Codesign and upload new ios-usb-dependencies binary

This issue has been tracked since 2022-09-23.

Codesign the binaries in flutter_infra_release/ios-usb-dependencies/unsigned/ from https://ci.chromium.org/p/flutter/builders/prod/ios-usb-dependencies/5 and upload to the signed bucket.

https://docs.google.com/document/d/1ukmoITOt7rixsp8dw7Da95-3WFkKzPMnwzcvd-0UqqU (internal link) says:

./codesign.py --ios-deploy $IOS_DEPLOY_REVISION

I'm not sure if this still works after the recipe change https://flutter-review.googlesource.com/c/recipes/+/32660/

See also https://docs.google.com/document/d/1LZ4k65Xf5wcMD7ProYL6zXRcoBlCkWB67Mu_Uzs-gjU/ (internal link)

Blocking #111988

@XilaiZhang

XilaiZhang wrote this answer on 2022-09-23

update: ignore my initial thoughts below. i need to do more testings.

TLDR: I left a comment in https://flutter-review.googlesource.com/c/recipes/+/32660/ which I believe could be the potential cause.

umm I clicked through each of the ios_deploy_revision in the designated signed buckets at https://pantheon.corp.google.com/storage/browser/flutter_infra_release/ios-usb-dependencies/ios-deploy?authuser=0&pageState=(%22StorageObjectListTable%22:(%22f%22:%22%255B%255D%22))&prefix=&forceOnObjectsSortingFiltering=false, and looks like all of them were created in 2020 or 2021. My understanding is that the binaries Jenn code signed weren't uploaded back to the correct bucket.

From the upload step of ios-deploy in https://logs.chromium.org/logs/flutter/buildbucket/cr-buildbucket/8802457278010945569/+/u/gsutil_upload_of_ios-deploy.zip/execution_details, looks like the codesigned ios-deploy was uploaded back to the bucket flutter_infra_release/ios-usb-dependencies/unsigned/ios-deploy/90bac5343961b10379a41d814820c5aac8145df2 , and i verified that this bucket has a create timestamp of Sep 20 2022. But I am confused as of why a signed binary would be uploaded back to this bucket.

tracing through the code sign script, looks like cloud buckets are set correctly. If using the codesign script, the signed binary would be uploaded back to the flutter_infra_release/ios-usb-dependencies/ios-deploy/revision bucket, as opposed to the flutter_infra_release/ios-usb-dependencies/unsigned/ios-deploy/90bac5343961b10379a41d814820c5aac8145df2 bucket.

I traced through https://flutter-review.googlesource.com/c/recipes/+/32660/ and my understanding is that the codesigned binary is uploaded through the GetCloudPath function, which uses the unsigned binary cloud bucket path, and I left a comment at the line which I believe could potentially be the culprit.

I am kind of confused of how the upload/download to/from google cloud storage is handled by the recipe and not handled by the codesigning script. And it doesn't look like the codesign script was triggered as one of the steps in the recipe. Maybe @christopherfujino would have more idea on how code sign script fits in this recipe?

jmagman wrote this answer on 2022-09-23

The artifacts produced by the recipe at https://flutter-review.googlesource.com/c/recipes/+/32660/ are unsigned, and upload to the unsigned bucket.

My understanding is that the binaries Jenn code signed weren't uploaded back to the correct bucket.

I haven't codesigned anything, they need to be codesigned on the codesigning bot, which is what this issue is tracking. If the recipe could handle codesigning and upload to the signed bucket that would be even better, but it doesn't now. Then I will validate ios-deploy works, and then we can bump the version that the tool downloads.

XilaiZhang wrote this answer on 2022-09-23

Ohhh i see. sorry I misunderstood. So this would be a tracking issue, and not a bug that requires inspection or fix?

jmagman wrote this answer on 2022-09-23

Exactly, the unsigned ios-deploy binary is built, and now it needs to be codesigned with the distribution cert, and uploaded to the signed bucket.

XilaiZhang wrote this answer on 2022-09-23

Perfect prefect, thanks for explaining!

jmagman wrote this answer on 2022-09-27

Now that https://flutter-review.googlesource.com/c/recipes/+/34240 has merged it would be great to have all the binaries codesigned, not just ios-deploy. I'll update the title and description.

XilaiZhang wrote this answer on 2022-09-27

Will do, yeah I will experiment with repo modules a few more times. If it doesn’t work I will just remove the else block to unblock myself.

XilaiZhang wrote this answer on 2022-09-28

this issue is added to release blockers to track the progress per @CaseyHillers request

More Details About Repo
Owner Name flutter
Repo Name flutter
Full Name flutter/flutter
Language Dart
Created Date 2015-03-06
Updated Date 2022-09-30
Star Count 145381
Watcher Count 3565
Fork Count 23363
Issue Count 11208

YOU MAY BE INTERESTED

Issue Title Created Date Updated Date