mirror of
https://github.com/TelegramMessenger/Telegram-iOS.git
synced 2026-07-05 19:28:46 +02:00
Add watch profile guard
This commit is contained in:
parent
dbd53522be
commit
3525bcacb2
1 changed files with 48 additions and 14 deletions
|
|
@ -608,6 +608,53 @@ def generate_project(bazel, arguments):
|
||||||
call_executable(['open', xcodeproj_path])
|
call_executable(['open', xcodeproj_path])
|
||||||
|
|
||||||
|
|
||||||
|
def resolve_watch_provisioning_profile(arguments, base_path):
|
||||||
|
"""Resolve the watchkitapp provisioning profile for an --embedWatchApp build.
|
||||||
|
|
||||||
|
Returns the absolute path of the profile to sign the embedded watch app with, or None
|
||||||
|
to build the watch app UNSIGNED. None is only returned (with a warning) for
|
||||||
|
non-distribution codesigning — a distribution build (appstore/adhoc/enterprise) raises
|
||||||
|
instead, because the host ios_application does NOT re-sign the embedded watch app, so an
|
||||||
|
unsigned Watch/ payload ships as-is and is silently rejected at install time. Failing
|
||||||
|
here turns that silent "won't install" into a build error that names the missing profile.
|
||||||
|
"""
|
||||||
|
is_distribution_codesigning = arguments.gitCodesigningType in ('appstore', 'adhoc', 'enterprise')
|
||||||
|
|
||||||
|
explicit_profile = arguments.watchProvisioningProfile
|
||||||
|
if explicit_profile is not None:
|
||||||
|
if not os.path.exists(explicit_profile):
|
||||||
|
raise Exception('--watchProvisioningProfile was set to a path that does not exist: {}'.format(explicit_profile))
|
||||||
|
return explicit_profile
|
||||||
|
|
||||||
|
# Default to the watchkitapp profile that resolve_configuration() just extracted from the
|
||||||
|
# codesigning material (renamed via the bundle-id mapping in BuildConfiguration.py). This
|
||||||
|
# matches the active codesigning type (e.g. appstore) and the host app's identity, so the
|
||||||
|
# embedded watch app is signed correctly without an explicit --watchProvisioningProfile.
|
||||||
|
# The worker derives the signing identity (cert) from this profile when
|
||||||
|
# --watchSigningIdentity is omitted.
|
||||||
|
resolved_watch_profile = os.path.join(base_path, 'build-input/configuration-repository/provisioning/WatchApp.mobileprovision')
|
||||||
|
if os.path.exists(resolved_watch_profile):
|
||||||
|
return resolved_watch_profile
|
||||||
|
|
||||||
|
if is_distribution_codesigning:
|
||||||
|
raise Exception(
|
||||||
|
'--embedWatchApp is set for a distribution build (--gitCodesigningType={ct}), but no watchkitapp '
|
||||||
|
'provisioning profile resolved (looked for {p}).\n'
|
||||||
|
'The {ct} codesigning material does not contain a `.watchkitapp` profile, so the embedded watch app '
|
||||||
|
'would be UNSIGNED — the host app is not re-signed over it, so it ships unsigned and is silently '
|
||||||
|
'rejected when installing on a watch.\n'
|
||||||
|
'Fix: fetch the latest codesigning material so the watchkitapp profile is present — drop '
|
||||||
|
'--gitCodesigningUseCurrent (it skips the fetch), or run '
|
||||||
|
'`git -C build-input/configuration-repository-workdir/encrypted pull` — or create/register the {ct} '
|
||||||
|
'watchkitapp provisioning profile, or pass an explicit --watchProvisioningProfile.'.format(
|
||||||
|
ct=arguments.gitCodesigningType, p=resolved_watch_profile
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
print('TelegramBuild: warning: --embedWatchApp is set but no watch provisioning profile was found (pass --watchProvisioningProfile, or use codesigning material that includes the watchkitapp profile; looked for {}). The embedded watch app will be UNSIGNED and rejected by the App Store.'.format(resolved_watch_profile))
|
||||||
|
return None
|
||||||
|
|
||||||
|
|
||||||
def build(bazel, arguments):
|
def build(bazel, arguments):
|
||||||
bazel_command_line = BazelCommandLine(
|
bazel_command_line = BazelCommandLine(
|
||||||
bazel=bazel,
|
bazel=bazel,
|
||||||
|
|
@ -636,20 +683,7 @@ def build(bazel, arguments):
|
||||||
if arguments.configuration in ('debug_arm64', 'release_arm64'):
|
if arguments.configuration in ('debug_arm64', 'release_arm64'):
|
||||||
if arguments.watchApiId is None or arguments.watchApiHash is None:
|
if arguments.watchApiId is None or arguments.watchApiHash is None:
|
||||||
raise Exception('--embedWatchApp requires --watchApiId and --watchApiHash (the embedded watch app build needs API credentials).')
|
raise Exception('--embedWatchApp requires --watchApiId and --watchApiHash (the embedded watch app build needs API credentials).')
|
||||||
watch_provisioning_profile = arguments.watchProvisioningProfile
|
watch_provisioning_profile = resolve_watch_provisioning_profile(arguments=arguments, base_path=os.getcwd())
|
||||||
if watch_provisioning_profile is None:
|
|
||||||
# Default to the watchkitapp profile that resolve_configuration() just
|
|
||||||
# extracted from the codesigning material (renamed via the bundle-id
|
|
||||||
# mapping in BuildConfiguration.py). This matches the active codesigning
|
|
||||||
# type (e.g. appstore) and the host app's identity, so the embedded watch
|
|
||||||
# app is signed correctly without requiring an explicit
|
|
||||||
# --watchProvisioningProfile. The worker derives the signing identity
|
|
||||||
# (cert) from this profile when --watchSigningIdentity is omitted.
|
|
||||||
resolved_watch_profile = os.path.join(os.getcwd(), 'build-input/configuration-repository/provisioning/WatchApp.mobileprovision')
|
|
||||||
if os.path.exists(resolved_watch_profile):
|
|
||||||
watch_provisioning_profile = resolved_watch_profile
|
|
||||||
else:
|
|
||||||
print('TelegramBuild: warning: --embedWatchApp is set but no watch provisioning profile was found (pass --watchProvisioningProfile, or use codesigning material that includes the watchkitapp profile; looked for {}). The embedded watch app will be UNSIGNED and rejected by the App Store.'.format(resolved_watch_profile))
|
|
||||||
bazel_command_line.set_watch_app(
|
bazel_command_line.set_watch_app(
|
||||||
arguments.watchApiId,
|
arguments.watchApiId,
|
||||||
arguments.watchApiHash,
|
arguments.watchApiHash,
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue