Skip to content

Commit

Permalink
[resign.sh] only create the archived-expanded-entitlements.xcent file…
Browse files Browse the repository at this point in the history 
… if the version of Xcode < 9.3 (#13685)

* issue-13684 fixes Xcode10 issue where invalid xcent file created

* Standardize 'then' on same line as if
  • Loading branch information
@lyndsey-ferguson
lyndsey-ferguson authored and Josh Holtz committed Nov 18, 2018
1 parent ced1fc4 commit 72f9953
Showing 1 changed file with 39 additions and 63 deletions.
102 changes: 39 additions & 63 deletions sigh/lib/assets/resign.sh
View file
Expand Up @@ -60,6 +60,9 @@
# 4. extracts the entitlements from the provisioning profile
# 5. copy the entitlements as archived-expanded-entitlements.xcent inside the app bundle (because Xcode does too)
#
# new features November 2018
# 1. only create the archived-expanded-entitlements.xcent file if the version of Xcode < 9.3 as Xcode 10 does not create it.
#

# Logging functions

Expand All @@ -81,8 +84,7 @@ warning() {
function checkStatus {

# shellcheck disable=SC2181
if [ $? -ne 0 ];
then
if [ $? -ne 0 ]; then
error "Encountered an error, aborting!"
fi
}
Expand Down Expand Up @@ -154,6 +156,7 @@ PROVISIONS_BY_ID=()
DEFAULT_PROVISION=""
TEMP_DIR="_floatsignTemp"
USE_APP_ENTITLEMENTS=""
XCODE_VERSION="$(xcodebuild -version | grep "Xcode" | /usr/bin/cut -f 2 -d ' ')"

# List of plist keys used for reference to and from nested apps and extensions
NESTED_APP_REFERENCE_KEYS=(":WKCompanionAppBundleIdentifier" ":NSExtension:NSExtensionAttributes:WKAppBundleIdentifier")
Expand Down Expand Up @@ -220,8 +223,7 @@ while [ "$1" != "" ]; do
done

KEYCHAIN_FLAG=
if [ -n "$KEYCHAIN_PATH" ]
then
if [ -n "$KEYCHAIN_PATH" ]; then
KEYCHAIN_FLAG="--keychain $KEYCHAIN_PATH"
fi

Expand Down Expand Up @@ -254,8 +256,7 @@ log "Certificate: '$CERTIFICATE'"
[[ -n "${USE_APP_ENTITLEMENTS}" && -n ${ENTITLEMENTS} ]] && error "--use-app-entitlements option cannot be used in combination with -e, --entitlements option."

# Check output file name
if [ -z "$NEW_FILE" ];
then
if [ -z "$NEW_FILE" ]; then
error "Output file name required"
fi

Expand All @@ -264,8 +265,7 @@ if [[ "${#RAW_PROVISIONS[*]}" == "0" ]]; then
fi

# Check for and remove the temporary directory if it already exists
if [ -d "$TEMP_DIR" ];
then
if [ -d "$TEMP_DIR" ]; then
log "Removing previous temporary directory: '$TEMP_DIR'"
rm -Rf "$TEMP_DIR"
fi
Expand All @@ -275,13 +275,11 @@ extension="${filename##*.}"
filename="${filename%.*}"

# Check if the supplied file is an ipa or an app file
if [ "${extension}" = "ipa" ]
then
if [ "${extension}" = "ipa" ]; then
# Unzip the old ipa quietly
unzip -q "$ORIGINAL_FILE" -d $TEMP_DIR
checkStatus
elif [ "${extension}" = "app" ]
then
elif [ "${extension}" = "app" ]; then
# Copy the app file into an ipa-like structure
mkdir -p "$TEMP_DIR/Payload"
cp -Rf "${ORIGINAL_FILE}" "$TEMP_DIR/Payload/${filename}.app"
Expand All @@ -291,8 +289,7 @@ else
fi

# check the keychain
if [ "${KEYCHAIN}" != "" ];
then
if [ "${KEYCHAIN}" != "" ]; then
security list-keychains -s "$KEYCHAIN"
security unlock "$KEYCHAIN"
security default-keychain -s "$KEYCHAIN"
Expand Down Expand Up @@ -400,8 +397,7 @@ function resign {
fi

# Make sure that the Info.plist file is where we expect it
if [ ! -e "$APP_PATH/Info.plist" ];
then
if [ ! -e "$APP_PATH/Info.plist" ]; then
error "Expected file does not exist: '$APP_PATH/Info.plist'"
fi

Expand Down Expand Up @@ -447,10 +443,8 @@ function resign {
log "New bundle identifier will be: '$BUNDLE_IDENTIFIER'"

# Update the CFBundleDisplayName property in the Info.plist if a new name has been provided
if [ "${DISPLAY_NAME}" != "" ];
then
if [ "${DISPLAY_NAME}" != "${CURRENT_NAME}" ];
then
if [ "${DISPLAY_NAME}" != "" ]; then
if [ "${DISPLAY_NAME}" != "${CURRENT_NAME}" ]; then
log "Changing display name from '$CURRENT_NAME' to '$DISPLAY_NAME'"
PlistBuddy -c "Set :CFBundleDisplayName $DISPLAY_NAME" "$APP_PATH/Info.plist"
fi
Expand All @@ -465,8 +459,7 @@ function resign {
if [ "$APP_IDENTIFIER_PREFIX" == "" ];
then
APP_IDENTIFIER_PREFIX=$(PlistBuddy -c "Print :ApplicationIdentifierPrefix:0" "$TEMP_DIR/profile.plist")
if [ "$APP_IDENTIFIER_PREFIX" == "" ];
then
if [ "$APP_IDENTIFIER_PREFIX" == "" ]; then
error "Failed to extract any app identifier prefix from '$NEW_PROVISION'"
else
warning "WARNING: extracted an app identifier prefix '$APP_IDENTIFIER_PREFIX' from '$NEW_PROVISION', but it was not found in the profile's entitlements"
Expand All @@ -479,11 +472,9 @@ function resign {
PlistBuddy -c "Set :AppIdentifierPrefix $APP_IDENTIFIER_PREFIX." "$APP_PATH/Info.plist" 2>/dev/null

TEAM_IDENTIFIER=$(PlistBuddy -c "Print :Entitlements:com.apple.developer.team-identifier" "$TEMP_DIR/profile.plist" | tr -d '\n')
if [ "$TEAM_IDENTIFIER" == "" ];
then
if [ "$TEAM_IDENTIFIER" == "" ]; then
TEAM_IDENTIFIER=$(PlistBuddy -c "Print :TeamIdentifier:0" "$TEMP_DIR/profile.plist")
if [ "$TEAM_IDENTIFIER" == "" ];
then
if [ "$TEAM_IDENTIFIER" == "" ]; then
warning "Failed to extract team identifier from '$NEW_PROVISION', resigned ipa may fail on iOS 8 and higher"
else
warning "WARNING: extracted a team identifier '$TEAM_IDENTIFIER' from '$NEW_PROVISION', but it was not found in the profile's entitlements, resigned ipa may fail on iOS 8 and higher"
Expand All @@ -499,37 +490,32 @@ function resign {
cp -f "$NEW_PROVISION" "$APP_PATH/embedded.mobileprovision"

#if the current bundle identifier is different from the new one in the provisioning profile, then change it.
if [ "$CURRENT_BUNDLE_IDENTIFIER" != "$BUNDLE_IDENTIFIER" ];
then
if [ "$CURRENT_BUNDLE_IDENTIFIER" != "$BUNDLE_IDENTIFIER" ]; then
log "Updating the bundle identifier from '$CURRENT_BUNDLE_IDENTIFIER' to '$BUNDLE_IDENTIFIER'"
PlistBuddy -c "Set :CFBundleIdentifier $BUNDLE_IDENTIFIER" "$APP_PATH/Info.plist"
checkStatus
fi

# Update the version number properties in the Info.plist if a version number has been provided
if [ "$VERSION_NUMBER" != "" ];
then
if [ "$VERSION_NUMBER" != "" ]; then
CURRENT_VERSION_NUMBER=$(PlistBuddy -c "Print :CFBundleVersion" "$APP_PATH/Info.plist")
if [ "$VERSION_NUMBER" != "$CURRENT_VERSION_NUMBER" ];
then
if [ "$VERSION_NUMBER" != "$CURRENT_VERSION_NUMBER" ]; then
log "Updating the version from '$CURRENT_VERSION_NUMBER' to '$VERSION_NUMBER'"
PlistBuddy -c "Set :CFBundleVersion $VERSION_NUMBER" "$APP_PATH/Info.plist"
PlistBuddy -c "Set :CFBundleShortVersionString $VERSION_NUMBER" "$APP_PATH/Info.plist"
fi
fi

# Update short version string in the Info.plist if provided
if [[ -n "$SHORT_VERSION" ]];
then
if [[ -n "$SHORT_VERSION" ]]; then
CURRENT_VALUE="$(PlistBuddy -c "Print :CFBundleShortVersionString" "$APP_PATH/Info.plist")"
# Even if the old value is same - just update, less code, less debugging
log "Updating the short version string (CFBundleShortVersionString) from '$CURRENT_VALUE' to '$SHORT_VERSION'"
PlistBuddy -c "Set :CFBundleShortVersionString $SHORT_VERSION" "$APP_PATH/Info.plist"
fi

# Update bundle version in the Info.plist if provided
if [[ -n "$BUNDLE_VERSION" ]];
then
if [[ -n "$BUNDLE_VERSION" ]]; then
CURRENT_VALUE="$(PlistBuddy -c "Print :CFBundleVersion" "$APP_PATH/Info.plist")"
# Even if the old value is same - just update, less code, less debugging
log "Updating the bundle version (CFBundleVersion) from '$CURRENT_VALUE' to '$BUNDLE_VERSION'"
Expand All @@ -538,18 +524,15 @@ function resign {

# Check for and resign any embedded frameworks (new feature for iOS 8 and above apps)
FRAMEWORKS_DIR="$APP_PATH/Frameworks"
if [ -d "$FRAMEWORKS_DIR" ];
then
if [ "$TEAM_IDENTIFIER" == "" ];
then
if [ -d "$FRAMEWORKS_DIR" ]; then
if [ "$TEAM_IDENTIFIER" == "" ]; then
error "ERROR: embedded frameworks detected, re-signing iOS 8 (or higher) applications wihout a team identifier in the certificate/profile does not work"
fi

log "Resigning embedded frameworks using certificate: '$CERTIFICATE'"
for framework in "$FRAMEWORKS_DIR"/*
do
if [[ "$framework" == *.framework || "$framework" == *.dylib ]]
then
if [[ "$framework" == *.framework || "$framework" == *.dylib ]]; then
log "Resigning '$framework'"
# Must not qote KEYCHAIN_FLAG because it needs to be unwrapped and passed to codesign with spaces
# shellcheck disable=SC2086
Expand All @@ -566,46 +549,37 @@ function resign {
for key in "${NESTED_APP_REFERENCE_KEYS[@]}"; do
# Check if Info.plist has a reference to another app or extension
REF_BUNDLE_ID=$(PlistBuddy -c "Print ${key}" "$APP_PATH/Info.plist" 2>/dev/null)
if [ -n "$REF_BUNDLE_ID" ];
then
if [ -n "$REF_BUNDLE_ID" ]; then
# Found a reference bundle id, now get the corresponding provisioning profile for this bundle id
REF_PROVISION=$(provision_for_bundle_id "$REF_BUNDLE_ID")
# Map to the new bundle id
NEW_REF_BUNDLE_ID=$(bundle_id_for_provison "$REF_PROVISION")
# Change if not the same and if doesn't contain wildcard
# shellcheck disable=SC2049
if [[ "$REF_BUNDLE_ID" != "$NEW_REF_BUNDLE_ID" ]] && ! [[ "$NEW_REF_BUNDLE_ID" =~ \* ]];
then
if [[ "$REF_BUNDLE_ID" != "$NEW_REF_BUNDLE_ID" ]] && ! [[ "$NEW_REF_BUNDLE_ID" =~ \* ]]; then
log "Updating nested app or extension reference for ${key} key from ${REF_BUNDLE_ID} to ${NEW_REF_BUNDLE_ID}"
PlistBuddy -c "Set ${key} $NEW_REF_BUNDLE_ID" "$APP_PATH/Info.plist"
fi
fi
done

if [ "$ENTITLEMENTS" != "" ];
then
if [ -n "$APP_IDENTIFIER_PREFIX" ];
then
if [ "$ENTITLEMENTS" != "" ]; then
if [ -n "$APP_IDENTIFIER_PREFIX" ]; then
# sanity check the 'application-identifier' is present in the provided entitlements and matches the provisioning profile value
ENTITLEMENTS_APP_ID_PREFIX=$(PlistBuddy -c "Print :application-identifier" "$ENTITLEMENTS" | grep -E '^[A-Z0-9]*' -o | tr -d '\n')
if [ "$ENTITLEMENTS_APP_ID_PREFIX" == "" ];
then
if [ "$ENTITLEMENTS_APP_ID_PREFIX" == "" ]; then
error "Provided entitlements file is missing a value for the required 'application-identifier' key"
elif [ "$ENTITLEMENTS_APP_ID_PREFIX" != "$APP_IDENTIFIER_PREFIX" ];
then
elif [ "$ENTITLEMENTS_APP_ID_PREFIX" != "$APP_IDENTIFIER_PREFIX" ]; then
error "Provided entitlements file's app identifier prefix value '$ENTITLEMENTS_APP_ID_PREFIX' does not match the provided provisioning profile's value '$APP_IDENTIFIER_PREFIX'"
fi
fi

if [ -n "$TEAM_IDENTIFIER" ];
then
if [ -n "$TEAM_IDENTIFIER" ]; then
# sanity check the 'com.apple.developer.team-identifier' is present in the provided entitlements and matches the provisioning profile value
ENTITLEMENTS_TEAM_IDENTIFIER=$(PlistBuddy -c "Print :com.apple.developer.team-identifier" "$ENTITLEMENTS" | tr -d '\n')
if [ "$ENTITLEMENTS_TEAM_IDENTIFIER" == "" ];
then
if [ "$ENTITLEMENTS_TEAM_IDENTIFIER" == "" ]; then
error "Provided entitlements file is missing a value for the required 'com.apple.developer.team-identifier' key"
elif [ "$ENTITLEMENTS_TEAM_IDENTIFIER" != "$TEAM_IDENTIFIER" ];
then
elif [ "$ENTITLEMENTS_TEAM_IDENTIFIER" != "$TEAM_IDENTIFIER" ]; then
error "Provided entitlements file's 'com.apple.developer.team-identifier' '$ENTITLEMENTS_TEAM_IDENTIFIER' does not match the provided provisioning profile's value '$TEAM_IDENTIFIER'"
fi
fi
Expand All @@ -615,8 +589,7 @@ function resign {
cp -f "$ENTITLEMENTS" "$APP_PATH/archived-expanded-entitlements.xcent"
/usr/bin/codesign ${VERBOSE} -f -s "$CERTIFICATE" --entitlements "$ENTITLEMENTS" "$APP_PATH"
checkStatus
elif [[ -n "${USE_APP_ENTITLEMENTS}" ]];
then
elif [[ -n "${USE_APP_ENTITLEMENTS}" ]]; then
# Extract entitlements from provisioning profile and from the app binary
# then combine them together

Expand Down Expand Up @@ -828,7 +801,10 @@ function resign {
checkStatus
log "Resigning application using certificate: '$CERTIFICATE'"
log "and entitlements from provisioning profile: $NEW_PROVISION"
cp -- "$TEMP_DIR/newEntitlements" "$APP_PATH/archived-expanded-entitlements.xcent"
if [[ "${XCODE_VERSION/.*/}" -lt 10 ]]; then
log "Creating an archived-expanded-entitlements.xcent file for Xcode 9 builds or earlier"
cp -- "$TEMP_DIR/newEntitlements" "$APP_PATH/archived-expanded-entitlements.xcent"
fi
# Must not qote KEYCHAIN_FLAG because it needs to be unwrapped and passed to codesign with spaces
# shellcheck disable=SC2086
/usr/bin/codesign ${VERBOSE} ${KEYCHAIN_FLAG} -f -s "$CERTIFICATE" --entitlements "$TEMP_DIR/newEntitlements" "$APP_PATH"
Expand Down

0 comments on commit 72f9953

Please sign in to comment.