codesign: do not sign intermediate products when multiplexing

We should only sign the resulting binary during the lipo step. Change-Id: If4d508bcdf347bf2fc68d345ed8d5913a7457f8d Reviewed-by: Christian Kandeler <christian.kandeler@qt.io>
author: Ivan Komissarov <abbapoh@gmail.com> 2021-03-20 20:16:57 +0300
committer: Ivan Komissarov <ABBAPOH@gmail.com> 2021-03-30 14:32:46 +0000
commit: 5160a0b6e386b157fc1f5375efd881b8433b29ee (patch)
tree: 44dc163382dea5d28844239db863e97b07dcfd23
parent: 980a5fc3f61f42bdd8cdee832235861e095e8e01 (diff)
7 files changed, 46 insertions, 10 deletions
diff --git a/share/qbs/modules/cpp/DarwinGCC.qbs b/share/qbs/modules/cpp/DarwinGCC.qbs
index 3249b552f..158c3c061 100644
--- a/share/qbs/modules/cpp/DarwinGCC.qbs
+++ b/share/qbs/modules/cpp/DarwinGCC.qbs
@@ -216,7 +216,8 @@ UnixGCC {
         multiplex: true
 
         outputFileTags: ["bundle.input", "application", "primary", "debuginfo_app",
-                         "debuginfo_bundle", "bundle.variant_symlink", "debuginfo_plist"]
+                         "debuginfo_bundle", "bundle.variant_symlink", "debuginfo_plist",
+                         "codesign.signed_artifact"]
         outputArtifacts: Darwin.lipoOutputArtifacts(product, inputs, "application", "app")
 
         prepare: Darwin.prepareLipo.apply(Darwin, arguments)
@@ -228,7 +229,7 @@ UnixGCC {
         multiplex: true
 
         outputFileTags: ["bundle.input", "loadablemodule", "primary", "debuginfo_loadablemodule",
-                         "debuginfo_bundle", "debuginfo_plist"]
+                         "debuginfo_bundle", "debuginfo_plist", "codesign.signed_artifact"]
         outputArtifacts: Darwin.lipoOutputArtifacts(product, inputs, "loadablemodule",
                                                                      "loadablemodule")
 
@@ -242,7 +243,7 @@ UnixGCC {
 
         outputFileTags: ["bundle.input", "dynamiclibrary", "dynamiclibrary_symbols", "primary",
                          "debuginfo_dll","debuginfo_bundle","bundle.variant_symlink",
-                         "debuginfo_plist"]
+                         "debuginfo_plist", "codesign.signed_artifact"]
         outputArtifacts: Darwin.lipoOutputArtifacts(product, inputs, "dynamiclibrary", "dll")
 
         prepare: Darwin.prepareLipo.apply(Darwin, arguments)
@@ -253,7 +254,7 @@ UnixGCC {
         inputsFromDependencies: ["staticlibrary"]
         multiplex: true
 
-        outputFileTags: ["bundle.input", "staticlibrary", "primary"]
+        outputFileTags: ["bundle.input", "staticlibrary", "primary", "codesign.signed_artifact"]
         outputArtifacts: Darwin.lipoOutputArtifacts(product, inputs, "staticlibrary")
 
         prepare: Darwin.prepareLipo.apply(Darwin, arguments)
diff --git a/share/qbs/modules/cpp/GenericGCC.qbs b/share/qbs/modules/cpp/GenericGCC.qbs
index 3b6e5b106..e2d9eeab5 100644
--- a/share/qbs/modules/cpp/GenericGCC.qbs
+++ b/share/qbs/modules/cpp/GenericGCC.qbs
@@ -214,6 +214,8 @@ CppModule {
 
     readonly property bool shouldSignArtifacts: codesign._canSignArtifacts
                                                 && codesign.enableCodeSigning
+                                                // codesigning is done during the lipo step
+                                                && !product.multiplexed
 
     property string internalVersion: {
         if (product.version === undefined)
diff --git a/share/qbs/modules/cpp/darwin.js b/share/qbs/modules/cpp/darwin.js
index 6373b57c4..7f7e9a05d 100644
--- a/share/qbs/modules/cpp/darwin.js
+++ b/share/qbs/modules/cpp/darwin.js
@@ -28,6 +28,7 @@
 **
 ****************************************************************************/
 
+var Codesign = require("../codesign/codesign.js");
 var File = require("qbs.File");
 var FileInfo = require("qbs.FileInfo");
 var Gcc = require("./gcc.js");
@@ -99,6 +100,9 @@ function lipoOutputArtifacts(product, inputs, fileTag, debugSuffix) {
         else
             tags.push(fileTag, "primary");
 
+        if (product.codesign.enableCodeSigning)
+            tags.push("codesign.signed_artifact");
+
         return {
             filePath: FileInfo.joinPaths(product.destinationDirectory,
                                          PathTools.linkerOutputFilePath(fileTag, product,
@@ -188,6 +192,12 @@ function prepareLipo(project, product, inputs, outputs, input, output) {
     commands.push(cmd);
     if (outputs.dynamiclibrary_symbols)
         Array.prototype.push.apply(commands, Gcc.createSymbolCheckingCommands(product, outputs));
+
+    if (product.codesign.enableCodeSigning) {
+        Array.prototype.push.apply(
+                commands, Codesign.prepareSign(project, product, inputs, outputs, input, output));
+    }
+
     return commands;
 }
 
diff --git a/tests/auto/blackbox/testdata-apple/apple-multiconfig/apple-multiconfig.qbs b/tests/auto/blackbox/testdata-apple/apple-multiconfig/apple-multiconfig.qbs
index c1d35eb8c..6b7fab390 100644
--- a/tests/auto/blackbox/testdata-apple/apple-multiconfig/apple-multiconfig.qbs
+++ b/tests/auto/blackbox/testdata-apple/apple-multiconfig/apple-multiconfig.qbs
@@ -1,6 +1,6 @@
 import qbs.Utilities
 
-import "helpers.js" as Helpers
+import "../multiarch-helpers.js" as Helpers
 
 Project {
     minimumQbsVersion: "1.8"
diff --git a/tests/auto/blackbox/testdata-apple/codesign/codesign.qbs b/tests/auto/blackbox/testdata-apple/codesign/codesign.qbs
index 312e9f001..eafb0be84 100644
--- a/tests/auto/blackbox/testdata-apple/codesign/codesign.qbs
+++ b/tests/auto/blackbox/testdata-apple/codesign/codesign.qbs
@@ -1,5 +1,8 @@
+import "../multiarch-helpers.js" as Helpers
+
 Project {
     name: "p"
+    property string xcodeVersion
 
     property bool isBundle: true
     property bool enableSigning: true
@@ -12,6 +15,9 @@ Project {
         codesign.signingType: "ad-hoc"
         install: true
         installDir: ""
+
+        qbs.architectures:
+            project.xcodeVersion ? Helpers.getArchitectures(qbs, project.xcodeVersion) : []
     }
 
     DynamicLibrary {
@@ -23,6 +29,8 @@ Project {
         codesign.signingType: "ad-hoc"
         install: true
         installDir: ""
+        qbs.architectures:
+            project.xcodeVersion ? Helpers.getArchitectures(qbs, project.xcodeVersion) : []
     }
 
     LoadableModule {
@@ -34,5 +42,7 @@ Project {
         codesign.signingType: "ad-hoc"
         install: true
         installDir: ""
+        qbs.architectures:
+            project.xcodeVersion ? Helpers.getArchitectures(qbs, project.xcodeVersion) : []
     }
 }
diff --git a/tests/auto/blackbox/testdata-apple/apple-multiconfig/helpers.js b/tests/auto/blackbox/testdata-apple/multiarch-helpers.js
index 5d1c0f273..5d1c0f273 100644
--- a/tests/auto/blackbox/testdata-apple/apple-multiconfig/helpers.js
+++ b/tests/auto/blackbox/testdata-apple/multiarch-helpers.js
diff --git a/tests/auto/blackbox/tst_blackboxapple.cpp b/tests/auto/blackbox/tst_blackboxapple.cpp
index 8915ac8b2..884d2c077 100644
--- a/tests/auto/blackbox/tst_blackboxapple.cpp
+++ b/tests/auto/blackbox/tst_blackboxapple.cpp
@@ -717,6 +717,9 @@ void TestBlackboxApple::codesign()
 {
     QFETCH(bool, isBundle);
     QFETCH(bool, enableSigning);
+    QFETCH(bool, multiArch);
+
+    const auto xcodeVersion = findXcodeVersion();
 
     QDir::setCurrent(testDataDir + "/codesign");
     QbsRunParameters params(QStringList{"qbs.installPrefix:''"});
@@ -724,10 +727,17 @@ void TestBlackboxApple::codesign()
             << QStringLiteral("project.isBundle:%1").arg(isBundle ? "true" : "false");
     params.arguments
             << QStringLiteral("project.enableSigning:%1").arg(enableSigning ? "true" : "false");
+    if (multiArch)
+        params.arguments << QStringLiteral("project.xcodeVersion:") + xcodeVersion.toString();
 
     rmDirR(relativeBuildDir());
     QCOMPARE(runQbs(params), 0);
 
+    const int codeSignCount =
+            QString::fromUtf8(m_qbsStdout).count(QStringLiteral("codesign"));
+    // We have 3 products, we have to sign each exactly once, even in the multiplexed case
+    QCOMPARE(codeSignCount, enableSigning ? 3 : 0);
+
     const auto appName = isBundle ? QStringLiteral("A.app") : QStringLiteral("A");
     const auto appPath = defaultInstallRoot + "/" + appName;
     QVERIFY(QFileInfo(appPath).exists());
@@ -772,11 +782,14 @@ void TestBlackboxApple::codesign_data()
 {
     QTest::addColumn<bool>("isBundle");
     QTest::addColumn<bool>("enableSigning");
-
-    QTest::newRow("bundle, unsigned") << true << false;
-    QTest::newRow("standalone, unsigned") << false << false;
-    QTest::newRow("bundle, signed") << true << true;
-    QTest::newRow("standalone, signed") << false << true;
+    QTest::addColumn<bool>("multiArch");
+
+    QTest::newRow("bundle, unsigned") << true << false << false;
+    QTest::newRow("standalone, unsigned") << false << false << false;
+    QTest::newRow("bundle, signed") << true << true << false;
+    QTest::newRow("standalone, signed") << false << true << false;
+    QTest::newRow("bundle, signed, multiarch") << true << true << true;
+    QTest::newRow("standalone, signed, multiarch") << false << true << true;
 }
 
 void TestBlackboxApple::deploymentTarget()
author	Ivan Komissarov <abbapoh@gmail.com>	2021-03-20 20:16:57 +0300
committer	Ivan Komissarov <ABBAPOH@gmail.com>	2021-03-30 14:32:46 +0000
commit	5160a0b6e386b157fc1f5375efd881b8433b29ee (patch)
tree	44dc163382dea5d28844239db863e97b07dcfd23
parent	980a5fc3f61f42bdd8cdee832235861e095e8e01 (diff)