APPLE: Make codesigning improvements

dgovil · dgovil · commit be3abb6ec74e · 2025-07-07T11:36:14.000-07:00
diff --git a/build_scripts/apple_utils.py b/build_scripts/apple_utils.py
@@ -15,10 +15,11 @@
 import sys
 import locale
 import os
+import re
 import platform
 import shlex
 import subprocess
-from typing import Optional, List
+from typing import Optional, List, Dict
 
 TARGET_NATIVE = "native"
 TARGET_X86 = "x86_64"
@@ -115,10 +116,8 @@ def GetTargetArchPair(context):
 def SupportsMacOSUniversalBinaries():
     if not MacOS():
         return False
-    XcodeOutput = GetCommandOutput(["/usr/bin/xcodebuild", "-version"])
-    XcodeFind = XcodeOutput.rfind('Xcode ', 0, len(XcodeOutput))
-    XcodeVersion = XcodeOutput[XcodeFind:].split(' ')[1]
-    return (XcodeVersion > '11.0')
+    XcodeVersion = GetXcodeVersion()[0]
+    return (XcodeVersion > 11)
 
 def GetSDKRoot(context) -> Optional[str]:
     sdk = "macosx"
@@ -163,36 +162,162 @@ def ExtractFilesRecursive(path, cond):
                 files.append(os.path.join(r, file))
     return files
 
-def CodesignFiles(files):
-    SDKVersion  = subprocess.check_output(
-        ['xcodebuild', '-version']).strip()[6:10]
-    codeSignIDs = subprocess.check_output(
-        ['security', 'find-identity', '-vp', 'codesigning'])
-
-    codeSignID = "-"
-    if os.environ.get('CODE_SIGN_ID'):
-        codeSignID = os.environ.get('CODE_SIGN_ID')
-    elif float(SDKVersion) >= 11.0 and \
-                codeSignIDs.find(b'Apple Development') != -1:
-        codeSignID = "Apple Development"
-    elif codeSignIDs.find(b'Mac Developer') != -1:
-        codeSignID = "Mac Developer"
-
-    for f in files:
-        subprocess.call(['codesign', '-f', '-s', '{codesignid}'
-                              .format(codesignid=codeSignID), f],
-                        stdout=devout, stderr=devout)
-
-def Codesign(install_path, verbose_output=False):
+def _GetCodeSignStringFromTerminal():
+    """Return the output from the string codesigning variables"""
+    codeSignIDs = GetCommandOutput(['security', 'find-identity', '-vp', 'codesigning'])
+    return codeSignIDs
+
+
+def GetXcodeVersion():
+    output = GetCommandOutput(['xcodebuild', '-version']).split()
+    version = float(output[1])
+    build = output[-1]
+
+    return version, build
+
+
+def GetCodeSigningIdentifiers() -> Dict[str, str]:
+    """Returns a dictionary of codesigning identifiers and their hashes"""
+    XcodeVersion = GetXcodeVersion()[0]
+    codeSignIDs = _GetCodeSignStringFromTerminal()
+
+    if not codeSignIDs:
+        return {"-": None}
+
+    identifiers = {}
+    for codeSignID in codeSignIDs.splitlines():
+        if "CSSMERR_TP_CERT_REVOKED" in codeSignID:
+            continue
+        if ")" not in codeSignID:
+            continue
+        if (XcodeVersion >= 11 and "Apple Development" in codeSignID) or "Mac Developer" in codeSignID:
+            identifier = codeSignID.split()[1]
+            identifier_hash = re.search(r'\(.*?\)', codeSignID)
+            if identifier_hash:
+                identifier_hash = identifier_hash[0][1:-1]
+            else:
+                identifier_hash = None
+
+            identifiers[identifier] = identifier_hash
+
+    if not identifiers:
+        raise RuntimeError("Could not find a valid codesigning ID. Try re-logging into your Xcode developer account.")
+
+    return identifiers
+
+
+def GetCodeSignID() -> str:
+    """Return the first code signing identifier"""
+    identifiers = GetCodeSigningIdentifiers()
+    env_signing_id = os.environ.get('CODE_SIGN_ID')
+    if env_signing_id:
+        if env_signing_id in identifiers:
+            return env_signing_id
+        raise RuntimeError(
+            f"Could not find environment specified identifier {env_signing_id} in registered code signing identifiers")
+
+    return list(GetCodeSigningIdentifiers().keys())[0]
+
+
+def GetDevelopmentTeamID(identifier=None):
+    if os.environ.get("DEVELOPMENT_TEAM"):
+        return os.environ.get("DEVELOPMENT_TEAM")
+
+    if not identifier:
+        identifier = GetCodeSignID()
+
+    identifier_hash = GetCodeSigningIdentifiers().get(identifier)
+    if not identifier_hash:
+        raise RuntimeError("Could not get identifiers hash")
+
+    certs = subprocess.check_output(["security", "find-certificate", "-c", identifier_hash, "-p"])
+    subject = GetCommandOutput(["openssl", "x509", "-subject"], input=certs)
+    subject = subject.splitlines()[0]
+    match = re.search("OU\s*=\s*(?P<team>([A-Za-z0-9_])+)", subject)
+    if not match:
+        raise RuntimeError("Could not parse the output certificate to find the team ID")
+
+    groups = match.groupdict()
+    team = groups.get("team")
+
+    if not team:
+        raise RuntimeError("Could not extract team id from certificate")
+
+    return team
+
+
+def CodesignPath(path, identifier, team_identifier, force=False) -> bool:
+    resign = force
+    if not force:
+        codesigning_info = GetCommandOutput(["codesign", "-vd", path])
+        if not codesigning_info:
+            resign = True
+        else:
+            for line in codesigning_info.splitlines():
+                if line.startswith("TeamIdentifier="):
+                    current_team_identifier = line.split("=")[-1]
+                    if not team_identifier and "not set" in team_identifier:
+                        break
+                    elif team_identifier == current_team_identifier:
+                        break
+            else:
+                resign = True
+
+    if not resign:
+        return False
+
+    # Frameworks need to be signed with different parameters than loose binaries
+    if path.endswith(".framework"):
+        subprocess.check_output(
+            ["codesign", "--force", "--sign", identifier, "--generate-entitlement-der", "--verbose", path])
+    else:
+        subprocess.check_call(["codesign", "--force", "--sign", identifier, path], stdout=devout, stderr=devout)
+    return True
+
+
+def Codesign(install_path, identifier=None, force=False, verbose_output=False) -> bool:
     if not MacOS():
         return False
+
+    codeSignID = identifier or GetCodeSignID()
+
     if verbose_output:
         global devout
         devout = sys.stdout
+        print(f"Code-signing files in {install_path} with {identifier}", file=devout)
 
-    files = ExtractFilesRecursive(install_path,
-                 (lambda file: '.so' in file or '.dylib' in file))
-    CodesignFiles(files)
+    try:
+        team_identifier = GetDevelopmentTeamID(codeSignID)
+    except:
+        team_identifier = None
+
+    for root, dirs, files in os.walk(install_path, topdown=True):
+        for f in files:
+
+            _, ext = os.path.splitext(f)
+            if ext in (".dylib", ".so"):
+                path = os.path.join(root, f)
+                result = CodesignPath(path, identifier, team_identifier=team_identifier, force=force)
+                if verbose_output:
+                    if result:
+                        print(f"Code-signed binary: {path}")
+                    else:
+                        print(f"Did not code-sign binary: {path}")
+
+        # Bit annoying to have to do this twice, but seems the fastest way to skip traversing frameworks
+        frameworks = [d for d in dirs if d.endswith(".framework")]
+        dirs[:] = [d for d in dirs if not d.endswith(".framework")]
+
+        for framework in frameworks:
+            path = os.path.join(root, framework)
+            result = CodesignPath(path, identifier, team_identifier=team_identifier, force=force)
+            if verbose_output:
+                if result:
+                    print(f"Code-signed framework: {path}")
+                else:
+                    print(f"Did not code-sign framework: {path}")
+
+    return True
 
 def CreateUniversalBinaries(context, libNames, x86Dir, armDir):
     if not MacOS():
diff --git a/build_scripts/build_usd.py b/build_scripts/build_usd.py
@@ -2002,6 +2002,7 @@ def InstallUSD(context, force, buildArgs):
                        default=codesignDefault, action="store_true",
                        help=("Enable code signing for macOS builds "
                              "(defaults to enabled on Apple Silicon)"))
+    group.add_argument("--codesign-id", dest="macos_codesign_id", type=str)
 
 if Linux():
     group.add_argument("--use-cxx11-abi", type=int, choices=[0, 1],
@@ -2310,9 +2311,9 @@ def __init__(self, args):
             self.buildTarget = args.build_target
             apple_utils.SetTarget(self, self.buildTarget)
 
-            self.macOSCodesign = \
-                (args.macos_codesign if hasattr(args, "macos_codesign")
-                 else False)
+            self.macOSCodesign = False
+            if args.macos_codesign:
+                self.macOSCodesign = args.macos_codesign_id or apple_utils.GetCodeSignID()
             if apple_utils.IsHostArm() and args.ignore_homebrew:
                 self.ignorePaths.append("/opt/homebrew")
         else:
@@ -2843,7 +2844,9 @@ def FormatBuildArguments(buildArgs):
 
 if MacOS():
     if context.macOSCodesign:
-        apple_utils.Codesign(context.usdInstDir, verbosity > 1)
+        apple_utils.Codesign(context.usdInstDir,
+                             identifier=context.macOSCodesign,
+                             verbose_output=verbosity > 1)
 
 additionalInstructions = any([context.buildPython, context.buildTools, context.buildPrman])
 if additionalInstructions:
