#!/usr/bin/env python2.7
#
# Copyright 2017 Google Inc.
#
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import glob
import os
import os.path
import re
import shutil
import subprocess
import sys
import tempfile
# Arguments to the script:
# pkg path to application directory, e.g. out/Debug/dm.app
# executable and plist should already be in this directory
# identstr search string (regex fragment) for code signing identity
# profile path or name of provisioning profile
pkg,identstr,profile = sys.argv[1:]
# Find the signing identity.
identity = None
for line in subprocess.check_output([
'security', 'find-identity']).decode('utf-8').split('\n'):
m = re.match(r'''.*\) (.*) "''' + identstr + '"', line)
if m:
identity = m.group(1)
if identity is None:
print("Signing identity matching '" + identstr + "' not found.")
print("Please verify by running 'security find-identity' or checking your keychain.")
sys.exit(1)
# Find the mobile provisioning profile.
mobileprovision = None
if os.path.isfile(profile):
mobileprovision = profile
else:
for p in glob.glob(os.path.join(os.environ['HOME'], 'Library', 'MobileDevice',
'Provisioning Profiles',
'*.mobileprovision')):
if re.search(r'''Name
\t''' + profile + r'''''', open(p).read(), re.MULTILINE):
mobileprovision = p
if mobileprovision is None:
print("Provisioning profile matching '" + profile + "' not found.")
print("Please verify that the correct profile is installed in '${HOME}/Library/MobileDevice/Provisioning Profiles' or specify the path directly.")
sys.exit(1)
# The .mobileprovision just gets copied into the package.
shutil.copy(mobileprovision,
os.path.join(pkg, 'embedded.mobileprovision'))
# Extract the appliciation identitifer prefix from the .mobileprovision.
m = re.search(r'''ApplicationIdentifierPrefix
\t
\t(.*)''', open(mobileprovision).read(), re.MULTILINE)
prefix = m.group(1)
app, _ = os.path.splitext(os.path.basename(pkg))
# Write a minimal entitlements file, then codesign.
with tempfile.NamedTemporaryFile() as f:
f.write('''
application-identifier {prefix}.com.google.{app}
get-task-allow
'''.format(prefix=prefix, app=app))
f.flush()
subprocess.check_call(['codesign',
'--force',
'--sign', identity,
'--entitlements', f.name,
'--timestamp=none',
pkg])