[codesign] hide codesign credentials from logs (flutter#3322)

context: b/311427184

replace codesign credentials in logs with placeholders. 
The log will now look like `this command failed: blah blah ... --apple-id <appleID> --password <appSpecificPassword> --team-id <teamID> ... blah blah` instead of printing the literal passwords.

refactored test to be more stable and reliable.

cipd_packages/codesign/lib/src/file_codesign_visitor.dart

@@ -71,6 +71,7 @@ class FileCodesignVisitor {
     'CODESIGN_TEAM_ID': '',
     'APP_SPECIFIC_PASSWORD': '',
   };
+  Map<String, String> redactedCredentials = {};
 
   late final File entitlementsFile;
 
@@ -131,12 +132,20 @@ update these file paths accordingly.
     return fileSystem.file(passwordFilePath).readAsString();
   }
 
+  void redactPasswords() {
+    redactedCredentials[codesignAppstoreId] = '<appleID-redacted>';
+    redactedCredentials[codesignTeamId] = '<teamID-redacted>';
+    redactedCredentials[appSpecificPassword] = '<appSpecificPassword-redacted>';
+  }
+
   /// The entrance point of examining and code signing an engine artifact.
   Future<void> validateAll() async {
     codesignAppstoreId = await readPassword(codesignAppstoreIDFilePath);
     codesignTeamId = await readPassword(codesignTeamIDFilePath);
     appSpecificPassword = await readPassword(appSpecificPasswordFilePath);
 
+    redactPasswords();
+
     await processRemoteZip();
 
     log.info('Codesign completed. Codesigned zip is located at $outputZipPath.'
@@ -416,23 +425,27 @@ update these file paths accordingly.
       'notarytool',
       'info',
       uuid,
-      '--password',
-      appSpecificPassword,
       '--apple-id',
       codesignAppstoreId,
+      '--password',
+      appSpecificPassword,
       '--team-id',
       codesignTeamId,
     ];
 
-    log.info('checking notary status with ${args.join(' ')}');
+    String argsWithoutCredentials = args.join(' ');
+    for (var key in redactedCredentials.keys) {
+      argsWithoutCredentials = argsWithoutCredentials.replaceAll(key, redactedCredentials[key]!);
+    }
+    log.info('checking notary info: $argsWithoutCredentials');
     final io.ProcessResult result = processManager.runSync(args);
     final String combinedOutput = (result.stdout as String) + (result.stderr as String);
 
     final RegExpMatch? match = _notarytoolStatusCheckPattern.firstMatch(combinedOutput);
 
     if (match == null) {
       throw CodesignException(
-        'Malformed output from "${args.join(' ')}"\n${combinedOutput.trim()}',
+        'Malformed output from "$argsWithoutCredentials"\n${combinedOutput.trim()}',
       );
     }
 
@@ -465,11 +478,15 @@ update these file paths accordingly.
         '--verbose',
       ];
 
-      log.info('uploading ${args.join(' ')}');
+      String argsWithoutCredentials = args.join(' ');
+      for (var key in redactedCredentials.keys) {
+        argsWithoutCredentials = argsWithoutCredentials.replaceAll(key, redactedCredentials[key]!);
+      }
+      log.info('uploading to notary: $argsWithoutCredentials');
       final io.ProcessResult result = processManager.runSync(args);
       if (result.exitCode != 0) {
         throw CodesignException(
-          'Command "${args.join(' ')}" failed with exit code ${result.exitCode}\nStdout: ${result.stdout}\nStderr: ${result.stderr}',
+          'Command "$argsWithoutCredentials" failed with exit code ${result.exitCode}\nStdout: ${result.stdout}\nStderr: ${result.stderr}',
         );
       }
 
@@ -478,7 +495,7 @@ update these file paths accordingly.
       match = _notarytoolRequestPattern.firstMatch(combinedOutput);
 
       if (match == null) {
-        log.warning('Failed to upload to the notary service with args: ${args.join(' ')}');
+        log.warning('Failed to upload to the notary service with args: $argsWithoutCredentials');
         log.warning('{combinedOutput.trim()}');
         retryCount -= 1;
         log.warning('Trying again $retryCount more time${retryCount > 1 ? 's' : ''}...');