add test to verify binaries are signed on release branches (#50074)

105582ed · Christopher Fujino · GitHub · 1c15cd86 · 105582ed · 105582ed
Unverified Commit 105582ed authored Feb 05, 2020 by Christopher Fujino Committed by GitHub Feb 05, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 76 additions and 0 deletions

.cirrus.yml .cirrus.yml +9 -0

codesign.dart dev/bots/codesign.dart +67 -0

No files found.
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -652,6 +652,15 @@ task:
        - ulimit -S -n 2048 # https://github.com/flutter/flutter/issues/2976
        - ./dev/bots/deploy_gallery.sh
+    - name: verify_binaries_codesigned-macos # macos-only
+      # TODO(fujino): remove this `only_if` after https://github.com/flutter/flutter/issues/44372
+      only_if: "$CIRRUS_BRANCH == 'dev' || $CIRRUS_BRANCH == 'beta' || $CIRRUS_BRANCH == 'stable' || $CIRRUS_BRANCH =~ '.*hotfix.*'"
+      depends_on:
+        - analyze-linux
+      script:
+        - ulimit -S -n 2048 # https://github.com/flutter/flutter/issues/2976
+        - dart --enable-asserts ./dev/bots/codesign.dart
 docker_builder:
  # Only build a new docker image when we tag a release (for dev, beta, or
  # stable). Note: tagging a commit and pushing to a release branch are

--- a/dev/bots/codesign.dart
+++ b/dev/bots/codesign.dart
+// Copyright 2014 The Flutter Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+import 'dart:io';
+import 'package:path/path.dart' as path;
+String get cacheDirectory {
+  final String flutterRepoRoot = path.normalize(path.join(path.dirname(Platform.script.path), '..', '..'));
+  return path.normalize(path.join(flutterRepoRoot, 'bin', 'cache'));
+}
+bool isBinary(String filePath) {
+  final ProcessResult result = Process.runSync(
+    'file',
+    <String>[
+      '--mime-type',
+      '-b', // is binary
+      filePath,
+    ],
+  );
+  return (result.stdout as String).contains('application/x-mach-binary');
+}
+List<String> findBinaryPaths() {
+  final ProcessResult result = Process.runSync(
+    'find',
+    <String>[
+      cacheDirectory,
+      '-type',
+      'f',
+      '-perm',
+      '+111', // is executable
+    ],
+  );
+  final List<String> allFiles = (result.stdout as String).split('\n').where((String s) => s.isNotEmpty).toList();
+  return allFiles.where(isBinary).toList();
+}
+void main() {
+  final List<String> failures = <String>[];
+  for (final String binaryPath in findBinaryPaths()) {
+    print('Verifying the code signature of $binaryPath');
+    final ProcessResult result = Process.runSync(
+      'codesign',
+      <String>[
+        '-vvv',
+        binaryPath,
+      ],
+    );
+    if (result.exitCode != 0) {
+      failures.add(binaryPath);
+      print('File "$binaryPath" does not appear to be codesigned.\n'
+            'The `codesign` command failed with exit code ${result.exitCode}:\n'
+            '${result.stderr}\n');
+    }
+  }
+  if (failures.isNotEmpty) {
+    print('Found ${failures.length} unsigned binaries.');
+    failures.forEach(print);
+    exit(1);
+  }
+  print('Verified that binaries are codesigned.');
+}