Sign Mac diff patcher tools: goobspatch, xzdec, liblzma_decompress.dylib

chrome/installer/mac/sign_installer_tools.sh

Index: chrome/installer/mac/sign_installer_tools.sh
diff --git a/chrome/installer/mac/sign_installer_tools.sh b/chrome/installer/mac/sign_installer_tools.sh
new file mode 100755
index 0000000000000000000000000000000000000000..4b0834d466465ec62d39af88452d03c4504859b6
--- /dev/null
+++ b/chrome/installer/mac/sign_installer_tools.sh
@@ -0,0 +1,58 @@
+#!/bin/bash -p
+
+# Copyright 2015 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Using codesign, sign the installer tools. After signing, the signatures are
+# verified.
+
+set -eu
+
+# Environment sanitization. Set a known-safe PATH. Clear environment variables
+# that might impact the interpreter's operation. The |bash -p| invocation
+# on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
+# other features), but clearing them here ensures that they won't impact any
+# shell scripts used as utility programs. SHELLOPTS is read-only and can't be
+# unset, only unexported.
+export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
+export -n SHELLOPTS
+
+ME="$(basename "${0}")"
+readonly ME
+
+if [[ ${#} -ne 3 ]]; then
+  echo "usage: ${ME} packaging_dir codesign_keychain codesign_id" >& 2
+  exit 1
+fi
+
+packaging_dir="${1}"
+codesign_keychain="${2}"
+codesign_id="${3}"
+
+enforcement_flags="restrict,library-validation,kill"

[Greg K, 2015/11/23 15:28:39]

I'm all about setting library-validation on the installer tools, but I assume
this means we are confident that they have no need to load plugins or third
party code?

[Mark Mentovai, 2015/11/23 15:42:28]

Greg Kerr wrote:
Right. The tools are just goobspatch and xzdec. They both link against
liblzma_decompress.dylib, which we also sign here with the same certificate.
Other than that, they only use system libraries.

goobspatch is so simple, it’s just a single source file:
https://chromium.googlesource.com/chromium/src/+/b12075910604ddb2b8c79b366784...

xzdec is also a single source file:
http://git.tukaani.org/?p=xz.git;a=blob;f=src/xzdec/xzdec.c;h=5cb7530afce4dfe...

Running nm -u on liblzma_decompress.dylib to see what it uses from other
libraries, it’s really the simplest stuff:

___stack_chk_fail
___stack_chk_guard
_free
_malloc
_memcmp
_memcpy
_memmove
_memset_pattern16
_pthread_once
_sysctl
dyld_stub_binder

I don’t envision any problems with library validation here, but if there are,
we’ll hear about the errors by seeing an increase in Omaha pings with the
discrete failure codes that correspond to dirpatcher failures (failed diff
update applications). Users won’t be stuck because the updater will just fall
back to a full update.

+
+executables=(goobspatch xzdec)
+libraries=(liblzma_decompress.dylib)
+declare -a everything
+
+for executable in "${executables[@]}"; do
+  sign_path="${packaging_dir}/${executable}"
+  everything+=("${sign_path}")
+
+  codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
+      "${sign_path}" --options "${enforcement_flags}"
+done
+
+for library in "${libraries[@]}"; do
+  sign_path="${packaging_dir}/${library}"
+  everything+=("${sign_path}")
+
+  codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
+      "${sign_path}"
+done
+
+for sign_path in "${everything[@]}"; do
+  codesign --verify --deep -vvvvvv "${sign_path}"
+done