| # Copyright 2016 The Chromium Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| import argparse |
| import datetime |
| import fnmatch |
| import glob |
| import os |
| import plistlib |
| import shutil |
| import subprocess |
| import sys |
| import tempfile |
| |
| |
| def GetProvisioningProfilesDir(): |
| """Returns the location of the installed mobile provisioning profiles. |
| |
| Returns: |
| The path to the directory containing the installed mobile provisioning |
| profiles as a string. |
| """ |
| return os.path.join( |
| os.environ['HOME'], 'Library', 'MobileDevice', 'Provisioning Profiles') |
| |
| |
| def LoadPlistFile(plist_path): |
| """Loads property list file at |plist_path|. |
| |
| Args: |
| plist_path: path to the property list file to load. |
| |
| Returns: |
| The content of the property list file as a python object. |
| """ |
| return plistlib.readPlistFromString(subprocess.check_output([ |
| 'xcrun', 'plutil', '-convert', 'xml1', '-o', '-', plist_path])) |
| |
| |
| class Bundle(object): |
| """Wraps a bundle.""" |
| |
| def __init__(self, bundle_path): |
| """Initializes the Bundle object with data from bundle Info.plist file.""" |
| self._path = bundle_path |
| self._data = LoadPlistFile(os.path.join(self._path, 'Info.plist')) |
| |
| @property |
| def path(self): |
| return self._path |
| |
| @property |
| def identifier(self): |
| return self._data['CFBundleIdentifier'] |
| |
| @property |
| def binary_path(self): |
| return os.path.join(self._path, self._data['CFBundleExecutable']) |
| |
| def Validate(self, expected_mappings): |
| """Checks that keys in the bundle have the expected value. |
| |
| Args: |
| expected_mappings: a dictionary of string to object, each mapping will |
| be looked up in the bundle data to check it has the same value (missing |
| values will be ignored) |
| |
| Returns: |
| A dictionary of the key with a different value between expected_mappings |
| and the content of the bundle (i.e. errors) so that caller can format the |
| error message. The dictionary will be empty if there are no errors. |
| """ |
| errors = {} |
| for key, expected_value in expected_mappings.iteritems(): |
| if key in self._data: |
| value = self._data[key] |
| if value != expected_value: |
| errors[key] = (value, expected_value) |
| return errors |
| |
| |
| class ProvisioningProfile(object): |
| """Wraps a mobile provisioning profile file.""" |
| |
| def __init__(self, provisioning_profile_path): |
| """Initializes the ProvisioningProfile with data from profile file.""" |
| self._path = provisioning_profile_path |
| self._data = plistlib.readPlistFromString(subprocess.check_output([ |
| 'xcrun', 'security', 'cms', '-D', '-u', 'certUsageAnyCA', |
| '-i', provisioning_profile_path])) |
| |
| @property |
| def path(self): |
| return self._path |
| |
| @property |
| def application_identifier_pattern(self): |
| return self._data.get('Entitlements', {}).get('application-identifier', '') |
| |
| @property |
| def team_identifier(self): |
| return self._data.get('TeamIdentifier', [''])[0] |
| |
| @property |
| def entitlements(self): |
| return self._data.get('Entitlements', {}) |
| |
| @property |
| def expiration_date(self): |
| return self._data.get('ExpirationDate', datetime.datetime.now()) |
| |
| def ValidToSignBundle(self, bundle_identifier): |
| """Checks whether the provisioning profile can sign bundle_identifier. |
| |
| Args: |
| bundle_identifier: the identifier of the bundle that needs to be signed. |
| |
| Returns: |
| True if the mobile provisioning profile can be used to sign a bundle |
| with the corresponding bundle_identifier, False otherwise. |
| """ |
| return fnmatch.fnmatch( |
| '%s.%s' % (self.team_identifier, bundle_identifier), |
| self.application_identifier_pattern) |
| |
| def Install(self, installation_path): |
| """Copies mobile provisioning profile info to |installation_path|.""" |
| shutil.copy2(self.path, installation_path) |
| |
| |
| class Entitlements(object): |
| """Wraps an Entitlement plist file.""" |
| |
| def __init__(self, entitlements_path): |
| """Initializes Entitlements object from entitlement file.""" |
| self._path = entitlements_path |
| self._data = LoadPlistFile(self._path) |
| |
| @property |
| def path(self): |
| return self._path |
| |
| def ExpandVariables(self, substitutions): |
| self._data = self._ExpandVariables(self._data, substitutions) |
| |
| def _ExpandVariables(self, data, substitutions): |
| if isinstance(data, str): |
| for key, substitution in substitutions.iteritems(): |
| data = data.replace('$(%s)' % (key,), substitution) |
| return data |
| |
| if isinstance(data, dict): |
| for key, value in data.iteritems(): |
| data[key] = self._ExpandVariables(value, substitutions) |
| return data |
| |
| if isinstance(data, list): |
| for i, value in enumerate(data): |
| data[i] = self._ExpandVariables(value, substitutions) |
| |
| return data |
| |
| def LoadDefaults(self, defaults): |
| for key, value in defaults.iteritems(): |
| if key not in self._data: |
| self._data[key] = value |
| |
| def WriteTo(self, target_path): |
| plistlib.writePlist(self._data, target_path) |
| |
| |
| def FindProvisioningProfile(bundle_identifier, required): |
| """Finds mobile provisioning profile to use to sign bundle. |
| |
| Args: |
| bundle_identifier: the identifier of the bundle to sign. |
| |
| Returns: |
| The ProvisioningProfile object that can be used to sign the Bundle |
| object or None if no matching provisioning profile was found. |
| """ |
| provisioning_profile_paths = glob.glob( |
| os.path.join(GetProvisioningProfilesDir(), '*.mobileprovision')) |
| |
| # Iterate over all installed mobile provisioning profiles and filter those |
| # that can be used to sign the bundle, ignoring expired ones. |
| now = datetime.datetime.now() |
| valid_provisioning_profiles = [] |
| one_hour = datetime.timedelta(0, 3600) |
| for provisioning_profile_path in provisioning_profile_paths: |
| provisioning_profile = ProvisioningProfile(provisioning_profile_path) |
| if provisioning_profile.expiration_date - now < one_hour: |
| sys.stderr.write( |
| 'Warning: ignoring expired provisioning profile: %s.\n' % |
| provisioning_profile_path) |
| continue |
| if provisioning_profile.ValidToSignBundle(bundle_identifier): |
| valid_provisioning_profiles.append(provisioning_profile) |
| |
| if not valid_provisioning_profiles: |
| if required: |
| sys.stderr.write( |
| 'Error: no mobile provisioning profile found for "%s".\n' % |
| bundle_identifier) |
| sys.exit(1) |
| return None |
| |
| # Select the most specific mobile provisioning profile, i.e. the one with |
| # the longest application identifier pattern (prefer the one with the latest |
| # expiration date as a secondary criteria). |
| selected_provisioning_profile = max( |
| valid_provisioning_profiles, |
| key=lambda p: (len(p.application_identifier_pattern), p.expiration_date)) |
| |
| one_week = datetime.timedelta(7) |
| if selected_provisioning_profile.expiration_date - now < 2 * one_week: |
| sys.stderr.write( |
| 'Warning: selected provisioning profile will expire soon: %s' % |
| selected_provisioning_profile.path) |
| return selected_provisioning_profile |
| |
| |
| def CodeSignBundle(bundle_path, identity, extra_args): |
| process = subprocess.Popen(['xcrun', 'codesign', '--force', '--sign', |
| identity, '--timestamp=none'] + list(extra_args) + [bundle_path], |
| stderr=subprocess.PIPE) |
| _, stderr = process.communicate() |
| if process.returncode: |
| sys.stderr.write(stderr) |
| sys.exit(process.returncode) |
| for line in stderr.splitlines(): |
| if line.endswith(': replacing existing signature'): |
| # Ignore warning about replacing existing signature as this should only |
| # happen when re-signing system frameworks (and then it is expected). |
| continue |
| sys.stderr.write(line) |
| sys.stderr.write('\n') |
| |
| |
| def InstallSystemFramework(framework_path, bundle_path, args): |
| """Install framework from |framework_path| to |bundle| and code-re-sign it.""" |
| installed_framework_path = os.path.join( |
| bundle_path, 'Frameworks', os.path.basename(framework_path)) |
| |
| if os.path.exists(installed_framework_path): |
| shutil.rmtree(installed_framework_path) |
| |
| shutil.copytree(framework_path, installed_framework_path) |
| CodeSignBundle(installed_framework_path, args.identity, |
| ['--deep', '--preserve-metadata=identifier,entitlements']) |
| |
| |
| def GenerateEntitlements(path, provisioning_profile, bundle_identifier): |
| """Generates an entitlements file. |
| |
| Args: |
| path: path to the entitlements template file |
| provisioning_profile: ProvisioningProfile object to use, may be None |
| bundle_identifier: identifier of the bundle to sign. |
| """ |
| entitlements = Entitlements(path) |
| if provisioning_profile: |
| entitlements.LoadDefaults(provisioning_profile.entitlements) |
| app_identifier_prefix = provisioning_profile.team_identifier + '.' |
| else: |
| app_identifier_prefix = '*.' |
| entitlements.ExpandVariables({ |
| 'CFBundleIdentifier': bundle_identifier, |
| 'AppIdentifierPrefix': app_identifier_prefix, |
| }) |
| return entitlements |
| |
| |
| def GenerateBundleInfoPlist(bundle_path, plist_compiler, partial_plist): |
| """Generates the bundle Info.plist for a list of partial .plist files. |
| |
| Args: |
| bundle_path: path to the bundle |
| plist_compiler: string, path to the Info.plist compiler |
| partial_plist: list of path to partial .plist files to merge |
| """ |
| |
| # Filter empty partial .plist files (this happens if an application |
| # does not include need to compile any asset catalog, in which case |
| # the partial .plist file from the asset catalog compilation step is |
| # just a stamp file). |
| filtered_partial_plist = [] |
| for plist in partial_plist: |
| plist_size = os.stat(plist).st_size |
| if plist_size: |
| filtered_partial_plist.append(plist) |
| |
| # Invoke the plist_compiler script. It needs to be a python script. |
| subprocess.check_call([ |
| 'python', plist_compiler, 'merge', '-f', 'binary1', |
| '-o', os.path.join(bundle_path, 'Info.plist'), |
| ] + filtered_partial_plist) |
| |
| |
| class Action(object): |
| """Class implementing one action supported by the script.""" |
| |
| @classmethod |
| def Register(cls, subparsers): |
| parser = subparsers.add_parser(cls.name, help=cls.help) |
| parser.set_defaults(func=cls._Execute) |
| cls._Register(parser) |
| |
| |
| class CodeSignBundleAction(Action): |
| """Class implementing the code-sign-bundle action.""" |
| |
| name = 'code-sign-bundle' |
| help = 'perform code signature for a bundle' |
| |
| @staticmethod |
| def _Register(parser): |
| parser.add_argument( |
| '--entitlements', '-e', dest='entitlements_path', |
| help='path to the entitlements file to use') |
| parser.add_argument( |
| 'path', help='path to the iOS bundle to codesign') |
| parser.add_argument( |
| '--identity', '-i', required=True, |
| help='identity to use to codesign') |
| parser.add_argument( |
| '--binary', '-b', required=True, |
| help='path to the iOS bundle binary') |
| parser.add_argument( |
| '--framework', '-F', action='append', default=[], dest='frameworks', |
| help='install and resign system framework') |
| parser.add_argument( |
| '--disable-code-signature', action='store_true', dest='no_signature', |
| help='disable code signature') |
| parser.add_argument( |
| '--disable-embedded-mobileprovision', action='store_false', |
| default=True, dest='embedded_mobileprovision', |
| help='disable finding and embedding mobileprovision') |
| parser.add_argument( |
| '--platform', '-t', required=True, |
| help='platform the signed bundle is targeting') |
| parser.add_argument( |
| '--partial-info-plist', '-p', action='append', default=[], |
| help='path to partial Info.plist to merge to create bundle Info.plist') |
| parser.add_argument( |
| '--plist-compiler-path', '-P', action='store', |
| help='path to the plist compiler script (for --partial-info-plist)') |
| parser.set_defaults(no_signature=False) |
| |
| @staticmethod |
| def _Execute(args): |
| if not args.identity: |
| args.identity = '-' |
| |
| if args.partial_info_plist: |
| GenerateBundleInfoPlist( |
| args.path, |
| args.plist_compiler_path, |
| args.partial_info_plist) |
| |
| bundle = Bundle(args.path) |
| |
| # According to Apple documentation, the application binary must be the same |
| # as the bundle name without the .app suffix. See crbug.com/740476 for more |
| # information on what problem this can cause. |
| # |
| # To prevent this class of error, fail with an error if the binary name is |
| # incorrect in the Info.plist as it is not possible to update the value in |
| # Info.plist at this point (the file has been copied by a different target |
| # and ninja would consider the build dirty if it was updated). |
| # |
| # Also checks that the name of the bundle is correct too (does not cause the |
| # build to be considered dirty, but still terminate the script in case of an |
| # incorrect bundle name). |
| # |
| # Apple documentation is available at: |
| # https://developer.apple.com/library/content/documentation/CoreFoundation/Conceptual/CFBundles/BundleTypes/BundleTypes.html |
| bundle_name = os.path.splitext(os.path.basename(bundle.path))[0] |
| errors = bundle.Validate({ |
| 'CFBundleName': bundle_name, |
| 'CFBundleExecutable': bundle_name, |
| }) |
| if errors: |
| for key in sorted(errors): |
| value, expected_value = errors[key] |
| sys.stderr.write('%s: error: %s value incorrect: %s != %s\n' % ( |
| bundle.path, key, value, expected_value)) |
| sys.stderr.flush() |
| sys.exit(1) |
| |
| # Delete existing embedded mobile provisioning. |
| embedded_provisioning_profile = os.path.join( |
| bundle.path, 'embedded.mobileprovision') |
| if os.path.isfile(embedded_provisioning_profile): |
| os.unlink(embedded_provisioning_profile) |
| |
| # Delete existing code signature. |
| signature_file = os.path.join(args.path, '_CodeSignature', 'CodeResources') |
| if os.path.isfile(signature_file): |
| shutil.rmtree(os.path.dirname(signature_file)) |
| |
| # Install system frameworks if requested. |
| for framework_path in args.frameworks: |
| InstallSystemFramework(framework_path, args.path, args) |
| |
| # Copy main binary into bundle. |
| if os.path.isfile(bundle.binary_path): |
| os.unlink(bundle.binary_path) |
| shutil.copy(args.binary, bundle.binary_path) |
| |
| if args.no_signature: |
| return |
| |
| codesign_extra_args = [] |
| |
| if args.embedded_mobileprovision: |
| # Find mobile provisioning profile and embeds it into the bundle (if a |
| # code signing identify has been provided, fails if no valid mobile |
| # provisioning is found). |
| provisioning_profile_required = args.identity != '-' |
| provisioning_profile = FindProvisioningProfile( |
| bundle.identifier, provisioning_profile_required) |
| if provisioning_profile and args.platform != 'iphonesimulator': |
| provisioning_profile.Install(embedded_provisioning_profile) |
| |
| if args.entitlements_path is not None: |
| temporary_entitlements_file = \ |
| tempfile.NamedTemporaryFile(suffix='.xcent') |
| codesign_extra_args.extend( |
| ['--entitlements', temporary_entitlements_file.name]) |
| |
| entitlements = GenerateEntitlements( |
| args.entitlements_path, provisioning_profile, bundle.identifier) |
| entitlements.WriteTo(temporary_entitlements_file.name) |
| |
| CodeSignBundle(bundle.path, args.identity, codesign_extra_args) |
| |
| |
| class CodeSignFileAction(Action): |
| """Class implementing code signature for a single file.""" |
| |
| name = 'code-sign-file' |
| help = 'code-sign a single file' |
| |
| @staticmethod |
| def _Register(parser): |
| parser.add_argument( |
| 'path', help='path to the file to codesign') |
| parser.add_argument( |
| '--identity', '-i', required=True, |
| help='identity to use to codesign') |
| parser.add_argument( |
| '--output', '-o', |
| help='if specified copy the file to that location before signing it') |
| parser.set_defaults(sign=True) |
| |
| @staticmethod |
| def _Execute(args): |
| if not args.identity: |
| args.identity = '-' |
| |
| install_path = args.path |
| if args.output: |
| |
| if os.path.isfile(args.output): |
| os.unlink(args.output) |
| elif os.path.isdir(args.output): |
| shutil.rmtree(args.output) |
| |
| if os.path.isfile(args.path): |
| shutil.copy(args.path, args.output) |
| elif os.path.isdir(args.path): |
| shutil.copytree(args.path, args.output) |
| |
| install_path = args.output |
| |
| CodeSignBundle(install_path, args.identity, |
| ['--deep', '--preserve-metadata=identifier,entitlements']) |
| |
| |
| class GenerateEntitlementsAction(Action): |
| """Class implementing the generate-entitlements action.""" |
| |
| name = 'generate-entitlements' |
| help = 'generate entitlements file' |
| |
| @staticmethod |
| def _Register(parser): |
| parser.add_argument( |
| '--entitlements', '-e', dest='entitlements_path', |
| help='path to the entitlements file to use') |
| parser.add_argument( |
| 'path', help='path to the entitlements file to generate') |
| parser.add_argument( |
| '--info-plist', '-p', required=True, |
| help='path to the bundle Info.plist') |
| |
| @staticmethod |
| def _Execute(args): |
| info_plist = LoadPlistFile(args.info_plist) |
| bundle_identifier = info_plist['CFBundleIdentifier'] |
| provisioning_profile = FindProvisioningProfile(bundle_identifier, False) |
| entitlements = GenerateEntitlements( |
| args.entitlements_path, provisioning_profile, bundle_identifier) |
| entitlements.WriteTo(args.path) |
| |
| |
| def Main(): |
| parser = argparse.ArgumentParser('codesign iOS bundles') |
| parser.add_argument('--developer_dir', required=False, |
| help='Path to Xcode.') |
| subparsers = parser.add_subparsers() |
| |
| actions = [ |
| CodeSignBundleAction, |
| CodeSignFileAction, |
| GenerateEntitlementsAction, |
| ] |
| |
| for action in actions: |
| action.Register(subparsers) |
| |
| args = parser.parse_args() |
| if args.developer_dir: |
| os.environ['DEVELOPER_DIR'] = args.developer_dir |
| args.func(args) |
| |
| |
| if __name__ == '__main__': |
| sys.exit(Main()) |
