[macOS] Code-signing native assets #148051

knopp · 2024-05-09T11:33:08Z

Currently App.framework and FlutterMacOS.framework are codesigned in macos_assemble.sh:

flutter/packages/flutter_tools/bin/macos_assemble.sh

Lines 180 to 183 in 607a3da

    
           if [[ -n "${EXPANDED_CODE_SIGN_IDENTITY:-}" ]]; then 
        
             RunCommand codesign --force --verbose --sign "${EXPANDED_CODE_SIGN_IDENTITY}" -- "${xcode_frameworks_dir}/App.framework/App" 
        
             RunCommand codesign --force --verbose --sign "${EXPANDED_CODE_SIGN_IDENTITY}" -- "${xcode_frameworks_dir}/FlutterMacOS.framework/FlutterMacOS" 
        
           fi

I think same thing should be done for native assets, otherwise they keep the adhoc signature, which fails to load at runtime with SIP enabled:

`.../native_regex_pcre2.framework/Versions/A/native_regex_pcre2` not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs)

(not sure if this is also relevant for iOS, but if the codesigning is part of assemble it might)

cc @dcharkes

The text was updated successfully, but these errors were encountered:

dcharkes · 2024-05-09T13:26:23Z

We should be code signing already:

flutter/packages/flutter_tools/lib/src/isolated/native_assets/macos/native_assets.dart

Line 307 in 607a3da

await codesignDylib(codesignIdentity, buildMode, frameworkDir);

flutter/packages/flutter_tools/lib/src/isolated/native_assets/macos/native_assets.dart

Line 345 in 607a3da

await codesignDylib(codesignIdentity, buildMode, dylibFile);

flutter/packages/flutter_tools/lib/src/isolated/native_assets/ios/native_assets.dart

Line 234 in 607a3da

await codesignDylib(codesignIdentity, buildMode, frameworkDir);

Are we missing a code path? Or are we using the wrong codesign ID?

For my own reference: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection

knopp · 2024-05-09T13:41:43Z

@dcharkes, could it be that kCodesignIdentity is not set properly in Environment? I had a brief look but I couldn't find where it is set. It should match EXPANDED_CODE_SIGN_IDENTITY from env but maybe it doesn't.

knopp · 2024-05-09T18:37:44Z

It seems like it would be missing "-dCodesignIdentity=${EXPANDED_CODE_SIGN_IDENTITY}" inside macos_assemble.sh, but for some reason it still doesn't codesign.

knopp · 2024-05-09T19:04:59Z

So missing -dCodesignIdentity when invoking flutter assemble is a part of the problem. But there is another one - the macos_assembe.sh script, the part where the native assets and rest of the app are being build, is executed from a separate XCode target (Flutter Assemble), which doesn't seem to have access to the codesign identity of the application main target. I'm not sure why, but the EXPANDED_CODE_SIGN_IDENTITY variable is not set in the build script.

It is set in the build script in main target that embeds frameworks (macos_assemble.sh embed), that's why code signing of App.framework and FlutterMacOS.framework works.

I don't know what the best fix for this is. Either we can try to get "Flutter Assemble" target to set the EXPANDED_CODE_SIGN_IDENTITY variable for the buildscript (might require project migration, if even possible), or we can codesign all native assets inside macos_assemble.sh EmbedFrameworks, where we have access to EXPANDED_CODE_SIGN_IDENTITY.

@dcharkes, any ideas?

dcharkes · 2024-05-13T07:26:53Z

I'm not sure why, but the EXPANDED_CODE_SIGN_IDENTITY variable is not set in the build script.

Maybe there was no use of it before. I believe I've made some other PRs that thread some extra variables through in the past.

I don't know what the best fix for this is. Either we can try to get "Flutter Assemble" target to set the EXPANDED_CODE_SIGN_IDENTITY variable for the buildscript (might require project migration, if even possible), or we can codesign all native assets inside macos_assemble.sh EmbedFrameworks, where we have access to EXPANDED_CODE_SIGN_IDENTITY.

My gut feeling is that I'd rather do things in Dart than in .sh. @vashworth and @jmagman any preferences?

might require project migration

We have code for migrations, https://github.com/flutter/flutter/tree/master/packages/flutter_tools/lib/src/migrations, so that shouldn't be an issue.

So if it's possible to forward the EXPANDED_CODE_SIGN_IDENTITY that would be best.

knopp · 2024-05-13T07:35:43Z

We can do codesigning in Dart, I'm just not sure we can do it as a part of Flutter Assemble. I didn't find any way to specify code signing information for aggregate targets (Flutter Assemble). We can still do it macos_assemble.sh embed from the Runner target, but it would have to be separate step in the Dart code.

dcharkes · 2024-05-13T07:56:46Z

Ah, we have multiple invocations of macos_assemble.sh:

flutter/packages/flutter_tools/bin/macos_assemble.sh

Lines 197 to 210 in c336c2a

    
           # Main entry point. 
        
           if [[ $# == 0 ]]; then 
        
             # Unnamed entry point defaults to build. 
        
             BuildApp 
        
           else 
        
             case $1 in 
        
               "build") 
        
                 BuildApp ;; 
        
               "embed") 
        
                 EmbedFrameworks ;; 
        
               "prepare") 
        
                 PrepareFramework ;; 
        
             esac 
        
           fi

And you're saying that EXPANDED_CODE_SIGN_IDENTITY is only available in the embed phase.

Yeah, I'm not sure if it's worth invoking a dart script that only does code signing.

Maybe migrating it to Dart when

flutter/packages/flutter_tools/bin/macos_assemble.sh

Lines 6 to 7 in c336c2a

    
           # TODO(zanderso): refactor this and xcode_backend.sh into one script 
        
           # once iOS is using 'assemble'.

is addressed is better. (The referenced xcode_backend.sh is already migrated to .dart.)

I wouldn't trust myself to write a loop over all files in a directory in a shell script to code sign em, but if you can please do! 👌 😆

Fixes #148051 Currently only the "embed" phase, which is run during the Runner target build have access to code-signing identity. The flutter assemble target, which does the main build (and also builds native assets) does not have access to the code-signing identity. ## Pre-launch Checklist - [x] I read the [Contributor Guide] and followed the process outlined there for submitting PRs. - [x] I read the [Tree Hygiene] wiki page, which explains my responsibilities. - [x] I read and followed the [Flutter Style Guide], including [Features we expect every widget to implement]. - [x] I signed the [CLA]. - [x] I listed at least one issue that this PR fixes in the description above. - [x] I updated/added relevant documentation (doc comments with `///`). - [x] I added new tests to check the change I am making, or this PR is [test-exempt]. - [x] I followed the [breaking change policy] and added [Data Driven Fixes] where supported. - [x] All existing and new tests are passing. If you need help, consider asking for advice on the #hackers-new channel on [Discord].  [Contributor Guide]: https://github.com/flutter/flutter/wiki/Tree-hygiene#overview [Tree Hygiene]: https://github.com/flutter/flutter/wiki/Tree-hygiene [test-exempt]: https://github.com/flutter/flutter/wiki/Tree-hygiene#tests [Flutter Style Guide]: https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo [Features we expect every widget to implement]: https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo#features-we-expect-every-widget-to-implement [CLA]: https://cla.developers.google.com/ [flutter/tests]: https://github.com/flutter/tests [breaking change policy]: https://github.com/flutter/flutter/wiki/Tree-hygiene#handling-breaking-changes [Discord]: https://github.com/flutter/flutter/wiki/Chat [Data Driven Fixes]: https://github.com/flutter/flutter/wiki/Data-driven-Fixes

Fixes flutter#148051 Currently only the "embed" phase, which is run during the Runner target build have access to code-signing identity. The flutter assemble target, which does the main build (and also builds native assets) does not have access to the code-signing identity. ## Pre-launch Checklist - [x] I read the [Contributor Guide] and followed the process outlined there for submitting PRs. - [x] I read the [Tree Hygiene] wiki page, which explains my responsibilities. - [x] I read and followed the [Flutter Style Guide], including [Features we expect every widget to implement]. - [x] I signed the [CLA]. - [x] I listed at least one issue that this PR fixes in the description above. - [x] I updated/added relevant documentation (doc comments with `///`). - [x] I added new tests to check the change I am making, or this PR is [test-exempt]. - [x] I followed the [breaking change policy] and added [Data Driven Fixes] where supported. - [x] All existing and new tests are passing. If you need help, consider asking for advice on the #hackers-new channel on [Discord].  [Contributor Guide]: https://github.com/flutter/flutter/wiki/Tree-hygiene#overview [Tree Hygiene]: https://github.com/flutter/flutter/wiki/Tree-hygiene [test-exempt]: https://github.com/flutter/flutter/wiki/Tree-hygiene#tests [Flutter Style Guide]: https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo [Features we expect every widget to implement]: https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo#features-we-expect-every-widget-to-implement [CLA]: https://cla.developers.google.com/ [flutter/tests]: https://github.com/flutter/tests [breaking change policy]: https://github.com/flutter/flutter/wiki/Tree-hygiene#handling-breaking-changes [Discord]: https://github.com/flutter/flutter/wiki/Chat [Data Driven Fixes]: https://github.com/flutter/flutter/wiki/Data-driven-Fixes

github-actions · 2024-05-31T07:01:04Z

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.

dcharkes mentioned this issue May 9, 2024

☂️ Native assets support #129757

Open

19 tasks

knopp mentioned this issue May 14, 2024

[macOS] codesign native assets during embed #148310

Merged

9 tasks

andrewkolos added P2 Important issues not at the top of the work list triaged-tool Triaged by Flutter Tool team labels May 14, 2024

andrewkolos assigned andrewkolos and knopp and unassigned andrewkolos May 14, 2024

knopp closed this as completed in #148310 May 16, 2024

danagbemava-nc added the r: fixed Issue is closed as already fixed in a newer version label May 17, 2024

github-actions bot locked as resolved and limited conversation to collaborators May 31, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[macOS] Code-signing native assets #148051

[macOS] Code-signing native assets #148051

knopp commented May 9, 2024

dcharkes commented May 9, 2024 •

edited

knopp commented May 9, 2024

knopp commented May 9, 2024

knopp commented May 9, 2024 •

edited

dcharkes commented May 13, 2024

knopp commented May 13, 2024

dcharkes commented May 13, 2024

github-actions bot commented May 31, 2024

[macOS] Code-signing native assets #148051

[macOS] Code-signing native assets #148051

Comments

knopp commented May 9, 2024

dcharkes commented May 9, 2024 • edited

knopp commented May 9, 2024

knopp commented May 9, 2024

knopp commented May 9, 2024 • edited

dcharkes commented May 13, 2024

knopp commented May 13, 2024

dcharkes commented May 13, 2024

github-actions bot commented May 31, 2024

dcharkes commented May 9, 2024 •

edited

knopp commented May 9, 2024 •

edited