Allow use of signing certificate name for iOS app signing.

The value of new flag --ios_signing_cert_name takes precedence over any specified
provisioning profilefor purposes of signing.

RELNOTES: --ios_signing_cert_name allows specifying a cert for iOS app signing

--
MOS_MIGRATED_REVID=104961817

3 files changed, 44 insertions, 11 deletions

diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcCommandLineOptions.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcCommandLineOptions.java
index e3324cb882..1eb9d66d10 100644
--- a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcCommandLineOptions.java
+++ b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcCommandLineOptions.java
@@ -194,6 +194,17 @@ public class ObjcCommandLineOptions extends FragmentOptions {
       category = "undocumented")
   public ConfigurationDistinguisher configurationDistinguisher;
 
+  @Option(
+    name = "ios_signing_cert_name",
+    defaultValue = "null",
+    category = "flags",
+    help =
+        "Certificate name to use for iOS signing. If not set will fall back to provisioning "
+            + "profile. May be the certificate's keychain identity preference or (substring) of "
+            + "the certificate's common name, as per codesign's man page (SIGNING IDENTITIES)."
+  )
+  public String iosSigningCertName;
+
   @VisibleForTesting static final String DEFAULT_MINIMUM_IOS = "7.0";
   @VisibleForTesting static final String DEFAULT_IOS_CPU = "x86_64";
 
diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcConfiguration.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcConfiguration.java
index 2c71164a53..3af0e97d6c 100644
--- a/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcConfiguration.java
+++ b/src/main/java/com/google/devtools/build/lib/rules/objc/ObjcConfiguration.java
@@ -69,6 +69,7 @@ public class ObjcConfiguration extends BuildConfiguration.Fragment {
   private final boolean enableBinaryStripping;
   private final boolean moduleMapsEnabled;
   private final ConfigurationDistinguisher configurationDistinguisher;
+  @Nullable private final String signingCertName;
   @Nullable private final Path clientWorkspaceRoot;
 
   // We only load these labels if the mode which uses them is enabled. That is known as part of the
@@ -110,6 +111,7 @@ public class ObjcConfiguration extends BuildConfiguration.Fragment {
     this.moduleMapsEnabled = objcOptions.enableModuleMaps;
     this.configurationDistinguisher = objcOptions.configurationDistinguisher;
     this.clientWorkspaceRoot = directories != null ? directories.getWorkspace() : null;
+    this.signingCertName = objcOptions.iosSigningCertName;
   }
 
   public Map<String, String> getEnvironmentForDarwin() {
@@ -326,4 +328,13 @@ public class ObjcConfiguration extends BuildConfiguration.Fragment {
   @Nullable public Path getClientWorkspaceRoot() {
     return this.clientWorkspaceRoot;
   }
+
+  /**
+   * Returns the flag-supplied certificate name to be used in signing or {@code null} if no such
+   * certificate was specified.
+   */
+  @Nullable
+  public String getSigningCertName() {
+    return this.signingCertName;
+  }
 }
diff --git a/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundlingSupport.java b/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundlingSupport.java
index ee4c26a074..51366a0363 100644
--- a/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundlingSupport.java
+++ b/src/main/java/com/google/devtools/build/lib/rules/objc/ReleaseBundlingSupport.java
@@ -580,7 +580,7 @@ public final class ReleaseBundlingSupport {
     StringBuilder codesignCommandLineBuilder = new StringBuilder();
     for (String dir : dirsToSign.build()) {
       codesignCommandLineBuilder
-          .append(codesignCommand(attributes.provisioningProfile(), entitlements, "${t}/" + dir))
+          .append(codesignCommand(entitlements, "${t}/" + dir))
           .append(" && ");
     }
 
@@ -770,17 +770,28 @@ public final class ReleaseBundlingSupport {
     return "security cms -D -i " + ShellUtils.shellEscape(provisioningProfile.getExecPathString());
   }
 
-  private String codesignCommand(
-      Artifact provisioningProfile, Artifact entitlements, String appDir) {
-    String fingerprintCommand =
-        "PLIST=$(mktemp -t cert.plist) && trap \"rm ${PLIST}\" EXIT && "
-            + extractPlistCommand(provisioningProfile) + " > ${PLIST} && "
-            + "/usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' ${PLIST} | "
-            + "openssl x509 -inform DER -noout -fingerprint | "
-            + "cut -d= -f2 | sed -e 's#:##g'";
+  private String codesignCommand(Artifact entitlements, String appDir) {
+    String signingCertName = ObjcRuleClasses.objcConfiguration(ruleContext).getSigningCertName();
+
+    final String identity;
+    if (signingCertName != null) {
+      identity = '"' + signingCertName + '"';
+    } else {
+      // Extracts an identity hash from the configured provisioning profile. Note that this will use
+      // the first certificate identity in the profile, regardless of how many identities are
+      // configured in it (DeveloperCertificates:0).
+      identity =
+          "$(PLIST=$(mktemp -t cert.plist) && trap \"rm ${PLIST}\" EXIT && "
+              + extractPlistCommand(attributes.provisioningProfile())
+              + " > ${PLIST} && "
+              + "/usr/libexec/PlistBuddy -c 'Print DeveloperCertificates:0' ${PLIST} | "
+              + "openssl x509 -inform DER -noout -fingerprint | "
+              + "cut -d= -f2 | sed -e 's#:##g')";
+    }
+
     return String.format(
-        "/usr/bin/codesign --force --sign $(%s) --entitlements %s %s",
-        fingerprintCommand,
+        "/usr/bin/codesign --force --sign %s --entitlements %s %s",
+        identity,
         entitlements.getShellEscapedExecPathString(),
         appDir);
   }