[macOS] codesign native assets during embed (#148310)

Fixes https://github.com/flutter/flutter/issues/148051 Currently only the "embed" phase, which is run during the Runner target build have access to code-signing identity. The flutter assemble target, which does the main build (and also builds native assets) does not have access to the code-signing identity. ## Pre-launch Checklist - [x] I read the [Contributor Guide] and followed the process outlined there for submitting PRs. - [x] I read the [Tree Hygiene] wiki page, which explains my responsibilities. - [x] I read and followed the [Flutter Style Guide], including [Features we expect every widget to implement]. - [x] I signed the [CLA]. - [x] I listed at least one issue that this PR fixes in the description above. - [x] I updated/added relevant documentation (doc comments with `///`). - [x] I added new tests to check the change I am making, or this PR is [test-exempt]. - [x] I followed the [breaking change policy] and added [Data Driven Fixes] where supported. - [x] All existing and new tests are passing. If you need help, consider asking for advice on the #hackers-new channel on [Discord].  [Contributor Guide]: https://github.com/flutter/flutter/wiki/Tree-hygiene#overview [Tree Hygiene]: https://github.com/flutter/flutter/wiki/Tree-hygiene [test-exempt]: https://github.com/flutter/flutter/wiki/Tree-hygiene#tests [Flutter Style Guide]: https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo [Features we expect every widget to implement]: https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo#features-we-expect-every-widget-to-implement [CLA]: https://cla.developers.google.com/ [flutter/tests]: https://github.com/flutter/tests [breaking change policy]: https://github.com/flutter/flutter/wiki/Tree-hygiene#handling-breaking-changes [Discord]: https://github.com/flutter/flutter/wiki/Chat [Data Driven Fixes]: https://github.com/flutter/flutter/wiki/Data-driven-Fixes
2025-06-03 00:51:18 +00:00 · 2024-05-16 18:12:33 +02:00 · 2024-05-16 18:12:33 +02:00 · c719f03ded
commit c719f03ded
parent 0d22d9101a
3 changed files with 31 additions and 1 deletions
--- a/packages/flutter_tools/bin/macos_assemble.sh
+++ b/packages/flutter_tools/bin/macos_assemble.sh
@ -191,6 +191,12 @@ EmbedFrameworks() {
  local native_assets_path="${project_path}/${FLUTTER_BUILD_DIR}/native_assets/macos/"
  if [[ -d "$native_assets_path" ]]; then
    RunCommand rsync -av --filter "- .DS_Store" --filter "- native_assets.yaml" "${native_assets_path}" "${xcode_frameworks_dir}"
+
+    # Iterate through all .frameworks in native assets directory.
+    for native_asset in "${native_assets_path}"*.framework; do
+      # Codesign the framework inside the app bundle.
+      RunCommand codesign --force --verbose --sign "${EXPANDED_CODE_SIGN_IDENTITY}" -- "${xcode_frameworks_dir}/$(basename "$native_asset")"
+    done
  fi
 }

--- a/packages/flutter_tools/lib/src/isolated/native_assets/macos/native_assets.dart
+++ b/packages/flutter_tools/lib/src/isolated/native_assets/macos/native_assets.dart
@ -304,7 +304,12 @@ Future<void> _copyNativeAssetsMacOS(
      ));
      await setInstallNameDylib(dylibFile);
      await createInfoPlist(name, resourcesDir);
-      await codesignDylib(codesignIdentity, buildMode, frameworkDir);
+      // Do not code-sign the libraries here with identity. Code-signing
+      // for bundled dylibs is done in `macos_assemble.sh embed` because the
+      // "Flutter Assemble" target does not have access to the signing identity.
+      if (codesignIdentity != null) {
+        await codesignDylib(codesignIdentity, buildMode, frameworkDir);
+      }
    }
    globals.logger.printTrace('Copying native assets done.');
  }
--- a/packages/flutter_tools/test/integration.shard/isolated/native_assets_test.dart
+++ b/packages/flutter_tools/test/integration.shard/isolated/native_assets_test.dart
@ -207,6 +207,7 @@ void main() {
          switch (buildSubcommand) {
            case 'macos':
              expectDylibIsBundledMacOS(exampleDirectory, buildMode);
+              expectDylibIsCodeSignedMacOS(exampleDirectory, buildMode);
            case 'ios':
              expectDylibIsBundledIos(exampleDirectory, buildMode);
            case 'linux':
@ -290,6 +291,24 @@ void main() {
  }
 }

+void expectDylibIsCodeSignedMacOS(Directory appDirectory, String buildMode) {
+  final Directory appBundle = appDirectory.childDirectory('build/$hostOs/Build/Products/${buildMode.upperCaseFirst()}/$exampleAppName.app');
+  final Directory frameworksFolder = appBundle.childDirectory('Contents/Frameworks');
+  expect(frameworksFolder, exists);
+  const String frameworkName = packageName;
+  final Directory frameworkDir = frameworksFolder.childDirectory('$frameworkName.framework');
+  final ProcessResult codesign =
+      processManager.runSync(<String>['codesign', '-dv', frameworkDir.absolute.path]);
+  expect(codesign.exitCode, 0);
+
+  // Expect adhoc signature, but not linker-signed (which would mean no code-signing happened after linking).
+  final List<String> lines = codesign.stderr.toString().split('\n');
+  final bool isLinkerSigned = lines.any((String line) => line.contains('linker-signed'));
+  final bool isAdhoc = lines.any((String line) => line.contains('Signature=adhoc'));
+  expect(isAdhoc, isTrue);
+  expect(isLinkerSigned, isFalse);
+}
+
 /// For `flutter build` we can't easily test whether running the app works.
 /// Check that we have the dylibs in the app.
 void expectDylibIsBundledMacOS(Directory appDirectory, String buildMode) {