author | 2015-10-08 14:59:04 +0000 | |
---|---|---|
committer | 2015-10-09 14:39:59 +0000 | |
commit | 3caa2b2425172c1515c6df0a34c188987be7aa11 (patch) | |
tree | 16307c0eae9f99ada60e01cfdb4d77ec2aaf95b3 /src/main/java/com/google/devtools/build/lib/rules/objc | |
parent | c97ee9c33285b36926ed560e4c089b6bc28f4a25 (diff) |
Allow use of signing certificate name for iOS app signing.
The value of the new flag --ios_signing_cert_name takes precedence over any specified
provisioning profile for purposes of signing.
RELNOTES: --ios_signing_cert_name allows specifying a cert for iOS app signing
--
MOS_MIGRATED_REVID=104961817
Diffstat (limited to 'src/main/java/com/google/devtools/build/lib/rules/objc')
3 files changed, 44 insertions, 11 deletions
diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcCommandLineOptions.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcCommandLineOptions.java index e3324cb882..1eb9d66d10 100644 --- a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcCommandLineOptions.java +++ b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcCommandLineOptions.java @@ -194,6 +194,17 @@ public class ObjcCommandLineOptions extends FragmentOptions { category = "undocumented") public ConfigurationDistinguisher configurationDistinguisher; + @Option( + name = "ios_signing_cert_name", + defaultValue = "null", + category = "flags", + help = + "Certificate name to use for iOS signing. If not set will fall back to provisioning " + + "profile. May be the certificate's keychain identity preference or (substring) of " + + "the certificate's common name, as per codesign's man page (SIGNING IDENTITIES)." + ) + public String iosSigningCertName; + @VisibleForTesting static final String DEFAULT_MINIMUM_IOS = "7.0"; @VisibleForTesting static final String DEFAULT_IOS_CPU = "x86_64"; diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcConfiguration.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcConfiguration.java index 2c71164a53..3af0e97d6c 100644 --- a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcConfiguration.java +++ b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcConfiguration.java @@ -69,6 +69,7 @@ public class ObjcConfiguration extends BuildConfiguration.Fragment { private final boolean enableBinaryStripping; private final boolean moduleMapsEnabled; private final ConfigurationDistinguisher configurationDistinguisher; + @Nullable private final String signingCertName; @Nullable private final Path clientWorkspaceRoot; // We only load these labels if the mode which uses them is enabled. That is known as part of the 
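Review bot: The `help` string of the new `ios_signing_cert_name` option in ObjcCommandLineOptions.java documents only the keychain identity preference and the common-name substring forms, and a substring match depends on which certificates happen to be in the keychain of the machine that runs the signing action. codesign's SIGNING IDENTITIES section also accepts the 40-hex-digit SHA-1 hash of the certificate, which appears to be the form the provisioning-profile fallback in ReleaseBundlingSupport.java passes. I would extend the help text with a sentence such as `"A full certificate fingerprint may also be given and selects the identity unambiguously."` so that users who need a fixed signing identity know how to get one.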
@@ -110,6 +111,7 @@ public class ObjcConfiguration extends BuildConfiguration.Fragment { this.moduleMapsEnabled = objcOptions.enableModuleMaps; this.configurationDistinguisher = objcOptions.configurationDistinguisher; this.clientWorkspaceRoot = directories != null ? directories.getWorkspace() : null; + this.signingCertName = objcOptions.iosSigningCertName; } public Map<String, String> getEnvironmentForDarwin() { @@ -326,4 +328,13 @@ public class ObjcConfiguration extends BuildConfiguration.Fragment { @Nullable public Path getClientWorkspaceRoot() { return this.clientWorkspaceRoot; } + + /** + * Returns the flag-supplied certificate name to be used in signing or {@code null} if no such + * certificate was specified. + */ + @Nullable + public String getSigningCertName() { + return this.signingCertName; + } } diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundlingSupport.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundlingSupport.java index ee4c26a074..51366a0363 100644 --- a/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundlingSupport.java +++ b/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundlingSupport.java @@ -580,7 +580,7 @@ public final class ReleaseBundlingSupport { StringBuilder codesignCommandLineBuilder = new StringBuilder(); for (String dir : dirsToSign.build()) { codesignCommandLineBuilder - .append(codesignCommand(attributes.provisioningProfile(), entitlements, "${t}/" + dir)) + .append(codesignCommand(entitlements, "${t}/" + dir)) .append(" && "); } 
@@ -770,17 +770,28 @@ public final class ReleaseBundlingSupport { return "security cms -D -i " + ShellUtils.shellEscape(provisioningProfile.getExecPathString()); } - private String codesignCommand( - Artifact provisioningProfile, Artifact entitlements, String appDir) { - String fingerprintCommand = - "PLIST=$(mktemp -t cert.plist) && trap \"rm ${PLIST}\" EXIT && " - + extractPlistCommand(provisioningProfile) + " > ${PLIST} && " - + "/usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' ${PLIST} | " - + "openssl x509 -inform DER -noout -fingerprint | " - + "cut -d= -f2 | sed -e 's#:##g'"; + private String codesignCommand(Artifact entitlements, String appDir) { + String signingCertName = ObjcRuleClasses.objcConfiguration(ruleContext).getSigningCertName(); + + final String identity; + if (signingCertName != null) { + identity = '"' + signingCertName + '"'; + } else { + // Extracts an identity hash from the configured provisioning profile. Note that this will use + // the first certificate identity in the profile, regardless of how many identities are + // configured in it (DeveloperCertificates:0). + identity = + "$(PLIST=$(mktemp -t cert.plist) && trap \"rm ${PLIST}\" EXIT && " + + extractPlistCommand(attributes.provisioningProfile()) + + " > ${PLIST} && " + + "/usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' ${PLIST} | " + + "openssl x509 -inform DER -noout -fingerprint | " + + "cut -d= -f2 | sed -e 's#:##g')"; + } + return String.format( - "/usr/bin/codesign --force --sign $(%s) --entitlements %s %s", - fingerprintCommand, + "/usr/bin/codesign --force --sign %s --entitlements %s %s", + identity, entitlements.getShellEscapedExecPathString(), appDir); } |
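Review bot: In the new `codesignCommand`, the `signingCertName != null` branch builds the identity as `'"' + signingCertName + '"'`, so the flag value is placed inside double quotes on a shell command line without any escaping. A name containing `"`, `$`, a backtick or a backslash would be reinterpreted by the shell instead of reaching codesign verbatim. The context above this hunk already uses `ShellUtils.shellEscape(...)` for the provisioning profile path, and the branch could use the same helper: `identity = ShellUtils.shellEscape(signingCertName);`. An empty flag value is presumably also non-null and would produce `--sign ""`; guarding with `if (signingCertName != null && !signingCertName.isEmpty())` would keep the provisioning-profile fallback in that case.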