// Copyright 2014 The Flutter Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
import 'dart:io';
import 'package:path/path.dart' as path;
String get repoRoot => path.normalize(path.join(path.dirname(Platform.script.toFilePath()), '..', '..'));
String get cacheDirectory => path.normalize(path.join(repoRoot, 'bin', 'cache'));
/// Check mime-type of file at [filePath] to determine if it is binary
bool isBinary(String filePath) {
final ProcessResult result = Process.runSync(
'file',
<String>[
'--mime-type',
'-b', // is binary
filePath,
],
);
return (result.stdout as String).contains('application/x-mach-binary');
}
/// Find every binary file in the given [rootDirectory]
List<String> findBinaryPaths([String rootDirectory]) {
rootDirectory ??= cacheDirectory;
final ProcessResult result = Process.runSync(
'find',
<String>[
rootDirectory,
'-type',
'f',
'-perm',
'+111', // is executable
],
);
final List<String> allFiles = (result.stdout as String).split('\n').where((String s) => s.isNotEmpty).toList();
return allFiles.where(isBinary).toList();
}
/// Given the path to a stamp file, read the contents.
///
/// Will throw if the file doesn't exist.
String readStamp(String filePath) {
final File file = File(filePath);
if (!file.existsSync()) {
throw 'Error! Stamp file $filePath does not exist!';
}
return file.readAsStringSync().trim();
}
/// Return whether or not the flutter cache is up to date.
bool checkCacheIsCurrent() {
try {
final String dartSdkStamp = readStamp(path.join(cacheDirectory, 'engine-dart-sdk.stamp'));
final String engineVersion = readStamp(path.join(repoRoot, 'bin', 'internal', 'engine.version'));
return dartSdkStamp == engineVersion;
} catch (e) {
print(e);
return false;
}
}
List<String> get binariesWithEntitlements => List<String>.unmodifiable(<String>[
'ideviceinfo',
'idevicename',
'idevicescreenshot',
'idevicesyslog',
'libimobiledevice.6.dylib',
'libplist.3.dylib',
'iproxy',
'libusbmuxd.4.dylib',
'libssl.1.0.0.dylib',
'libcrypto.1.0.0.dylib',
'libzip.5.0.dylib',
'libzip.5.dylib',
'gen_snapshot',
'dart',
'flutter_tester',
'gen_snapshot_arm64',
'gen_snapshot_armv7',
]);
List<String> get expectedEntitlements => List<String>.unmodifiable(<String>[
'com.apple.security.cs.allow-jit',
'com.apple.security.cs.allow-unsigned-executable-memory',
'com.apple.security.cs.allow-dyld-environment-variables',
'com.apple.security.network.client',
'com.apple.security.network.server',
'com.apple.security.cs.disable-library-validation',
]);
/// Check if the binary has the expected entitlements.
bool hasExpectedEntitlements(String binaryPath) {
try {
final ProcessResult entitlementResult = Process.runSync(
'codesign',
<String>[
'--display',
'--entitlements',
':-',
binaryPath,
],
);
if (entitlementResult.exitCode != 0) {
print('The `codesign --entitlements` command failed with exit code ${entitlementResult.exitCode}:\n'
'${entitlementResult.stderr}\n');
return false;
}
bool passes = true;
final String output = entitlementResult.stdout as String;
for (final String entitlement in expectedEntitlements) {
final bool entitlementExpected = binariesWithEntitlements.contains(path.basename(binaryPath));
if (output.contains(entitlement) != entitlementExpected) {
print('File "$binaryPath" ${entitlementExpected ? 'does not have expected' : 'has unexpected'} entitlement $entitlement.');
passes = false;
}
}
return passes;
} catch (e) {
print(e);
return false;
}
}
void main() {
if (!Platform.isMacOS) {
print('Error! Expected operating system "macos", actual operating system '
'is: "${Platform.operatingSystem}"');
exit(1);
}
if (!checkCacheIsCurrent()) {
print(
'Warning! Your cache is either not present or not matching your flutter\n'
'version. Run a `flutter` command to update your cache, and re-try this\n'
'test.');
exit(1);
}
final List<String> unsignedBinaries = <String>[];
final List<String> wrongEntitlementBinaries = <String>[];
for (final String binaryPath in findBinaryPaths(cacheDirectory)) {
print('Verifying the code signature of $binaryPath');
final ProcessResult codeSignResult = Process.runSync(
'codesign',
<String>[
'-vvv',
binaryPath,
],
);
if (codeSignResult.exitCode != 0) {
unsignedBinaries.add(binaryPath);
print('File "$binaryPath" does not appear to be codesigned.\n'
'The `codesign` command failed with exit code ${codeSignResult.exitCode}:\n'
'${codeSignResult.stderr}\n');
continue;
} else {
print('Verifying entitlements of $binaryPath');
if (!hasExpectedEntitlements(binaryPath)) {
wrongEntitlementBinaries.add(binaryPath);
}
}
}
if (unsignedBinaries.isNotEmpty) {
print('Found ${unsignedBinaries.length} unsigned binaries:');
unsignedBinaries.forEach(print);
}
if (wrongEntitlementBinaries.isNotEmpty) {
print('Found ${wrongEntitlementBinaries.length} binaries with unexpected entitlements:');
wrongEntitlementBinaries.forEach(print);
}
if (unsignedBinaries.isNotEmpty) {
// TODO(jmagman): Also exit if `wrongEntitlementBinaries.isNotEmpty` after https://github.com/flutter/flutter/issues/46704 is done.
exit(1);
}
print('Verified that binaries are codesigned and have expected entitlements.');
}