Ignore expired mobile provisioning profiles.

build/config/ios/codesign.py

Index: build/config/ios/codesign.py
diff --git a/build/config/ios/codesign.py b/build/config/ios/codesign.py
index eed914fe0b4bb1567c13ff3ba96178bfdcc4d581..9c0575a9bb10d91b88be0e3e5d9fe7023c1d884b 100644
--- a/build/config/ios/codesign.py
+++ b/build/config/ios/codesign.py
@@ -3,6 +3,7 @@
 # found in the LICENSE file.
 
 import argparse
+import datetime
 import fnmatch
 import glob
 import os
@@ -65,7 +66,8 @@ class ProvisioningProfile(object):
     """Initializes the ProvisioningProfile with data from profile file."""
     self._path = provisioning_profile_path
     self._data = plistlib.readPlistFromString(subprocess.check_output([
-        'xcrun', 'security', 'cms', '-D', '-i', provisioning_profile_path]))
+        'xcrun', 'security', 'cms', '-D', '-u', 'certUsageAnyCA',
+        '-i', provisioning_profile_path]))
 
   @property
   def path(self):
@@ -83,6 +85,10 @@ class ProvisioningProfile(object):
   def entitlements(self):
     return self._data.get('Entitlements', {})
 
+  @property
+  def expiration_date(self):
+    return self._data.get('ExpirationDate', datetime.datetime.now())
+
   def ValidToSignBundle(self, bundle_identifier):
     """Checks whether the provisioning profile can sign bundle_identifier.
 
@@ -157,26 +163,41 @@ def FindProvisioningProfile(bundle_identifier, required):
       os.path.join(GetProvisioningProfilesDir(), '*.mobileprovision'))
 
   # Iterate over all installed mobile provisioning profiles and filter those
-  # that can be used to sign the bundle.
+  # that can be used to sign the bundle, ignoring expired ones.
+  now = datetime.datetime.now()
   valid_provisioning_profiles = []
+  one_hour = datetime.timedelta(0, 3600)
   for provisioning_profile_path in provisioning_profile_paths:
     provisioning_profile = ProvisioningProfile(provisioning_profile_path)
+    if provisioning_profile.expiration_date - now < one_hour:
+      sys.stderr.write(
+          'Warning: ignoring expired provisioning profile: %s.\n' %
+          provisioning_profile_path)
+      continue
     if provisioning_profile.ValidToSignBundle(bundle_identifier):
       valid_provisioning_profiles.append(provisioning_profile)
 
   if not valid_provisioning_profiles:
     if required:
       sys.stderr.write(
-          'No mobile provisioning profile found for "%s".\n' %
+          'Error: no mobile provisioning profile found for "%s".\n' %
           bundle_identifier)
       sys.exit(1)
     return None
 
   # Select the most specific mobile provisioning profile, i.e. the one with
-  # the longest application identifier pattern.
-  return max(
+  # the longest application identifier pattern (prefer the one with the latest
+  # expiration date as a secondary criteria).
+  selected_provisioning_profile = max(
       valid_provisioning_profiles,
-      key=lambda p: len(p.application_identifier_pattern))
+      key=lambda p: (len(p.application_identifier_pattern), p.expiration_date))
+
+  one_week = datetime.timedelta(7)
+  if selected_provisioning_profile.expiration_date - now < 2 * one_week:
+    sys.stderr.write(
+        'Warning: selected provisioning profile will expire soon: %s' %

[justincohen, 2016/10/25 17:41:51]

awesome!

[sdefresne, 2016/10/25 17:54:57]

Acknowledged.

+        selected_provisioning_profile.path)
+  return selected_provisioning_profile
 
 
 def CodeSignBundle(bundle_path, identity, extra_args):