Make the Keystone tag contain -32bit and -full as needed

chrome/installer/mac/keystone_install.sh

 #!/bin/bash -p
 
 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # usage: keystone_install.sh update_dmg_mount_point
 #
 # Called by the Keystone system to update the installed application with a new
 # version from a disk image.
@@ skipping 11 matching lines @@
 #  2  Basic sanity check source failure (e.g. no app on disk image)
 #  3  Basic sanity check destination failure (e.g. ticket points to nothing)
 #  4  Update driven by user ticket when a system ticket is also present
 #  5  Could not prepare existing installed version to receive update
 #  6  Patch sanity check failure
 #  7  rsync failed (could not copy new versioned directory to Versions)
 #  8  rsync failed (could not update outer .app bundle)
 #  9  Could not get the version, update URL, or channel after update
 # 10  Updated application does not have the version number from the update
 # 11  ksadmin failure
-# 12  dirpatcher failed for versioned directory
-# 13  dirpatcher failed for outer .app bundle
 #
-# The following exit codes are not used by this script, but can be used to
-# convey special meaning to Keystone:
+# The following exit codes can be used to convey special meaning to Keystone:
 # 66  (unused) success, request reboot
-# 77  (unused) try installation again later
+# 77  try installation again later
 
 set -eu
 
 # http://b/2290916: Keystone runs the installation with a restrictive PATH
 # that only includes the directory containing ksadmin, /bin, and /usr/bin.  It
 # does not include /sbin or /usr/sbin.  This script uses lsof, which is in
 # /usr/sbin, and it's conceivable that it might want to use other tools in an
 # sbin directory.  Adjust the path accordingly.
 export PATH="${PATH}:/sbin:/usr/sbin"
 
 # Environment sanitization.  Clear environment variables that might impact the
 # interpreter's operation.  The |bash -p| invocation on the #! line takes the
 # bite out of BASH_ENV, ENV, and SHELLOPTS (among other features), but
 # clearing them here ensures that they won't impact any shell scripts used as
 # utility programs. SHELLOPTS is read-only and can't be unset, only
 # unexported.
 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
 export -n SHELLOPTS
 
 set -o pipefail
 shopt -s nullglob
 
 ME="$(basename "${0}")"
 readonly ME
 
+readonly KS_CHANNEL_KEY="KSChannelID"
+
 # Workaround for http://code.google.com/p/chromium/issues/detail?id=83180#c3
 # In bash 4.0, "declare VAR" no longer initializes VAR if not already set.
 : ${GOOGLE_CHROME_UPDATER_DEBUG:=}
 err() {
   local error="${1}"
 
   local id=
   if [[ -n "${GOOGLE_CHROME_UPDATER_DEBUG}" ]]; then
     id=": ${$} $(date "+%Y-%m-%d %H:%M:%S %z")"
   fi
@@ skipping 370 matching lines @@
 
 # Returns 0 (true) if ksadmin supports --version-path and --version-key.
 ksadmin_supports_versionpath_versionkey() {
   # --version-path and --version-key were introduced in Keystone 1.0.9.2318.
   is_ksadmin_version_ge 1.0.9.2318
 
   # The return value of is_ksadmin_version_ge is used as this function's
   # return value.
 }
 
+has_32_bit_only_cpu() {
+  local cpu_64_bit_capable="$(sysctl -n hw.cpu64bit_capable 2>/dev/null)"
+  [[ -z "${cpu_64_bit_capable}" || "${cpu_64_bit_capable}" -eq 0 ]]
+
+  # The return value of the comparison is used as this function's return
+  # value.
+}
+
 # Runs "defaults read" to obtain the value of a key in a property list. As
 # with "defaults read", an absolute path to a plist is supplied, without the
 # ".plist" extension.
 #
 # As of Mac OS X 10.8, defaults (and NSUserDefaults and CFPreferences)
 # normally communicates with cfprefsd to read and write plists. Changes to a
 # plist file aren't necessarily reflected immediately via this API family when
 # not made through this API family, because cfprefsd may return cached data
 # from a former on-disk version of a plist file instead of reading the current
 # version from disk. The old behavior can be restored by setting the
@@ skipping 13 matching lines @@
 # This function exists because the update process delivers new copies of
 # Info.plist files to the disk behind cfprefsd's back, and if cfprefsd becomes
 # aware of the original version of the file for any reason (such as this
 # script reading values from it via "defaults read"), the new version of the
 # file will not be immediately effective or visible via cfprefsd after the
 # update is applied.
 infoplist_read() {
   __CFPREFERENCES_AVOID_DAEMON=1 defaults read "${@}"
 }
 
+# When a patch update fails because the old installed copy doesn't match the
+# expected state, mark_failed_patch_update updates the Keystone ticket by
+# adding "-full" to the tag. The server will see this on a subsequent update
+# attempt and will provide a full update (as opposed to a patch) to the
+# client.
+#
+# Even if mark_failed_patch_update fails to modify the tag, the user will
+# eventually be updated. Patch updates are only provided for successive
+# releases on a particular channel, to update version o to version o+1. If a
+# patch update fails in this case, eventually version o+2 will be released,
+# and no patch update will exist to update o to o+2, so the server will
+# provide a full update package.
+mark_failed_patch_update() {
+  local product_id="${1}"
+  local want_full_installer_path="${2}"
+  local old_ks_plist="${3}"
+  local old_version_app="${4}"
+  local system_ticket="${5}"
+
+  set +e
+
+  note "marking failed patch update"
+
+  local channel
+  channel="$(infoplist_read "${old_ks_plist}" "${KS_CHANNEL_KEY}" 2> /dev/null)"
+
+  local tag="${channel}"
+  local tag_key="${KS_CHANNEL_KEY}"
+  if has_32_bit_only_cpu; then
+    tag="${tag}-32bit"
+    tag_key="${tag_key}-32bit"
+  fi
+
+  tag="${tag}-full"
+  tag_key="${tag_key}-full"
+
+  note "tag = ${tag}"
+  note "tag_key = ${tag_key}"
+
+  # ${old_ks_plist}, used for --tag-path, is the Info.plist for the old
+  # version of Chrome. It may not contain the keys for the "-full" tag suffix.
+  # If it doesn't, just bail out without marking the patch update as failed.
+  local read_tag="$(infoplist_read "${old_ks_plist}" "${tag_key}" 2> /dev/null)"
+  note "read_tag = ${read_tag}"
+  if [[ -z "${read_tag}" ]]; then
+    note "couldn't mark failed patch update"
+    return 0
+  fi
+
+  # Chrome can't easily read its Keystone ticket prior to registration, and
+  # when Chrome registers with Keystone, it obliterates old tag values in its
+  # ticket. Therefore, an alternative mechanism is provided to signal to
+  # Chrome that a full installer is desired. If the .want_full_installer file
+  # is present and it contains Chrome's current version number, Chrome will
+  # include "-full" in its tag when it registers with Keystone. This allows
+  # "-full" to persist in the tag even after Chrome is relaunched, which on a
+  # user ticket, triggers a re-registration.
+  #
+  # .want_full_installer is placed immediately inside the .app bundle as a
+  # sibling to the Contents directory. In this location, it's outside of the
+  # view of the code signing and code signature verification machinery. This
+  # file can safely be added, modified, and removed without affecting the
+  # signature.
+  rm -f "${want_full_installer_path}" 2> /dev/null
+  echo "${old_version_app}" > "${want_full_installer_path}"
+
+  # See the comment below in the "setting permissions" section for an
+  # explanation of the groups and modes selected here.
+  local chmod_mode="644"
+  if [[ -z "${system_ticket}" ]] &&
+     [[ "${want_full_installer_path:0:14}" = "/Applications/" ]] &&
+     chgrp admin "${want_full_installer_path}" 2> /dev/null; then
+    chmod_mode="664"
+  fi
+  note "chmod_mode = ${chmod_mode}"
+  chmod "${chmod_mode}" "${want_full_installer_path}" 2> /dev/null
+
+  local old_ks_plist_path="${old_ks_plist}.plist"
+
+  # Using ksadmin without --register only updates specified values in the
+  # ticket, without changing other existing values.
+  local ksadmin_args=(
+    --productid "${product_id}"
+  )
+
+  if ksadmin_supports_tag; then
+    ksadmin_args+=(
+      --tag "${tag}"
+    )
+  fi
+
+  if ksadmin_supports_tagpath_tagkey; then
+    ksadmin_args+=(
+      --tag-path "${old_ks_plist_path}"
+      --tag-key "${tag_key}"
+    )
+  fi
+
+  note "ksadmin_args = ${ksadmin_args[*]}"
+
+  if ! ksadmin "${ksadmin_args[@]}"; then
+    err "ksadmin failed"
+  fi
+
+  note "marked failed patch update"
+
+  set -e
+}
+
 usage() {
   echo "usage: ${ME} update_dmg_mount_point" >& 2
 }
 
 main() {
   local update_dmg_mount_point="${1}"
 
   # Early steps are critical.  Don't continue past any failure.
   set -e
 
   trap cleanup EXIT HUP INT QUIT TERM
 
   readonly PRODUCT_NAME="Google Chrome"
   readonly APP_DIR="${PRODUCT_NAME}.app"
   readonly ALTERNATE_APP_DIR="${PRODUCT_NAME} Canary.app"
   readonly FRAMEWORK_NAME="${PRODUCT_NAME} Framework"
   readonly FRAMEWORK_DIR="${FRAMEWORK_NAME}.framework"
   readonly PATCH_DIR=".patch"
   readonly CONTENTS_DIR="Contents"
   readonly APP_PLIST="${CONTENTS_DIR}/Info"
   readonly VERSIONS_DIR="${CONTENTS_DIR}/Versions"
   readonly UNROOTED_BRAND_PLIST="Library/Google/Google Chrome Brand"
   readonly UNROOTED_DEBUG_FILE="Library/Google/Google Chrome Updater Debug"
 
   readonly APP_VERSION_KEY="CFBundleShortVersionString"
   readonly APP_BUNDLEID_KEY="CFBundleIdentifier"
   readonly KS_VERSION_KEY="KSVersion"
   readonly KS_PRODUCT_KEY="KSProductID"
   readonly KS_URL_KEY="KSUpdateURL"
-  readonly KS_CHANNEL_KEY="KSChannelID"
   readonly KS_BRAND_KEY="KSBrandID"
 
   readonly QUARANTINE_ATTR="com.apple.quarantine"
   readonly KEYCHAIN_REAUTHORIZE_DIR=".keychain_reauthorize"
 
   # Don't use rsync -a, because -a expands to -rlptgoD.  -g and -o copy owners
   # and groups, respectively, from the source, and that is undesirable in this
   # case.  -D copies devices and special files; copying devices only works
   # when running as root, so for consistency between privileged and
   # unprivileged operation, this option is omitted as well.
@@ skipping 206 matching lines @@
   # Figure out where to install.
   local installed_app
   if ! installed_app="$(ksadmin -pP "${product_id}" | sed -Ene \
       "s%^[[:space:]]+xc=<KSPathExistenceChecker:.* path=(/.+)>\$%\\1%p")" ||
       [[ -z "${installed_app}" ]]; then
     err "couldn't locate installed_app"
     exit 3
   fi
   note "installed_app = ${installed_app}"
 
+  local want_full_installer_path="${installed_app}/.want_full_installer"
+  note "want_full_installer_path = ${want_full_installer_path}"
+
   if [[ "${installed_app:0:1}" != "/" ]] ||
      ! [[ -d "${installed_app}" ]]; then
     err "installed_app must be an absolute path to a directory"
     exit 3
   fi
 
   # If this script is running as root, it's being driven by a system ticket.
   # Otherwise, it's being driven by a user ticket.
   local system_ticket=
   if [[ ${EUID} -eq 0 ]]; then
@@ skipping 142 matching lines @@
       note "versioned_dir_target = ${versioned_dir_target}"
       update_versioned_dir="${versioned_dir_target}"
       note "update_versioned_dir = ${update_versioned_dir}"
     fi
 
     note "dirpatching versioned directory"
     if ! "${dirpatcher}" "${old_versioned_dir}" \
                          "${patch_versioned_dir}" \
                          "${versioned_dir_target}"; then
       err "dirpatcher of versioned directory failed, status ${PIPESTATUS[0]}"
-      exit 12
+      mark_failed_patch_update "${product_id}" \
+                               "${want_full_installer_path}" \
+                               "${old_ks_plist}" \
+                               "${old_version_app}" \
+                               "${system_ticket}"
+      exit 77
     fi
   fi
 
   # Copy the versioned directory.  The new versioned directory should have a
   # different name than any existing one, so this won't harm anything already
   # present in ${installed_versions_dir}, including the versioned directory
   # being used by any running processes.  If this step is interrupted, there
   # will be an incomplete versioned directory left behind, but it won't
   # won't interfere with anything, and it will be replaced or removed during a
   # future update attempt.
@@ skipping 33 matching lines @@
     # dirpatcher creates it.
     ensure_temp_dir
     update_app="${g_temp_dir}/${APP_DIR}"
     note "update_app = ${update_app}"
 
     note "dirpatching app directory"
     if ! "${dirpatcher}" "${installed_app}" \
                          "${patch_app_dir}" \
                          "${update_app}"; then
       err "dirpatcher of app directory failed, status ${PIPESTATUS[0]}"
-      exit 13
+      mark_failed_patch_update "${product_id}" \
+                               "${want_full_installer_path}" \
+                               "${old_ks_plist}" \
+                               "${old_version_app}" \
+                               "${system_ticket}"
+      exit 77
     fi
   fi
 
   # See if the timestamp of what's currently on disk is newer than the
   # update's outer .app's timestamp.  rsync will copy the update's timestamp
   # over, but if that timestamp isn't as recent as what's already on disk, the
   # .app will need to be touched.
   local needs_touch=
   if [[ "${installed_app}" -nt "${update_app}" ]]; then
     needs_touch="y"
@@ skipping 27 matching lines @@
     note "update_app = ${update_app}"
   fi
 
   if [[ -n "${g_temp_dir}" ]]; then
     # The temporary directory, if any, is no longer needed.
     rm -rf "${g_temp_dir}" 2> /dev/null || true
     g_temp_dir=
     note "g_temp_dir = ${g_temp_dir}"
   fi
 
+  # Clean up any old .want_full_installer files from previous dirpatcher
+  # failures. This is not considered a critical step, because this file
+  # normally does not exist at all.
+  rm -f "${want_full_installer_path}" || true
+
   # If necessary, touch the outermost .app so that it appears to the outside
   # world that something was done to the bundle.  This will cause
   # LaunchServices to invalidate the information it has cached about the
   # bundle even if lsregister does not run.  This is not done if rsync already
   # updated the timestamp to something newer than what had been on disk.  This
   # is not considered a critical step, and if it fails, this script will not
   # exit.
   if [[ -n "${needs_touch}" ]]; then
     touch -cf "${installed_app}" || true
   fi
@@ skipping 33 matching lines @@
   fi
   note "update_url = ${update_url}"
 
   # The channel ID is optional.  Suppress stderr to prevent Keystone from
   # seeing possible error output.
   local channel
   channel="$(infoplist_read "${new_ks_plist}" \
                             "${KS_CHANNEL_KEY}" 2> /dev/null || true)"
   note "channel = ${channel}"
 
+  local tag="${channel}"
+  local tag_key="${KS_CHANNEL_KEY}"
+  if has_32_bit_only_cpu; then
+    tag="${tag}-32bit"
+    tag_key="${tag_key}-32bit"
+  fi
+  note "tag = ${tag}"
+  note "tag_key = ${tag_key}"
+
   # Make sure that the update was successful by comparing the version found in
   # the update with the version now on disk.
   if [[ "${new_version_ks}" != "${update_version_ks}" ]]; then
     err "new_version_ks and update_version_ks do not match"
     exit 10
   fi
 
   # Notify LaunchServices.  This is not considered a critical step, and
   # lsregister's exit codes shouldn't be confused with this script's own.
   # Redirect stdout to /dev/null to suppress the useless "ThrottleProcessIO:
@@ skipping 88 matching lines @@
   local ksadmin_args=(
     --register
     --productid "${product_id}"
     --version "${new_version_ks}"
     --xcpath "${installed_app}"
     --url "${update_url}"
   )
 
   if ksadmin_supports_tag; then
     ksadmin_args+=(
-      --tag "${channel}"
+      --tag "${tag}"
     )
   fi
 
   if ksadmin_supports_tagpath_tagkey; then
     ksadmin_args+=(
       --tag-path "${installed_app_plist_path}"
-      --tag-key "${KS_CHANNEL_KEY}"
+      --tag-key "${tag_key}"
     )
   fi
 
   if ksadmin_supports_brandpath_brandkey; then
     ksadmin_args+=(
       --brand-path "${ksadmin_brand_plist_path}"
       --brand-key "${ksadmin_brand_key}"
     )
   fi
 
@@ skipping 219 matching lines @@
 
 # Check "less than" instead of "not equal to" in case Keystone ever changes to
 # pass more arguments.
 if [[ ${#} -lt 1 ]]; then
   usage
   exit 2
 fi
 
 main "${@}"
 exit ${?}