| #!/usr/bin/env python3 |
| # |
| # Copyright (c) 2023, the Dart project authors. Please see the AUTHORS file |
| # for details. All rights reserved. Use of this source code is governed by a |
| # BSD-style license that can be found in the LICENSE file. |
| # |
| # Sign given binaries with using the specified signing identity and |
| # using entitlements from runtime/tools/entitlement/${binary_name}.plist |
| # if any. |
| # |
| |
| import optparse |
| import os |
| import subprocess |
| |
| SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__)) |
| |
| |
| def SignBinary(identity, binary): |
| codesign_args = [ |
| "--deep", "--force", "--verify", "--verbose", "--timestamp", |
| "--options", "runtime", "--sign", identity |
| ] |
| |
| name = os.path.basename(binary) |
| |
| # Check if we have a matching entitlements file and apply it. |
| # It would be simpler if we could specify it from outside but |
| # GN does not give us tools for doing that: executable target can't |
| # push arbitrary configuration down to the link tool where |
| # we would like to perform code signing. |
| entitlements_file = os.path.join(SCRIPT_DIR, "entitlements", |
| name + ".plist") |
| if os.path.exists(entitlements_file): |
| codesign_args += ["--entitlements", entitlements_file] |
| cmd = ["codesign"] + codesign_args + [binary] |
| result = subprocess.run(cmd, capture_output=True, encoding="utf8") |
| if result.returncode != 0: |
| print("failed to run: " + " ".join(cmd)) |
| print(f"exit code: {result.returncode}") |
| print("stdout:") |
| print(result.stdout) |
| print("stdout:") |
| print(result.stderr) |
| raise Exception("failed to codesign") |
| |
| |
| parser = optparse.OptionParser() |
| parser.add_option("--identity", type="string", help="Code signing identity") |
| parser.add_option("--binary", |
| type="string", |
| action="append", |
| help="Binary to sign") |
| options = parser.parse_args()[0] |
| |
| if not options.identity: |
| raise Exception("Missing code signing identity (--identity)") |
| |
| if not options.binary: |
| raise Exception("Missing binaries to sign (--binary)") |
| |
| for binary in options.binary: |
| SignBinary(options.identity, binary) |