Codesign the binaries in
flutter_infra_release/ios-usb-dependencies/unsigned/ from https://ci.chromium.org/p/flutter/builders/prod/ios-usb-dependencies/5 and upload to the
https://docs.google.com/document/d/1ukmoITOt7rixsp8dw7Da95-3WFkKzPMnwzcvd-0UqqU (internal link) says:
./codesign.py --ios-deploy $IOS_DEPLOY_REVISION
I'm not sure if this still works after the recipe change https://flutter-review.googlesource.com/c/recipes/+/32660/
See also https://docs.google.com/document/d/1LZ4k65Xf5wcMD7ProYL6zXRcoBlCkWB67Mu_Uzs-gjU/ (internal link)
update: ignore my initial thoughts below. i need to do more testings.
TLDR: I left a comment in https://flutter-review.googlesource.com/c/recipes/+/32660/ which I believe could be the potential cause.
umm I clicked through each of the ios_deploy_revision in the designated signed buckets at https://pantheon.corp.google.com/storage/browser/flutter_infra_release/ios-usb-dependencies/ios-deploy?authuser=0&pageState=(%22StorageObjectListTable%22:(%22f%22:%22%255B%255D%22))&prefix=&forceOnObjectsSortingFiltering=false, and looks like all of them were created in 2020 or 2021. My understanding is that the binaries Jenn code signed weren't uploaded back to the correct bucket.
From the upload step of ios-deploy in https://logs.chromium.org/logs/flutter/buildbucket/cr-buildbucket/8802457278010945569/+/u/gsutil_upload_of_ios-deploy.zip/execution_details, looks like the codesigned ios-deploy was uploaded back to the bucket flutter_infra_release/ios-usb-dependencies/unsigned/ios-deploy/90bac5343961b10379a41d814820c5aac8145df2 , and i verified that this bucket has a create timestamp of Sep 20 2022. But I am confused as of why a signed binary would be uploaded back to this bucket.
tracing through the code sign script, looks like cloud buckets are set correctly. If using the codesign script, the signed binary would be uploaded back to the flutter_infra_release/ios-usb-dependencies/ios-deploy/revision bucket, as opposed to the flutter_infra_release/ios-usb-dependencies/unsigned/ios-deploy/90bac5343961b10379a41d814820c5aac8145df2 bucket.
I traced through https://flutter-review.googlesource.com/c/recipes/+/32660/ and my understanding is that the codesigned binary is uploaded through the GetCloudPath function, which uses the unsigned binary cloud bucket path, and I left a comment at the line which I believe could potentially be the culprit.
I am kind of confused of how the upload/download to/from google cloud storage is handled by the recipe and not handled by the codesigning script. And it doesn't look like the codesign script was triggered as one of the steps in the recipe. Maybe @christopherfujino would have more idea on how code sign script fits in this recipe?
The artifacts produced by the recipe at https://flutter-review.googlesource.com/c/recipes/+/32660/ are unsigned, and upload to the unsigned bucket.
My understanding is that the binaries Jenn code signed weren't uploaded back to the correct bucket.
I haven't codesigned anything, they need to be codesigned on the codesigning bot, which is what this issue is tracking. If the recipe could handle codesigning and upload to the signed bucket that would be even better, but it doesn't now. Then I will validate
ios-deploy works, and then we can bump the version that the tool downloads.
Now that https://flutter-review.googlesource.com/c/recipes/+/34240 has merged it would be great to have all the binaries codesigned, not just ios-deploy. I'll update the title and description.
|Issue Title||Created Date||Updated Date|