updates the codesigning test to account for iOS and macOS binaries in the artifact cache that are _expected_ to not be codesigned. In flutter/engine#54414 we started bundling dSYM (debugging symbols) within Flutter.xcframework, a requirement for App Store verification using Xcode 16. We did the same for macOS in flutter/engine#54696. Unlike the framework dylib, dSYM contents are not directly codesigned (though the xcframework containing them is). Issue: flutter#154571
cbracken
force-pushed
the
codesign-exclusions
branch
from
b96b7f6 to
e8e57d0
Compare
jmagman
approved these changes
Sep 4, 2024
9 tasks
cbracken
added
the
autosubmit
Contributor
|
auto label is removed for flutter/flutter/154591, due to - The status or check suite Google testing has failed. Please fix the issues identified (or deflake) before re-applying this label. |
auto-submit
bot
removed
the
autosubmit
cbracken
added
the
autosubmit
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Sep 4, 2024
auto-submit bot
pushed a commit
that referenced
this pull request
Sep 4, 2024
This updates the codesigning test to account for iOS and macOS binaries in the artifact cache that are _expected_ to not be codesigned. In flutter/engine#54414 we started bundling dSYM (debugging symbols) within Flutter.xcframework, a requirement for App Store verification using Xcode 16. We did the same for macOS in flutter/engine#54696. Unlike the framework dylib, dSYM contents are not directly codesigned (though the xcframework containing them is). Issue: #154571 This is a cherry-pick of #154591 to the flutter-3.24-candidate.0 branch.
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Sep 5, 2024
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Sep 5, 2024
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Sep 5, 2024
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Sep 5, 2024
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Sep 5, 2024
8 tasks
auto-submit bot
pushed a commit
to flutter/engine
that referenced
this pull request
Sep 5, 2024
There are three categories of binaries produced as part of the framework artifacts: * Those that use APIs that require entitlements and must be code-signed; e.g. gen_snapshot * Those that do not use APIs that require entitlements and must be code-signed; e.g. Flutter.framework dylib. * Those that do not need to be code-signed; e.g. Flutter.dSYM symbols. Until now, our signing infrastructure has assumed that all mach-o binaries in the artifacts we produce require a signature. dSYM files are not required to be codesigned, although the xcframework containing them are, and as such they cannot be removed or tampered with. The framework code-signing tests in `dev/bots/suite_runners/run_verify_binaries_codesigned_tests.dart` are only run on post-submit on release branches, and thus, this issue was not uncovered until the first release after all the dSYM work landed. Those tests were updated in flutter/flutter#154591. This updates the framework and artifact archive generation code to also explicitly exclude those files from signing. Issue: flutter/flutter#154571 Related: flutter/flutter#116493 Related: flutter/flutter#153532 [C++, Objective-C, Java style guides]: https://github.com/flutter/engine/blob/main/CONTRIBUTING.md#style
Gustl22
pushed a commit
to Gustl22/flutter
that referenced
this pull request
Nov 13, 2024
This updates the codesigning test to account for iOS and macOS binaries in the artifact cache that are _expected_ to not be codesigned. In flutter/engine#54414 we started bundling dSYM (debugging symbols) within Flutter.xcframework, a requirement for App Store verification using Xcode 16. We did the same for macOS in flutter/engine#54696. Unlike the framework dylib, dSYM contents are not directly codesigned (though the xcframework containing them is). Issue: flutter#154571 This is a cherry-pick of flutter#154591 to the flutter-3.24-candidate.0 branch.
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Dec 11, 2024
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Dec 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This updates the codesigning test to account for iOS and macOS binaries in the artifact cache that are expected to not be codesigned.
In flutter/engine#54414 we started bundling dSYM (debugging symbols) within Flutter.xcframework, a requirement for App Store verification using Xcode 16.
We did the same for macOS in flutter/engine#54696.
Unlike the framework dylib, dSYM contents are not directly codesigned (though the xcframework containing them is).
Issue: #154571
Pre-launch Checklist
///).If you need help, consider asking for advice on the #hackers-new channel on Discord.