Ignore expired mobile provisioning profiles.

build/config/ios/codesign.py

 # Copyright 2016 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 import argparse
+import datetime
 import fnmatch
 import glob
 import os
 import plistlib
 import shutil
 import subprocess
 import sys
 import tempfile
 
 
@@ skipping 42 matching lines @@
     return os.path.join(self._path, self._data['CFBundleExecutable'])
 
 
 class ProvisioningProfile(object):
   """Wraps a mobile provisioning profile file."""
 
   def __init__(self, provisioning_profile_path):
     """Initializes the ProvisioningProfile with data from profile file."""
     self._path = provisioning_profile_path
     self._data = plistlib.readPlistFromString(subprocess.check_output([
-        'xcrun', 'security', 'cms', '-D', '-i', provisioning_profile_path]))
+        'xcrun', 'security', 'cms', '-D', '-u', 'certUsageAnyCA',
+        '-i', provisioning_profile_path]))
 
   @property
   def path(self):
     return self._path
 
   @property
   def application_identifier_pattern(self):
     return self._data.get('Entitlements', {}).get('application-identifier', '')
 
   @property
   def team_identifier(self):
     return self._data.get('TeamIdentifier', [''])[0]
 
   @property
   def entitlements(self):
     return self._data.get('Entitlements', {})
 
+  @property
+  def expiration_date(self):
+    return self._data.get('ExpirationDate', datetime.datetime.now())
+
   def ValidToSignBundle(self, bundle_identifier):
     """Checks whether the provisioning profile can sign bundle_identifier.
 
     Args:
       bundle_identifier: the identifier of the bundle that needs to be signed.
 
     Returns:
       True if the mobile provisioning profile can be used to sign a bundle
       with the corresponding bundle_identifier, False otherwise.
     """
     return fnmatch.fnmatch(
         '%s.%s' % (self.team_identifier, bundle_identifier),
         self.application_identifier_pattern)

[justincohen, 2016/10/25 17:41:51]

can application identifier pattern include a star, etc com.chromium.*?  Will
this support that?

[sdefresne, 2016/10/25 17:54:57]

Yes and yes (this is why I'm using fnmatch.fnmatch which implements shell
pattern matching rules for * which are exactly what is needed here).

 
   def Install(self, installation_path):
     """Copies mobile provisioning profile info to |installation_path|."""
     shutil.copy2(self.path, installation_path)
 
 
 class Entitlements(object):
   """Wraps an Entitlement plist file."""
 
   def __init__(self, entitlements_path):
@@ skipping 41 matching lines @@
     bundle_identifier: the identifier of the bundle to sign.
 
   Returns:
     The ProvisioningProfile object that can be used to sign the Bundle
     object or None if no matching provisioning profile was found.
   """
   provisioning_profile_paths = glob.glob(
       os.path.join(GetProvisioningProfilesDir(), '*.mobileprovision'))
 
   # Iterate over all installed mobile provisioning profiles and filter those
-  # that can be used to sign the bundle.
+  # that can be used to sign the bundle, ignoring expired ones.
+  now = datetime.datetime.now()
   valid_provisioning_profiles = []
+  one_hour = datetime.timedelta(0, 3600)
   for provisioning_profile_path in provisioning_profile_paths:
     provisioning_profile = ProvisioningProfile(provisioning_profile_path)
+    if provisioning_profile.expiration_date - now < one_hour:
+      sys.stderr.write(
+          'Warning: ignoring expired provisioning profile: %s.\n' %
+          provisioning_profile_path)
+      continue
     if provisioning_profile.ValidToSignBundle(bundle_identifier):
       valid_provisioning_profiles.append(provisioning_profile)
 
   if not valid_provisioning_profiles:
     if required:
       sys.stderr.write(
-          'No mobile provisioning profile found for "%s".\n' %
+          'Error: no mobile provisioning profile found for "%s".\n' %
           bundle_identifier)
       sys.exit(1)
     return None
 
   # Select the most specific mobile provisioning profile, i.e. the one with
-  # the longest application identifier pattern.
-  return max(
+  # the longest application identifier pattern (prefer the one with the latest
+  # expiration date as a secondary criteria).
+  selected_provisioning_profile = max(
       valid_provisioning_profiles,
-      key=lambda p: len(p.application_identifier_pattern))
+      key=lambda p: (len(p.application_identifier_pattern), p.expiration_date))
+
+  one_week = datetime.timedelta(7)
+  if selected_provisioning_profile.expiration_date - now < 2 * one_week:
+    sys.stderr.write(
+        'Warning: selected provisioning profile will expire soon: %s' %

[justincohen, 2016/10/25 17:41:51]

awesome!

[sdefresne, 2016/10/25 17:54:57]

Acknowledged.

+        selected_provisioning_profile.path)
+  return selected_provisioning_profile
 
 
 def CodeSignBundle(bundle_path, identity, extra_args):
   process = subprocess.Popen(['xcrun', 'codesign', '--force', '--sign',
       identity, '--timestamp=none'] + list(extra_args) + [bundle_path],
       stderr=subprocess.PIPE)
   _, stderr = process.communicate()
   if process.returncode:
     sys.stderr.write(stderr)
     sys.exit(process.returncode)
@@ skipping 213 matching lines @@
 
   for action in actions:
     action.Register(subparsers)
 
   args = parser.parse_args()
   args.func(args)
 
 
 if __name__ == '__main__':
   sys.exit(Main())