Add entitlement checks to codesigning test (#52919)

8001abec · Jenn Magder · GitHub · 284e3bad · 8001abec
Unverified Commit 8001abec authored Mar 20, 2020 by Jenn Magder Committed by GitHub Mar 20, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 93 additions and 11 deletions

codesign.dart dev/bots/codesign.dart +93 -11

No files found.
--- a/dev/bots/codesign.dart
+++ b/dev/bots/codesign.dart
@@ -61,9 +61,74 @@ bool checkCacheIsCurrent() {
  }
 }

-void main() {
-  final List<String> failures = <String>[];
+List<String> get binariesWithEntitlements => List<String>.unmodifiable(<String>[
+  'idevice_id',
+  'ideviceinfo',
+  'idevicename',
+  'idevicescreenshot',
+  'idevicesyslog',
+  'libimobiledevice.6.dylib',
+  'ideviceinstaller',
+  'libplist.3.dylib',
+  'iproxy',
+  'libusbmuxd.4.dylib',
+  'libssl.1.0.0.dylib',
+  'libcrypto.1.0.0.dylib',
+  'libzip.5.0.dylib',
+  'libzip.5.dylib',
+  'gen_snapshot',
+  'dart',
+  'flutter_tester',
+  'gen_snapshot_arm64',
+  'gen_snapshot_armv7',
+]);
+
+List<String> get expectedEntitlements => List<String>.unmodifiable(<String>[
+  'com.apple.security.cs.allow-jit',
+  'com.apple.security.cs.allow-unsigned-executable-memory',
+  'com.apple.security.cs.allow-dyld-environment-variables',
+  'com.apple.security.network.client',
+  'com.apple.security.network.server',
+  'com.apple.security.cs.disable-library-validation',
+]);
+
+
+/// Check if the binary has the expected entitlements.
+bool hasExpectedEntitlements(String binaryPath) {
+  try {
+    final ProcessResult entitlementResult = Process.runSync(
+      'codesign',
+      <String>[
+        '--display',
+        '--entitlements',
+        ':-',
+        binaryPath,
+      ],
+    );
+
+    if (entitlementResult.exitCode != 0) {
+      print('The `codesign --entitlements` command failed with exit code ${entitlementResult.exitCode}:\n'
+        '${entitlementResult.stderr}\n');
+      return false;
+    }

+    bool passes = true;
+    final String output = entitlementResult.stdout as String;
+    for (final String entitlement in expectedEntitlements) {
+      final bool entitlementExpected = binariesWithEntitlements.contains(path.basename(binaryPath));
+      if (output.contains(entitlement) != entitlementExpected) {
+        print('File "$binaryPath" ${entitlementExpected ? 'does not have expected' : 'has unexpected'} entitlement $entitlement.');
+        passes = false;
+      }
+    }
+    return passes;
+  } catch (e) {
+    print(e);
+    return false;
+  }
+}
+
+void main() {
  if (!Platform.isMacOS) {
    print('Error! Expected operating system "macos", actual operating system '
      'is: "${Platform.operatingSystem}"');
@@ -78,28 +143,45 @@ void main() {
    exit(1);
  }

+  final List<String> unsignedBinaries = <String>[];
+  final List<String> wrongEntitlementBinaries = <String>[];
  for (final String binaryPath in findBinaryPaths(cacheDirectory)) {
    print('Verifying the code signature of $binaryPath');
-    final ProcessResult result = Process.runSync(
+    final ProcessResult codeSignResult = Process.runSync(
      'codesign',
      <String>[
        '-vvv',
        binaryPath,
      ],
    );
-    if (result.exitCode != 0) {
-      failures.add(binaryPath);
+    if (codeSignResult.exitCode != 0) {
+      unsignedBinaries.add(binaryPath);
      print('File "$binaryPath" does not appear to be codesigned.\n'
-            'The `codesign` command failed with exit code ${result.exitCode}:\n'
-            '${result.stderr}\n');
+            'The `codesign` command failed with exit code ${codeSignResult.exitCode}:\n'
+            '${codeSignResult.stderr}\n');
+      continue;
+    } else {
+      print('Verifying entitlements of $binaryPath');
+      if (!hasExpectedEntitlements(binaryPath)) {
+        wrongEntitlementBinaries.add(binaryPath);
+      }
    }
  }

-  if (failures.isNotEmpty) {
-    print('Found ${failures.length} unsigned binaries.');
-    failures.forEach(print);
+  if (unsignedBinaries.isNotEmpty) {
+    print('Found ${unsignedBinaries.length} unsigned binaries:');
+    unsignedBinaries.forEach(print);
+  }
+
+  if (wrongEntitlementBinaries.isNotEmpty) {
+    print('Found ${wrongEntitlementBinaries.length} binaries with unexpected entitlements:');
+    wrongEntitlementBinaries.forEach(print);
+  }
+
+  if (unsignedBinaries.isNotEmpty) {
+    // TODO(jmagman): Also exit if `wrongEntitlementBinaries.isNotEmpty` after https://github.com/flutter/flutter/issues/46704 is done.
    exit(1);
  }

-  print('Verified that binaries are codesigned.');
+  print('Verified that binaries are codesigned and have expected entitlements.');
 }