Handle ambiguous signer in codesigningtool.py

bazelbuild · Jul 10, 2019 · 24fff17 · 24fff17
1 parent 1e0972c
commit 24fff17
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/tools/codesigningtool/codesigningtool.py b/tools/codesigningtool/codesigningtool.py
@@ -127,18 +127,18 @@ def _find_codesign_identities(identity=None):
     m = regex.search(line)
     if m:
       groups = m.groupdict()
-      id = groups.get("full_name") or groups["hash"]
+      id = (groups["hash"], groups.get("full_name"))
       ids.append(id)
   return ids
 
 
 def _find_codesign_identity(mobileprovision):
   """Finds a valid identity on the system given a mobileprovision file."""
   mpf = _parse_mobileprovision_file(mobileprovision)
-  ids_codesign = set(_find_codesign_identities())
+  ids_codesign = dict(_find_codesign_identities())
   for id_mpf in _get_identities_from_provisioning_profile(mpf):
     if id_mpf in ids_codesign:
-      return id_mpf
+      return (id_mpf, ids_codesign[id_mpf])
 
 
 def _filter_codesign_output(codesign_output):
@@ -149,6 +149,21 @@ def _filter_codesign_output(codesign_output):
       filtered_lines.append(line)
   return "\n".join(filtered_lines)
 
+def _sign_flags(identity):
+  """Produce codesign --sign flags for an identity"""
+  if isinstance(identity, tuple):
+    hash_id, name_id = identity
+    # Include both name and hash of the signing identity. The name is for
+    # debuggability, and the hash avoids a codesign error when given an
+    # ambiguous name. The name goes first, the hash overrides the name.
+    flags = []
+    if name_id:
+      flags.extend(["--sign", name_id])
+    flags.extend(["--sign", hash_id])
+    return flags
+  else:
+    return ["--sign", identity]
+
 def main(argv):
   parser = argparse.ArgumentParser(description="codesign wrapper")
   parser.add_argument(
@@ -171,12 +186,13 @@ def main(argv):
           file=sys.stderr)
       return -1
   # No identity was found, fail
-  if identity == None:
+  if identity is None:
     print("ERROR: Unable to find an identity on the system matching the "\
         "ones in %s" % args.mobileprovision, file=sys.stderr)
     return 1
-  stdout, stderr = _check_output([args.codesign, "-v", "--sign", identity] +
-                                 codesign_args,)
+  sign_args = _sign_flags(identity)
+  stdout, stderr = _check_output([args.codesign, "-v"] + sign_args
+                                  + codesign_args)
   if stdout:
     filtered_stdout = _filter_codesign_output(stdout)
     if filtered_stdout: