--no-check-certificates option for codesign_bundle

benb · facebook-github-bot · commit 70c921608ebf · 2025-10-01T06:11:59.000-07:00
Summary:
We want to reuse this code to select a profile before signing, for use in Orchard.
This diff allows disabling the check on installed certs (assuming the enterprise certs are not installed on CI macs).

Reviewed By: milend

Differential Revision: D83574802

fbshipit-source-id: f4c983cf84909747a0e4c916597e10bd463e0e60
diff --git a/prelude/apple/tools/code_signing/codesign_bundle.py b/prelude/apple/tools/code_signing/codesign_bundle.py
@@ -109,6 +109,7 @@ def _select_provisioning_profile(
     should_use_fast_provisioning_profile_parsing: bool,
     strict_provisioning_profile_search: bool,
     provisioning_profile_filter: Optional[str],
+    no_check_certificates: bool = False,
     log_file_path: Optional[Path] = None,
 ) -> SelectedProvisioningProfileInfo:
     read_provisioning_profile_command_factory = (
@@ -150,6 +151,7 @@ def _select_provisioning_profile(
         platform,
         strict_provisioning_profile_search,
         provisioning_profile_filter,
+        no_check_certificates,
     )
     if selected_profile_info is None:
         if not mismatches:
@@ -201,6 +203,7 @@ def signing_context_with_profile_selection(
     should_use_fast_provisioning_profile_parsing: bool = False,
     strict_provisioning_profile_search: bool = False,
     provisioning_profile_filter: Optional[str] = None,
+    no_check_certificates: bool = False,
 ) -> SigningContextWithProfileSelection:
     with open(info_plist_source, mode="rb") as info_plist_file:
         info_plist_metadata = InfoPlistMetadata.from_file(info_plist_file)
@@ -214,6 +217,7 @@ def signing_context_with_profile_selection(
         should_use_fast_provisioning_profile_parsing=should_use_fast_provisioning_profile_parsing,
         strict_provisioning_profile_search=strict_provisioning_profile_search,
         provisioning_profile_filter=provisioning_profile_filter,
+        no_check_certificates=no_check_certificates,
     )
 
     return SigningContextWithProfileSelection(
diff --git a/prelude/apple/tools/code_signing/main.py b/prelude/apple/tools/code_signing/main.py
@@ -45,6 +45,7 @@ class Arguments(Tap):
     strict_provisioning_profile_search: bool = False
     provisioning_profile_filter: Optional[str] = None
     only_select_provisioning_profile: bool = False
+    no_check_certificates: bool = False
 
     def configure(self) -> None:
         """
@@ -131,6 +132,12 @@ def configure(self) -> None:
             required=False,
             help="Skip codesigning and just output the path to the selected provisioning profile to stdout.",
         )
+        self.add_argument(
+            "--no-check-certificates",
+            action="store_true",
+            required=False,
+            help="Skip the check on code signing identities when selecting provisioning profile.",
+        )
 
 
 # Add emoji to beginning of actionable error message so it stands out more.
@@ -164,6 +171,7 @@ def _main() -> None:
                 should_use_fast_provisioning_profile_parsing=args.fast_provisioning_profile_parsing,
                 strict_provisioning_profile_search=args.strict_provisioning_profile_search,
                 provisioning_profile_filter=args.provisioning_profile_filter,
+                no_check_certificates=args.no_check_certificates,
             )
 
             if args.only_select_provisioning_profile:
diff --git a/prelude/apple/tools/code_signing/provisioning_profile_selection.py b/prelude/apple/tools/code_signing/provisioning_profile_selection.py
@@ -195,6 +195,7 @@ def select_best_provisioning_profile(
     platform: ApplePlatform,
     strict_search: bool,
     provisioning_profile_filter: Optional[str],
+    no_check_certificates: bool = False,
 ) -> Tuple[
     Optional[SelectedProvisioningProfileInfo], List[IProvisioningProfileDiagnostics]
 ]:
@@ -286,14 +287,20 @@ def log_mismatched_profile(mismatch: IProvisioningProfileDiagnostics) -> None:
             log_mismatched_profile(cast(EntitlementsMismatch, mismatch))
             continue
 
-        certificate, mismatch = _check_developer_certificates_match(
-            profile=profile,
-            identities=code_signing_identities,
-            bundle_id_match_length=current_match_length,
-        )
-        if not certificate:
-            log_mismatched_profile(cast(DeveloperCertificateMismatch, mismatch))
-            continue
+        if no_check_certificates:
+            certificate = CodeSigningIdentity(
+                fingerprint=next(iter(profile.developer_certificate_fingerprints)),
+                subject_common_name="Unknown",
+            )
+        else:
+            certificate, mismatch = _check_developer_certificates_match(
+                profile=profile,
+                identities=code_signing_identities,
+                bundle_id_match_length=current_match_length,
+            )
+            if not certificate:
+                log_mismatched_profile(cast(DeveloperCertificateMismatch, mismatch))
+                continue
 
         _LOGGER.info(
             f"Matching provisioning profile `{profile.file_path.name}` with score {current_match_length}"
