Mike Klein | 6d3b7aa | 2017-01-30 14:00:54 -0500 | [diff] [blame] | 1 | #!/usr/bin/env python2.7 |
| 2 | # |
| 3 | # Copyright 2017 Google Inc. |
| 4 | # |
| 5 | # Use of this source code is governed by a BSD-style license that can be |
| 6 | # found in the LICENSE file. |
| 7 | |
Mike Klein | 63afe64 | 2017-01-31 12:07:33 -0500 | [diff] [blame] | 8 | import glob |
Mike Klein | 6d3b7aa | 2017-01-30 14:00:54 -0500 | [diff] [blame] | 9 | import os |
Ben Wagner | 076c50c | 2019-09-27 18:16:02 -0400 | [diff] [blame] | 10 | import os.path |
Mike Klein | 6d3b7aa | 2017-01-30 14:00:54 -0500 | [diff] [blame] | 11 | import re |
| 12 | import shutil |
| 13 | import subprocess |
| 14 | import sys |
| 15 | import tempfile |
| 16 | |
| 17 | # Arguments to the script: |
Jim Van Verth | 443a913 | 2017-11-28 09:45:26 -0500 | [diff] [blame] | 18 | # pkg path to application directory, e.g. out/Debug/dm.app |
| 19 | # executable and plist should already be in this directory |
Jim Van Verth | 4e50297 | 2017-12-07 15:16:10 -0500 | [diff] [blame] | 20 | # identstr search string (regex fragment) for code signing identity |
Ben Wagner | 076c50c | 2019-09-27 18:16:02 -0400 | [diff] [blame] | 21 | # profile path or name of provisioning profile |
Jim Van Verth | 4e50297 | 2017-12-07 15:16:10 -0500 | [diff] [blame] | 22 | pkg,identstr,profile = sys.argv[1:] |
Mike Klein | 63afe64 | 2017-01-31 12:07:33 -0500 | [diff] [blame] | 23 | |
Jim Van Verth | ee1098d | 2020-11-09 12:12:13 -0500 | [diff] [blame] | 24 | # Find the signing identity. |
Mike Klein | 63afe64 | 2017-01-31 12:07:33 -0500 | [diff] [blame] | 25 | identity = None |
| 26 | for line in subprocess.check_output(['security', 'find-identity']).split('\n'): |
Jim Van Verth | 4e50297 | 2017-12-07 15:16:10 -0500 | [diff] [blame] | 27 | m = re.match(r'''.*\) (.*) "''' + identstr + '"', line) |
Mike Klein | 63afe64 | 2017-01-31 12:07:33 -0500 | [diff] [blame] | 28 | if m: |
| 29 | identity = m.group(1) |
Jim Van Verth | ee1098d | 2020-11-09 12:12:13 -0500 | [diff] [blame] | 30 | if identity is None: |
| 31 | print("Signing identity matching '" + identstr + "' not found.") |
| 32 | print("Please verify by running 'security find-identity' or checking your keychain.") |
| 33 | sys.exit(1) |
Mike Klein | 63afe64 | 2017-01-31 12:07:33 -0500 | [diff] [blame] | 34 | |
Jim Van Verth | ee1098d | 2020-11-09 12:12:13 -0500 | [diff] [blame] | 35 | # Find the mobile provisioning profile. |
Mike Klein | 63afe64 | 2017-01-31 12:07:33 -0500 | [diff] [blame] | 36 | mobileprovision = None |
Ben Wagner | 076c50c | 2019-09-27 18:16:02 -0400 | [diff] [blame] | 37 | if os.path.isfile(profile): |
| 38 | mobileprovision = profile |
| 39 | else: |
| 40 | for p in glob.glob(os.path.join(os.environ['HOME'], 'Library', 'MobileDevice', |
| 41 | 'Provisioning Profiles', |
| 42 | '*.mobileprovision')): |
| 43 | if re.search(r'''<key>Name</key> |
Jim Van Verth | 4e50297 | 2017-12-07 15:16:10 -0500 | [diff] [blame] | 44 | \t<string>''' + profile + r'''</string>''', open(p).read(), re.MULTILINE): |
Ben Wagner | 076c50c | 2019-09-27 18:16:02 -0400 | [diff] [blame] | 45 | mobileprovision = p |
Jim Van Verth | ee1098d | 2020-11-09 12:12:13 -0500 | [diff] [blame] | 46 | if mobileprovision is None: |
| 47 | print("Provisioning profile matching '" + profile + "' not found.") |
| 48 | print("Please verify that the correct profile is installed in '${HOME}/Library/MobileDevice/Provisioning Profiles' or specify the path directly.") |
| 49 | sys.exit(1) |
Mike Klein | 6d3b7aa | 2017-01-30 14:00:54 -0500 | [diff] [blame] | 50 | |
Jim Van Verth | 443a913 | 2017-11-28 09:45:26 -0500 | [diff] [blame] | 51 | # The .mobileprovision just gets copied into the package. |
Mike Klein | 6d3b7aa | 2017-01-30 14:00:54 -0500 | [diff] [blame] | 52 | shutil.copy(mobileprovision, |
| 53 | os.path.join(pkg, 'embedded.mobileprovision')) |
| 54 | |
Mike Klein | 6d3b7aa | 2017-01-30 14:00:54 -0500 | [diff] [blame] | 55 | # Extract the appliciation identitifer prefix from the .mobileprovision. |
| 56 | m = re.search(r'''<key>ApplicationIdentifierPrefix</key> |
| 57 | \t<array> |
| 58 | \t<string>(.*)</string>''', open(mobileprovision).read(), re.MULTILINE) |
| 59 | prefix = m.group(1) |
| 60 | |
Jim Van Verth | 443a913 | 2017-11-28 09:45:26 -0500 | [diff] [blame] | 61 | app, _ = os.path.splitext(os.path.basename(pkg)) |
| 62 | |
Mike Klein | 6d3b7aa | 2017-01-30 14:00:54 -0500 | [diff] [blame] | 63 | # Write a minimal entitlements file, then codesign. |
| 64 | with tempfile.NamedTemporaryFile() as f: |
| 65 | f.write(''' |
| 66 | <plist version="1.0"> |
| 67 | <dict> |
| 68 | <key>application-identifier</key> <string>{prefix}.com.google.{app}</string> |
| 69 | <key>get-task-allow</key> <true/> |
| 70 | </dict> |
| 71 | </plist> |
| 72 | '''.format(prefix=prefix, app=app)) |
| 73 | f.flush() |
| 74 | |
| 75 | subprocess.check_call(['codesign', |
| 76 | '--force', |
| 77 | '--sign', identity, |
| 78 | '--entitlements', f.name, |
| 79 | '--timestamp=none', |
| 80 | pkg]) |