[macOS] codesign native assets during embed #148310
It looks like this pull request may not have tests. Please make sure to add tests before merging. If you need an exemption to this rule, contact "@test-exemption-reviewer" in the #hackers channel in Chat (don't just cc them here, they won't see it! Use Discord!). If you are not sure if you need tests, consider this rule of thumb: the purpose of a test is to make sure someone doesn't accidentally revert the fix. Ask yourself, is there anything in your PR that you feel it is important we not accidentally revert back to how it was before your fix? Reviewers: Read the Tree Hygiene page and make sure this patch meets those guidelines before LGTMing.
@dcharkes, any idea if this is testable (and how)? Also this PR leaves all the dart codesigning paths unchanged. Those are not really used (the code-signing identity define is never set).
We can only test this with an integration test. A test that actually runs flutter/packages/flutter_tools/test/integration.shard/isolated/native_assets_test.dart Line 285 in cb656c2
We should probably use some kind of commandline tool to inspect what signature the dylib is signed with and check that it's the right one (or the same one as the flutter framework).
The problem here is that the dylibs are already codesigned through a) the codesigning is performed twice (second time actual identity replacing the first signature), Possible option would be to disable codesigning of macOS native assets in code and only do it in the script, in which case we should be able to verify the signature in tests.
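The check discussed in the two comments above (inspecting which signature a dylib carries, and telling an ad-hoc signature from one made with the actual identity), as an added example that is not code from this pull request. It parses the text that `codesign -d -vv` prints; the sample outputs, paths and signer names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed samples of `codesign -d -vv` output (not captured from a real build).
ADHOC_SAMPLE='Executable=/tmp/Example.app/Contents/Frameworks/libexample.dylib
Identifier=libexample
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=8+0 location=embedded
Signature=adhoc
TeamIdentifier=not set'
SIGNED_SAMPLE='Executable=/tmp/Example.app/Contents/Frameworks/libexample.dylib
Identifier=libexample
Authority=Apple Development: Example Dev (AAAAAAAAAA)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZZZZZZ'
# Reference binary (stands in for the app's framework), same constructed signer.
REFERENCE_SAMPLE='Identifier=com.example.Framework
Authority=Apple Development: Example Dev (AAAAAAAAAA)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZZZZZZ'

# Classify codesign output on stdin: adhoc, identity, unsigned or unknown.
signature_kind() {
  awk '/^Signature=adhoc$/ { kind = "adhoc" }
       /^Authority=/ { if (kind == "") kind = "identity" }
       /code object is not signed at all/ { kind = "unsigned" }
       END { print (kind == "" ? "unknown" : kind) }'
}

# Print "<leaf authority>|<team id>" for codesign output on stdin.
signer() {
  awk -F= '/^Authority=/ && leaf == "" { leaf = $2 }
           /^TeamIdentifier=/ { team = $2 }
           END { print leaf "|" team }'
}

# Succeed only if $1 has a real identity and the same signer as reference $2.
same_signer() {
  [ "$(printf '%s\n' "$1" | signature_kind)" = identity ] || return 1
  [ "$(printf '%s\n' "$1" | signer)" = "$(printf '%s\n' "$2" | signer)" ]
}

# On macOS, codesign writes this description to stderr, hence 2>&1.
describe() { codesign -d -vv "$1" 2>&1; }

for s in "$ADHOC_SAMPLE" "$SIGNED_SAMPLE"; do
  printf '%s\n' "$s" | signature_kind
done
same_signer "$SIGNED_SAMPLE" "$REFERENCE_SAMPLE" && echo "dylib matches reference signer"
```

On a Mac, `same_signer "$(describe path/to/lib.dylib)" "$(describe path/to/Reference.framework)"` applies the same comparison to real build output; a dylib left with only the ad-hoc signature fails it.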
The annoying part about this is that this diverges the macOS / iOS implementation even further. On iOS codesigning through code should work, since it's part of the Runner target and thus has access to identity. @jmagman, do you know why on macOS Flutter assemble is handled as a separate Xcode target? It would be much easier if everything was handled in the Runner target, but pragmatically, even if doable, that'd be a pretty big change and just the migration itself would likely require some significant Xcode project surgery.
@dcharkes, I disabled adhoc code-signing of macOS dylib in dart code ( Note that as far as I can tell there is currently no way to provide code-signing identity in a way that would reach
I totally agree, the divergence has been completely annoying and added so much work over the years.
👍 The test is failing on the CI atm.
@dcharkes, the tests are passing now.
LGTM!
Thanks @knopp! 🙏
Fixes #148051
Currently only the "embed" phase, which is run during the Runner target build, has access to the code-signing identity. The flutter assemble target, which does the main build (and also builds native assets), does not have access to the code-signing identity.