xref: /aosp_15_r20/external/angle/build/mac_toolchain.py (revision 8975f5c5ed3d1c378011245431ada316dfb6f244) 
1#!/usr/bin/env python3
2
3# Copyright 2018 The Chromium Authors
4# Use of this source code is governed by a BSD-style license that can be
5# found in the LICENSE file.
6
7"""
8If should_use_hermetic_xcode.py emits "1", and the current toolchain is out of
9date:
10  * Downloads the hermetic mac toolchain
11    * Requires CIPD authentication. Run `cipd auth-login`, use Google account.
12  * Accepts the license.
13    * If xcode-select and xcodebuild are not passwordless in sudoers, requires
14      user interaction.
15  * Downloads standalone binaries from [a possibly different version of Xcode].
16
17The toolchain version can be overridden by setting MAC_TOOLCHAIN_REVISION with
18the full revision, e.g. 9A235.
19"""
20
21import argparse
22import os
23import platform
24import plistlib
25import shutil
26import subprocess
27import sys
28
29
30def LoadPList(path):
31  """Loads Plist at |path| and returns it as a dictionary."""
32  with open(path, 'rb') as f:
33    return plistlib.load(f)
34
35
36# This contains binaries from Xcode 16.1 16B40 along with the macOS 15.1 SDK
37# (24B75). To build these packages, see comments in build/xcode_binaries.yaml.
38# To update the version numbers, open Xcode's "About Xcode" for the first number
39# and run `xcrun --show-sdk-build-version` for the second. To update the _TAG,
40# use the output of the `cipd create` command mentioned in xcode_binaries.yaml.
41
42MAC_BINARIES_LABEL = 'infra_internal/ios/xcode/xcode_binaries/mac-amd64'
43MAC_BINARIES_TAG = '1hSIN_9-e1B39bYANUy2csRbOpOAXZnYLi2tGiYhkocC'
44
45# The toolchain will not be downloaded if the minimum OS version is not met. 19
46# is the major version number for macOS 10.15. Xcode 15.0 only runs on macOS
47# 13.5 and newer, but some bots are still running older OS versions. macOS
48# 10.15.4, the OS minimum through Xcode 12.4, still seems to work.
49MAC_MINIMUM_OS_VERSION = [19, 4]
50
51BASE_DIR = os.path.abspath(os.path.dirname(__file__))
52TOOLCHAIN_ROOT = os.path.join(BASE_DIR, 'mac_files')
53TOOLCHAIN_BUILD_DIR = os.path.join(TOOLCHAIN_ROOT, 'Xcode.app')
54
55# Always integrity-check the entire SDK. Mac SDK packages are complex and often
56# hit edge cases in cipd (eg https://crbug.com/1033987,
57# https://crbug.com/915278), and generally when this happens it requires manual
58# intervention to fix.
59# Note the trailing \n!
60PARANOID_MODE = '$ParanoidMode CheckIntegrity\n'
61
62
63def PlatformMeetsHermeticXcodeRequirements():
64  if sys.platform != 'darwin':
65    return True
66  needed = MAC_MINIMUM_OS_VERSION
67  major_version = [int(v) for v in platform.release().split('.')[:len(needed)]]
68  return major_version >= needed
69
70
71def _UseHermeticToolchain():
72  current_dir = os.path.dirname(os.path.realpath(__file__))
73  script_path = os.path.join(current_dir, 'mac/should_use_hermetic_xcode.py')
74  proc = subprocess.Popen([script_path, 'mac'], stdout=subprocess.PIPE)
75  return '1' in proc.stdout.readline().decode()
76
77
78def RequestCipdAuthentication():
79  """Requests that the user authenticate to access Xcode CIPD packages."""
80
81  print('Access to Xcode CIPD package requires authentication.')
82  print('-----------------------------------------------------------------')
83  print()
84  print('You appear to be a Googler.')
85  print()
86  print('I\'m sorry for the hassle, but you may need to do a one-time manual')
87  print('authentication. Please run:')
88  print()
89  print('    cipd auth-login')
90  print()
91  print('and follow the instructions.')
92  print()
93  print('NOTE: Use your google.com credentials, not chromium.org.')
94  print()
95  print('-----------------------------------------------------------------')
96  print()
97  sys.stdout.flush()
98
99
100def PrintError(message):
101  # Flush buffers to ensure correct output ordering.
102  sys.stdout.flush()
103  sys.stderr.write(message + '\n')
104  sys.stderr.flush()
105
106
107def InstallXcodeBinaries():
108  """Installs the Xcode binaries needed to build Chrome and accepts the license.
109
110  This is the replacement for InstallXcode that installs a trimmed down version
111  of Xcode that is OS-version agnostic.
112  """
113  # First make sure the directory exists. It will serve as the cipd root. This
114  # also ensures that there will be no conflicts of cipd root.
115  binaries_root = os.path.join(TOOLCHAIN_ROOT, 'xcode_binaries')
116  if not os.path.exists(binaries_root):
117    os.makedirs(binaries_root)
118
119  # 'cipd ensure' is idempotent.
120  args = ['cipd', 'ensure', '-root', binaries_root, '-ensure-file', '-']
121
122  p = subprocess.Popen(args,
123                       universal_newlines=True,
124                       stdin=subprocess.PIPE,
125                       stdout=subprocess.PIPE,
126                       stderr=subprocess.PIPE)
127  stdout, stderr = p.communicate(input=PARANOID_MODE + MAC_BINARIES_LABEL +
128                                 ' ' + MAC_BINARIES_TAG)
129  if p.returncode != 0:
130    print(stdout)
131    print(stderr)
132    RequestCipdAuthentication()
133    return 1
134
135  if sys.platform != 'darwin':
136    return 0
137
138  # Accept the license for this version of Xcode if it's newer than the
139  # currently accepted version.
140  cipd_xcode_version_plist_path = os.path.join(binaries_root,
141                                               'Contents/version.plist')
142  cipd_xcode_version_plist = LoadPList(cipd_xcode_version_plist_path)
143  cipd_xcode_version = cipd_xcode_version_plist['CFBundleShortVersionString']
144
145  cipd_license_path = os.path.join(binaries_root,
146                                   'Contents/Resources/LicenseInfo.plist')
147  cipd_license_plist = LoadPList(cipd_license_path)
148  cipd_license_version = cipd_license_plist['licenseID']
149
150  should_overwrite_license = True
151  current_license_path = '/Library/Preferences/com.apple.dt.Xcode.plist'
152  if os.path.exists(current_license_path):
153    current_license_plist = LoadPList(current_license_path)
154    xcode_version = current_license_plist.get(
155        'IDEXcodeVersionForAgreedToGMLicense')
156    if (xcode_version is not None
157        and xcode_version.split('.') >= cipd_xcode_version.split('.')):
158      should_overwrite_license = False
159
160  if not should_overwrite_license:
161    return 0
162
163  # Use puppet's sudoers script to accept the license if its available.
164  license_accept_script = '/usr/local/bin/xcode_accept_license.sh'
165  if os.path.exists(license_accept_script):
166    args = [
167        'sudo', license_accept_script, cipd_xcode_version, cipd_license_version
168    ]
169    subprocess.check_call(args)
170    return 0
171
172  # Otherwise manually accept the license. This will prompt for sudo.
173  print('Accepting new Xcode license. Requires sudo.')
174  sys.stdout.flush()
175  args = [
176      'sudo', 'defaults', 'write', current_license_path,
177      'IDEXcodeVersionForAgreedToGMLicense', cipd_xcode_version
178  ]
179  subprocess.check_call(args)
180  args = [
181      'sudo', 'defaults', 'write', current_license_path,
182      'IDELastGMLicenseAgreedTo', cipd_license_version
183  ]
184  subprocess.check_call(args)
185  args = ['sudo', 'plutil', '-convert', 'xml1', current_license_path]
186  subprocess.check_call(args)
187
188  return 0
189
190
191def main():
192  if not _UseHermeticToolchain():
193    print('Skipping Mac toolchain installation for mac')
194    return 0
195
196  parser = argparse.ArgumentParser(description='Download hermetic Xcode.')
197  args = parser.parse_args()
198
199  if not PlatformMeetsHermeticXcodeRequirements():
200    print('OS version does not support toolchain.')
201    return 0
202
203  return InstallXcodeBinaries()
204
205
206if __name__ == '__main__':
207  sys.exit(main())
208