Skip to content

feat(cef_host): content-hash-keyed signed prebuilt on GCS#16

Merged
wenkaifan0720 merged 3 commits into
mainfrom
feat/signed-cef-host-gcs
Jul 1, 2026
Merged

feat(cef_host): content-hash-keyed signed prebuilt on GCS#16
wenkaifan0720 merged 3 commits into
mainfrom
feat/signed-cef-host-gcs

Conversation

@wenkaifan0720

@wenkaifan0720 wenkaifan0720 commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Makes flutter_cef turnkey — pub get + flutter build macos embeds a working, Developer-ID signed, sandboxed cef_host (no make cef-host, no FLUTTER_CEF_HOST, no pin/host drift) — replacing the ad-hoc GitHub-release prebuilt that shipped the agent_ui-breaking host.

Design

  • Keyed by a content hash of the build inputs (native/cef_host/ + build_cef_host.sh), not the plugin commit — release-model-agnostic (SHA/branch/tag pins that check out the same native sources resolve to the same object); a Dart-only change rebuilds nothing. tool/cef_host_hash.sh is sourced by both fetch and publish so they can't drift.
  • Public GCS at gs://flutterflow-downloads/campus_prebuilt_cef_host/<hash>/… (+ .sha256), anonymous public-read.
  • Published locally via make publish-cef-host (tool/publish-cef-host.sh): builds the sandboxed variant (CEF_HOST_ADHOC=OFF, Developer-ID — renders agent_ui), hashes, idempotently uploads. Signing material never touches this public repo; the host changes rarely so a local publish suffices (the script is CI-agnostic for later automation).
  • Fetch fails open on network/missing (co-dev/offline build from source) and closed on checksum mismatch.
  • Deletes the ad-hoc cef_host_prebuilt.json + .github/workflows/release-cef-host.yml.

Validated end-to-end (staging GCS prefix)

deterministic hash (stable / moves on source change / ignores build outputs) ✔ · make publish-cef-host → sandboxed Developer-ID build → hash 85a8824… → 120 MB tarball + .sha256 uploaded ✔ · anonymous curl -fIHTTP/2 200, cache-control: immutable ✔ · fetch → same hash → download → sha256-verify → extract (Developer-ID confirmed) ✔ · idempotent both sides ✔

After merge (go-live)

  1. make publish-cef-host once to seed the production prefix.
  2. work_canvas adopts self-bundling (bump its pin past feat: self-bundling cef_host — pub get + flutter build, no make/host steps #14) — the turnkey payoff.
  3. gh release delete cef-host-v0.2.0 --cleanup-tag (retire the ad-hoc host).

🤖 Generated with Claude Code

wenkaifan0720 and others added 3 commits June 30, 2026 23:14
Replaces the ad-hoc GitHub-release + committed-manifest prebuilt with a
content-hash-keyed, Developer-ID-signed cef_host published to public GCS by a
private Codemagic workflow.

- tool/cef_host_hash.sh: deterministic hash of the build inputs (native/cef_host
  + build_cef_host.sh), sourced by both fetch + publish so they can't drift.
- tool/fetch_cef_host.sh: derive the GCS URL from the hash, download + sha256
  verify, extract. No manifest. Fail-open on network, fail-closed on mismatch.
- tool/publish-cef-host.sh: build the SANDBOXED (CEF_HOST_ADHOC=OFF, Developer-ID)
  variant -- the one that renders agent_ui -- hash it, idempotently upload to
  gs://flutterflow-downloads/campus_prebuilt_cef_host/<hash>/.
- codemagic.yaml: private publish pipeline (push-to-main + cef-host-v* tags);
  signing material + GCS service account live only in Codemagic, not the repo.
- Delete cef_host_prebuilt.json + .github/workflows/release-cef-host.yml (the
  ad-hoc CI that shipped the agent_ui-breaking host).

Keying by build-input hash makes the artifact release-model-agnostic (SHA,
branch, or a future release tag all resolve to the same object) and rebuilds
only when the host actually changes. Requires the `cef_host_publish` Codemagic
env group (GCP SA + Developer-ID P12) -- see specs/prebuilt-cef-host/PLAN.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Makefile target auto-resolves the Developer ID Application identity and runs
  tool/publish-cef-host.sh — the local zero-CI publish, run when cef_host changes.
- Harden the publish signature check: capture codesign output and string-match
  instead of piping into grep under `set -o pipefail` (codesign -dvv can exit
  non-zero on a valid signature, which false-failed the check).

Validated end-to-end against a staging GCS prefix: build sandboxed + Developer-ID
host -> hash -> upload -> anonymous public-read fetch -> sha256-verify -> extract
(Developer-ID confirmed); fetch and publish both idempotent.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…lish-cef-host`

The flutter_cef Codemagic app isn't available, so publishing is the local
`make publish-cef-host` target (zero CI; the host changes rarely). Removed the
non-functional codemagic.yaml — publish-cef-host.sh stays CI-agnostic for any
future automation in a repo that holds the signing + GCS creds. Doc note updated.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@wenkaifan0720 wenkaifan0720 changed the title feat(cef_host): content-hash-keyed signed prebuilt on GCS via Codemagic feat(cef_host): content-hash-keyed signed prebuilt on GCS Jul 1, 2026
@wenkaifan0720 wenkaifan0720 merged commit 82f8186 into main Jul 1, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant