[macOS] Code-signing native assets #148051
Comments
We should be code signing already: flutter/packages/flutter_tools/lib/src/isolated/native_assets/macos/native_assets.dart Line 307 in 607a3da
flutter/packages/flutter_tools/lib/src/isolated/native_assets/macos/native_assets.dart Line 345 in 607a3da
flutter/packages/flutter_tools/lib/src/isolated/native_assets/ios/native_assets.dart Line 234 in 607a3da
Are we missing a code path? Or are we using the wrong codesign ID? For my own reference: https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
@dcharkes, could it be that
It seems like it would be missing
So missing It is set in the build script in main target that embeds frameworks ( I don't know what the best fix for this is. Either we can try to get "Flutter Assemble" target to set the @dcharkes, any ideas?
Maybe there was no use of it before. I believe I've made some other PRs that thread some extra variables through in the past.
My gut feeling is that I'd rather do things in Dart than in
We have code for migrations, https://github.com/flutter/flutter/tree/master/packages/flutter_tools/lib/src/migrations, so that shouldn't be an issue. So if it's possible to forward the
We can do codesigning in Dart, I'm just not sure we can do it as a part of
Ah, we have multiple invocations of flutter/packages/flutter_tools/bin/macos_assemble.sh Lines 197 to 210 in c336c2a
And you're saying that Yeah, I'm not sure if it's worth invoking a dart script that only does code signing. Maybe migrating it to Dart when flutter/packages/flutter_tools/bin/macos_assemble.sh Lines 6 to 7 in c336c2a
is addressed is better. (The referenced xcode_backend.sh is already migrated to I wouldn't trust myself to write a loop over all files in a directory in a shell script to code sign em, but if you can please do! 👌 😆
Fixes #148051

Currently only the "embed" phase, which is run during the Runner target build, has access to the code-signing identity. The flutter assemble target, which does the main build (and also builds native assets), does not have access to the code-signing identity.

## Pre-launch Checklist

- [x] I read the [Contributor Guide] and followed the process outlined there for submitting PRs.
- [x] I read the [Tree Hygiene] wiki page, which explains my responsibilities.
- [x] I read and followed the [Flutter Style Guide], including [Features we expect every widget to implement].
- [x] I signed the [CLA].
- [x] I listed at least one issue that this PR fixes in the description above.
- [x] I updated/added relevant documentation (doc comments with `///`).
- [x] I added new tests to check the change I am making, or this PR is [test-exempt].
- [x] I followed the [breaking change policy] and added [Data Driven Fixes] where supported.
- [x] All existing and new tests are passing.

If you need help, consider asking for advice on the #hackers-new channel on [Discord].

<!-- Links -->
[Contributor Guide]: https://github.com/flutter/flutter/wiki/Tree-hygiene#overview
[Tree Hygiene]: https://github.com/flutter/flutter/wiki/Tree-hygiene
[test-exempt]: https://github.com/flutter/flutter/wiki/Tree-hygiene#tests
[Flutter Style Guide]: https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo
[Features we expect every widget to implement]: https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo#features-we-expect-every-widget-to-implement
[CLA]: https://cla.developers.google.com/
[flutter/tests]: https://github.com/flutter/tests
[breaking change policy]: https://github.com/flutter/flutter/wiki/Tree-hygiene#handling-breaking-changes
[Discord]: https://github.com/flutter/flutter/wiki/Chat
[Data Driven Fixes]: https://github.com/flutter/flutter/wiki/Data-driven-Fixes
This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of
Currently App.framework and FlutterMacOS.framework are codesigned in `macos_assemble.sh`:

flutter/packages/flutter_tools/bin/macos_assemble.sh Lines 180 to 183 in 607a3da
I think the same thing should be done for native assets, otherwise they keep the adhoc signature, which fails to load at runtime with SIP enabled:
(not sure if this is also relevant for iOS, but if the codesigning is part of assemble it might)
cc @dcharkes
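
A build-step check for the situation described in this issue, as an added example that is not part of the original thread or Flutter's own tooling: it lists native assets that still carry an ad-hoc signature and re-signs them with a supplied identity. The directory layout (frameworks or dylibs directly inside one directory), the function names, and the `CODESIGN` override are assumptions.

```shell
#!/bin/sh
# Added example, not Flutter tooling. CODESIGN is overridable for testing.
CODESIGN="${CODESIGN:-codesign}"

# Succeeds if the binary or bundle at $1 carries only an ad-hoc signature.
# `codesign -dv` writes its report to stderr; ad-hoc shows "Signature=adhoc".
is_adhoc() {
  "$CODESIGN" -dv "$1" 2>&1 | grep -q '^Signature=adhoc'
}

# Prints each *.framework / *.dylib directly inside directory $1 that is
# ad-hoc signed. Quoted globs keep paths with spaces intact.
list_adhoc_assets() {
  for asset in "$1"/*.framework "$1"/*.dylib; do
    [ -e "$asset" ] || continue   # pattern matched nothing
    if is_adhoc "$asset"; then
      printf '%s\n' "$asset"
    fi
  done
}

# Re-signs each ad-hoc asset in directory $1 with identity $2 and re-checks it.
# An empty identity or "-" (codesign's ad-hoc identity) is rejected, since
# signing with it would leave the asset ad-hoc.
resign_adhoc_assets() {
  dir=$1
  identity=$2
  failed=0
  if [ -z "$identity" ] || [ "$identity" = "-" ]; then
    echo "error: no real code-signing identity supplied" >&2
    return 2
  fi
  for asset in "$dir"/*.framework "$dir"/*.dylib; do
    [ -e "$asset" ] || continue
    is_adhoc "$asset" || continue
    "$CODESIGN" --force --sign "$identity" "$asset" || failed=1
    if is_adhoc "$asset"; then
      echo "still ad-hoc after signing: $asset" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Stand-alone use: sh resign.sh <assets-dir> <identity>
if [ "$#" -eq 2 ]; then
  resign_adhoc_assets "$1" "$2"
fi
```

Failing the build when the identity is empty surfaces a missing identity in the build step at build time rather than as a load failure at runtime.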