From c3cb44fdef04d87d4c19b5114748e625a95b9b40 Mon Sep 17 00:00:00 2001 From: Elias Naur Date: Sat, 7 Apr 2018 17:22:43 +0200 Subject: [PATCH] misc/ios: make detect.go more robust To enable the exec wrapper go_darwin_arm_exec.go to run binaries on iOS devices, the GOIOS_DEV_ID variable needs to be set to a code signing identity. The program detect.go attempts to detect suitable values for GOIOS_DEV_ID (along with GOIOS_APP_ID and GOIOS_TEAM_ID). Before this change, detect.go would use "security find-identity -p codesigning -v" to list all available identities for code signing and pick the first one with "iPhone Developer" in its name. However, that pick might be invalid since if it was replaced by an identity issued later. For example, on the mobile builder: $ security find-identity -p codesigning -v 1) 0E251DE41FE4490574E475AC320B47F58D6D3635 "lldb_codesign" 2) 0358588D07AA6A19478981BA405F40A97F95F187 "iPhone Developer: xxx@xxx (2754T98W8E)" 3) FC6D96F24A3223C98BF7A2C2C5194D82E04CD23E "iPhone Developer: xxx@xxx (2754T98W8E)" 3 valid identities found In this case, the identity 0358588D07AA6A19478981BA405F40A97F95F187 is picked by detect.go even though it has been invalidated by FC6D96F24A3223C98BF7A2C2C5194D82E04CD23E. Instead of attempting to find an identity from the "security find-identity" list, use the identity from the CommonName in the embedded certificate in the provisioning file. The CommonName only lists the identity name (iPhone Developer: xxx@xxx (2754T98W8E)), not the fingerprint (FC6D96F24A3223C98BF7A2C2C5194D82E04CD23E), but fortunately the codesign tool accepts both. Identity names may not be unique, as demonstrated by the example, but that will result in an ambiguity error at codesigning instead of a more obscure error about an invalid identity when go_darwin_arm_exec.go runs a binary. The fix is then to delete the invalid identity from the system keychain. While here, find all connected devices instead of the first connected and only consider provision files that covers them all. This matters for the mobile builder where two devices are connected. Change-Id: I6beb59ace3fc5e071ba76222a20a607765943989 Reviewed-on: https://go-review.googlesource.com/105436 Run-TryBot: Elias Naur TryBot-Result: Gobot Gobot Reviewed-by: Hyang-Ah Hana Kim --- misc/ios/detect.go | 71 +++++++++++++++++++--------------------------- 1 file changed, 29 insertions(+), 42 deletions(-) diff --git a/misc/ios/detect.go b/misc/ios/detect.go index 7e4e6f60e9..2594185c11 100644 --- a/misc/ios/detect.go +++ b/misc/ios/detect.go @@ -14,6 +14,7 @@ package main import ( "bytes" + "crypto/x509" "fmt" "io/ioutil" "os" @@ -22,12 +23,14 @@ import ( ) func main() { - devID := detectDevID() + udids := getLines(exec.Command("idevice_id", "-l")) + if len(udids) == 0 { + fail("no udid found; is a device connected?") + } - udid := detectUDID() - mps := detectMobileProvisionFiles(udid) + mps := detectMobileProvisionFiles(udids) if len(mps) == 0 { - fail("did not find mobile provision matching device udid %s", udid) + fail("did not find mobile provision matching device udids %q", udids) } fmt.Println("Available provisioning profiles below.") @@ -35,7 +38,6 @@ func main() { fmt.Println("will be overwritten when running Go programs.") for _, mp := range mps { fmt.Println() - fmt.Printf("export GOIOS_DEV_ID=%s\n", devID) f, err := ioutil.TempFile("", "go_ios_detect_") check(err) fname := f.Name() @@ -46,6 +48,12 @@ func main() { check(err) check(f.Close()) + cert, err := plistExtract(fname, "DeveloperCertificates:0") + check(err) + pcert, err := x509.ParseCertificate(cert) + check(err) + fmt.Printf("export GOIOS_DEV_ID=\"%s\"\n", pcert.Subject.CommonName) + appID, err := plistExtract(fname, "Entitlements:application-identifier") check(err) fmt.Printf("export GOIOS_APP_ID=%s\n", appID) @@ -56,39 +64,7 @@ func main() { } } -func detectDevID() string { - cmd := exec.Command("security", "find-identity", "-p", "codesigning", "-v") - lines := getLines(cmd) - - for _, line := range lines { - if !bytes.Contains(line, []byte("iPhone Developer")) { - continue - } - if bytes.Contains(line, []byte("REVOKED")) { - continue - } - fields := bytes.Fields(line) - return string(fields[1]) - } - fail("no code signing identity found") - panic("unreachable") -} - -var udidPrefix = []byte("UniqueDeviceID: ") - -func detectUDID() []byte { - cmd := exec.Command("ideviceinfo") - lines := getLines(cmd) - for _, line := range lines { - if bytes.HasPrefix(line, udidPrefix) { - return bytes.TrimPrefix(line, udidPrefix) - } - } - fail("udid not found; is the device connected?") - panic("unreachable") -} - -func detectMobileProvisionFiles(udid []byte) []string { +func detectMobileProvisionFiles(udids [][]byte) []string { cmd := exec.Command("mdfind", "-name", ".mobileprovision") lines := getLines(cmd) @@ -98,11 +74,17 @@ func detectMobileProvisionFiles(udid []byte) []string { continue } xmlLines := getLines(parseMobileProvision(string(line))) - for _, xmlLine := range xmlLines { - if bytes.Contains(xmlLine, udid) { - files = append(files, string(line)) + matches := 0 + for _, udid := range udids { + for _, xmlLine := range xmlLines { + if bytes.Contains(xmlLine, udid) { + matches++ + } } } + if matches == len(udids) { + files = append(files, string(line)) + } } return files } @@ -121,7 +103,12 @@ func plistExtract(fname string, path string) ([]byte, error) { func getLines(cmd *exec.Cmd) [][]byte { out := output(cmd) - return bytes.Split(out, []byte("\n")) + lines := bytes.Split(out, []byte("\n")) + // Skip the empty line at the end. + if len(lines[len(lines)-1]) == 0 { + lines = lines[:len(lines)-1] + } + return lines } func output(cmd *exec.Cmd) []byte { -- 2.50.0