APPLE: Make codesigning improvements

[dgovil]

Description of Change(s)

This PR overhauls the current code signing setup with the following changes:

1. Developers can now pass in code signing identifiers directly to the build_usd.py script.
2. Codesigning identifiers are now passed to CMake for Xcode targets if they want to sign anything.
3. The code signing identifier is calculated less often
4. Codesigning now supports signing frameworks
5. Codesigning supports checking previous signing status and only re-signing as needed. Note: Since USD's cmake always installs all targets again, they're always re-signed. Future work might help optimize this, but at the least we're not re-signing every dependency.
6. Codesigning is validated earlier to prevent running through a whole build just to find code signing fails

This makes code signing much more reliable and faster overall.

This work is needed to enable properly building OpenUSD as a framework

Checklist

• I have created this PR based on the dev branch

• I have followed the coding conventions

• I have added unit tests that exercise this functionality (Reference:
  testing guidelines)

• I have verified that all unit tests pass with the proposed changes

• I have submitted a signed Contributor License Agreement (Reference:
  Contributor License Agreement instructions)

[jesschimein]

Filed as internal issue #USD-11198

(This is an automated message. See here for more information.)

[sunyab]

Hi @dgovil , left some notes from a first pass review. Thanks!

[dgovil]

Thanks, @sunyab !
I'll take a pass next week at resolving these

[dgovil]

Thanks, @sunyab
I pushed an update that also rebases on top of dev.

Appreciate the notes. Hope you have a good thanksgiving break.

[sunyab]

Hey @dgovil, I ran into an error when testing this change earlier. I was testing the process we follow internally when doing QA for USD releases:

• Create and activate a Python venv
• Install the necessary Python modules into the venv (PySide6 and PyOpenGL)
• Build USD into the venv via build_usd.py

This was the result:

sunya@usd-mac-08 ~ --> /usr/local/bin/python3 -m venv codesign_test    
sunya@usd-mac-08 ~ --> source codesign_test/bin/activate
(codesign_test) sunya@usd-mac-08 ~ --> python -m pip install PyOpenGL PySide6==6.3.1
(codesign_test) sunya@usd-mac-08 ~ --> python OpenUSD/build_scripts/build_usd.py --build-target universal --tests codesign_test 

<snip>

STATUS: Installing USD...
/Users/sunya/codesign_test/lib/python3.9/site-packages/PySide6/Qt/lib/QtWebEngineCore.framework: code object is not signed at all
In subcomponent: /Users/sunya/codesign_test/lib/python3.9/site-packages/PySide6/Qt/lib/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app
Traceback (most recent call last):
  File "/Users/sunya/dev-cmake/build_scripts/build_usd.py", line 2982, in <module>
    apple_utils.Codesign(context.usdInstDir,
  File "/Users/sunya/dev-cmake/build_scripts/apple_utils.py", line 312, in Codesign
    result = CodesignPath(path, identifier, team_identifier=team_identifier, force=force, is_framework=True)
  File "/Users/sunya/dev-cmake/build_scripts/apple_utils.py", line 270, in CodesignPath
    subprocess.check_call(
  File "/Library/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 373, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['codesign', '--force', '--sign', '-', '--generate-entitlement-der', '--verbose', '/Users/sunya/codesign_test/lib/python3.9/site-packages/PySide6/Qt/lib/QtWebEngineCore.framework']' returned non-zero exit status 1.

Since we're now code-signing frameworks, it looks like we're now picking up some Qt frameworks that are hidden deep in the PySide6 Python module.

I know we were previously recursing over the entire install directory and signing dylibs, but since we're now looking at frameworks too I wonder if we ought to limit the search that the Codesign method does. What do you think?

[dgovil]

Oh good catch. Yeah we should probably only sign the OpenUSD.framework.

I can add a check , but if you need to unblock your teams, just let me know if you add it first.

[dgovil]

Okay, I added what I think should do the trick.

[sunyab]

Instead of hardcoding a list of names, what do you think about just limiting the search to all .dylib, .so, and .framework files/directories in specific paths directory instead of walking the entire directory structure?

So something like:

codesignPaths = [
    os.path.join(install_dir, 'lib'),
    os.path.join(install_dir, 'plugin'),
    os.path.join(install_dir, 'share/usd')
]

for dir in codesignPaths:
    shared_libs = glob.glob(f"{os.path.join(dir, '*.dylib')")
    shared_libs += glob.glob(f"{os.path.join(dir, '*.so')")
    for lib in shared_libs:
        # Codesign..

    frameworks = glob.glob(f"{os.path.join(dir, '*.framework')")
    for framework in frameworks:
        # Codesign...

I like that this is more targeted -- the current implementation winds up signing files in unnecessary places like the build directory.

[dgovil]

Oh yeah that makes sense. I guess I hadn't considered that since I always install into a clean directory, but I'm assuming others may install into a communal directory?

[dgovil]

Oh I see. It's because the usdInstPath is not the final install directory but the full container directory.

[dgovil]

@sunyab Okay, I pushed an update that integrates your solution to filter. I still use my walk within the filtered set because there are some dylibs that are within nested folders that need to be signed.
But it should hopefully resolve what you're seeing