diff --git a/dev/bots/suite_runners/run_verify_binaries_codesigned_tests.dart b/dev/bots/suite_runners/run_verify_binaries_codesigned_tests.dart
index 3cd0c035ace26..9c07cf07a5eb0 100644
--- a/dev/bots/suite_runners/run_verify_binaries_codesigned_tests.dart
+++ b/dev/bots/suite_runners/run_verify_binaries_codesigned_tests.dart
@@ -97,11 +97,9 @@ List binariesWithoutEntitlements(String flutterRoot) {
 'artifacts/engine/ios-profile/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
 'artifacts/engine/ios-profile/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
 'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
- 'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
 'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
 'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
 'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
- 'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
 'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
 'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
 'artifacts/engine/ios/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
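Review bot: The two `ios-arm64_x86_64-simulator/dSYMs/...` paths kept as context in this hunk stay in `binariesWithoutEntitlements`, yet the `unsignedBinaries` list added in the next hunk names the same two paths. In `verifySignatures` (last hunk) the new `continue` runs for anything in `unsignedBinaries`, so for these paths the signature check is skipped even though they are still listed as expected-signed; the code that sets the flag for `binariesWithoutEntitlements` is outside the hunk, so this is inferred from the visible order. A path should appear in exactly one list: either delete the two simulator dSYM lines here as well, or drop them from `unsignedBinaries` if they do ship signed.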
@@ -113,6 +111,21 @@ List binariesWithoutEntitlements(String flutterRoot) {
 .map((String relativePath) => path.join(flutterRoot, 'bin', 'cache', relativePath)).toList();
 }
 
+/// Binaries that are not expected to be codesigned.
+///
+/// This list should be kept in sync with the actual contents of Flutter's cache.
+List unsignedBinaries(String flutterRoot) {
+ return [
+ 'artifacts/engine/darwin-x64-release/FlutterMacOS.xcframework/macos-arm64_x86_64/dSYMs/FlutterMacOS.framework.dSYM/Contents/Resources/DWARF/FlutterMacOS',
+ 'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
+ 'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
+ 'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
+ 'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/dSYMs/Flutter.framework.dSYM/Contents/Resources/DWARF/Flutter',
+ ]
+ .map((String relativePath) => path.join(flutterRoot, 'bin', 'cache', relativePath)).toList();
+}
+
+
 /// xcframeworks that are expected to be codesigned.
 ///
 /// This list should be kept in sync with the actual contents of Flutter's
@@ -137,8 +150,8 @@ List signedXcframeworks(String flutterRoot) {
 /// This function ignores code signatures and entitlements, and is intended to
 /// be run on every commit. It should throw if either new binaries are added
 /// to the cache or expected binaries removed. In either case, this class'
-/// [binariesWithEntitlements] or [binariesWithoutEntitlements] lists should
-/// be updated accordingly.
+/// [binariesWithEntitlements], [binariesWithoutEntitlements], and
+/// [unsignedBinaries] lists should be updated accordingly.
 Future verifyExist(
 String flutterRoot,
 {@visibleForTesting ProcessManager processManager = const LocalProcessManager()
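Review bot: The doc comment on `unsignedBinaries` does not say that every path listed is exempt from the signature and entitlement checks in `verifySignatures`, which makes this an exemption list rather than a plain inventory. Every entry visible here is a `dSYMs/.../DWARF/` debug-symbol file, so the comment could state that scope, for example `/// Paths listed here are skipped by [verifySignatures]; keep this to dSYM debug symbols and review any other addition.`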
@@ -147,16 +160,18 @@ Future verifyExist(
 path.join(flutterRoot, 'bin', 'cache'),
 processManager: processManager,
 );
- final List allExpectedFiles = binariesWithEntitlements(flutterRoot) + binariesWithoutEntitlements(flutterRoot);
+ final List expectedSigned = binariesWithEntitlements(flutterRoot) + binariesWithoutEntitlements(flutterRoot);
+ final List expectedUnsigned = unsignedBinaries(flutterRoot);
 final Set foundFiles = {
 for (final String binaryPath in binaryPaths)
- if (allExpectedFiles.contains(binaryPath)) binaryPath
+ if (expectedSigned.contains(binaryPath)) binaryPath
+ else if (expectedUnsigned.contains(binaryPath)) binaryPath
 else throw Exception('Found unexpected binary in cache: $binaryPath'),
 };
 
- if (foundFiles.length < allExpectedFiles.length) {
+ if (foundFiles.length < expectedSigned.length) {
 final List unfoundFiles = [
- for (final String file in allExpectedFiles) if (!foundFiles.contains(file)) file,
+ for (final String file in expectedSigned) if (!foundFiles.contains(file)) file,
 ];
 print(
 'Expected binaries not found in cache:\n\n${unfoundFiles.join('\n')}\n\n'
@@ -196,6 +211,11 @@ Future verifySignatures(
 if (signedXcframeworks(flutterRoot).contains(pathToCheck)) {
 verifySignature = true;
 }
+ if (unsignedBinaries(flutterRoot).contains(pathToCheck)) {
+ // Binary is expected to be unsigned. No need to check signature, entitlements.
+ continue;
+ }
+
 if (!verifySignature && !verifyEntitlements) {
 unexpectedFiles.add(pathToCheck);
 print('Unexpected binary or xcframework $pathToCheck found in cache!');
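Review bot: The missing-binary check in `verifyExist` can now be masked, because `foundFiles` collects matches from both `expectedSigned` and `expectedUnsigned` while its length is compared only with `expectedSigned.length`. Each unsigned-only binary present in the cache offsets one signed binary that is absent, so the "Expected binaries not found" branch may not run when a signed artifact has disappeared. Testing membership instead of counts avoids this, e.g. `if (!foundFiles.containsAll(expectedSigned)) {`. A missing entry from `unsignedBinaries` is also never reported, which sits oddly with the doc comment's "expected binaries removed"; if that is intended, a one-line comment should say so. The body of `verifyExist` continues outside the hunk.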