iOS,macOS: Add list of expected-unsigned binaries

This updates the codesigning test to account for iOS and macOS binaries in the artifact cache that are _expected_ to not be codesigned. In flutter/engine#54414 we started bundling dSYM (debugging symbols) within Flutter.xcframework, a requirement for App Store verification using Xcode 16. We did the same for macOS in flutter/engine#54696. Unlike the framework dylib, dSYM contents are not directly codesigned (though the xcframework containing them is). Issue: flutter#154571
cbracken · Sep 4, 2024 · bb7d645 · bb7d645
1 parent 4cf269e
commit bb7d645
Showing 1 changed file with 28 additions and 8 deletions.
diff --git a/dev/bots/suite_runners/run_verify_binaries_codesigned_tests.dart b/dev/bots/suite_runners/run_verify_binaries_codesigned_tests.dart
@@ -97,11 +97,9 @@ List<String> binariesWithoutEntitlements(String flutterRoot) {
     'artifacts/engine/ios-profile/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
     'artifacts/engine/ios-profile/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
     'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
-    'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
     'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
     'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
     'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
-    'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
     'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
     'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
     'artifacts/engine/ios/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
@@ -113,6 +111,21 @@ List<String> binariesWithoutEntitlements(String flutterRoot) {
   .map((String relativePath) => path.join(flutterRoot, 'bin', 'cache', relativePath)).toList();
 }
 
+/// Binaries that are not expected to be codesigned.
+///
+/// This list should be kept in sync with the actual contents of Flutter's cache.
+List<String> unsignedBinaries(String flutterRoot) {
+  return <String>[
+    'artifacts/engine/darwin-x64-release/FlutterMacOS.xcframework/macos-arm64_x86_64/dSYMs/FlutterMacOS.framework.dSYM/Contents/Resources/DWARF/FlutterMacOS',
+    'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
+    'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
+    'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
+    'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
+  ]
+  .map((String relativePath) => path.join(flutterRoot, 'bin', 'cache', relativePath)).toList();
+}
+
+
 /// xcframeworks that are expected to be codesigned.
 ///
 /// This list should be kept in sync with the actual contents of Flutter's
@@ -137,8 +150,8 @@ List<String> signedXcframeworks(String flutterRoot) {
 /// This function ignores code signatures and entitlements, and is intended to
 /// be run on every commit. It should throw if either new binaries are added
 /// to the cache or expected binaries removed. In either case, this class'
-/// [binariesWithEntitlements] or [binariesWithoutEntitlements] lists should
-/// be updated accordingly.
+/// [binariesWithEntitlements], [binariesWithoutEntitlements], and
+/// [unsignedBinaries] lists should be updated accordingly.
 Future<void> verifyExist(
   String flutterRoot,
   {@visibleForTesting ProcessManager processManager = const LocalProcessManager()
@@ -147,16 +160,18 @@ Future<void> verifyExist(
     path.join(flutterRoot, 'bin', 'cache'),
     processManager: processManager,
   );
-  final List<String> allExpectedFiles = binariesWithEntitlements(flutterRoot) + binariesWithoutEntitlements(flutterRoot);
+  final List<String> expectedSigned = binariesWithEntitlements(flutterRoot) + binariesWithoutEntitlements(flutterRoot);
+  final List<String> expectedUnsigned = unsignedBinaries(flutterRoot);
   final Set<String> foundFiles = <String>{
     for (final String binaryPath in binaryPaths)
-      if (allExpectedFiles.contains(binaryPath)) binaryPath
+      if (expectedSigned.contains(binaryPath)) binaryPath
+      else if (expectedUnsigned.contains(binaryPath)) binaryPath
       else throw Exception('Found unexpected binary in cache: $binaryPath'),
   };
 
-  if (foundFiles.length < allExpectedFiles.length) {
+  if (foundFiles.length < expectedSigned.length) {
     final List<String> unfoundFiles = <String>[
-      for (final String file in allExpectedFiles) if (!foundFiles.contains(file)) file,
+      for (final String file in expectedSigned) if (!foundFiles.contains(file)) file,
     ];
     print(
       'Expected binaries not found in cache:\n\n${unfoundFiles.join('\n')}\n\n'
@@ -196,6 +211,11 @@ Future<void> verifySignatures(
     if (signedXcframeworks(flutterRoot).contains(pathToCheck)) {
       verifySignature = true;
     }
+    if (unsignedBinaries(flutterRoot).contains(pathToCheck)) {
+      // Binary is expected to be unsigned. No need to check signature, entitlements.
+      continue;
+    }
+
     if (!verifySignature && !verifyEntitlements) {
       unexpectedFiles.add(pathToCheck);
       print('Unexpected binary or xcframework $pathToCheck found in cache!');