Index: chrome/installer/mac/sign_versioned_dir.sh.in |
diff --git a/chrome/installer/mac/sign_versioned_dir.sh.in b/chrome/installer/mac/sign_versioned_dir.sh.in |
index f68b7aab3a9cc23c433a07a0c7c2b2f3603e8e01..c47cb9547a850f192f5c8901e0bc9e211ffab681 100644 |
--- a/chrome/installer/mac/sign_versioned_dir.sh.in |
+++ b/chrome/installer/mac/sign_versioned_dir.sh.in |
@@ -43,6 +43,8 @@ versioned_dir="${app_path}/Contents/Versions/@VERSION@" |
framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" |
crashpad_handler="${framework}/Helpers/crashpad_handler" |
helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" |
+app_mode_loader_app="${framework}/Resources/app_mode_loader.app" |
+app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader" |
requirement_suffix="\ |
and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\ |
@@ -54,17 +56,38 @@ codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ |
"${crashpad_handler}" \ |
-r="designated => identifier \"crashpad_handler\" \ |
${requirement_suffix}" --options "${enforcement_flags}" |
+ |
+# The app mode loader bundle is modified dynamically at runtime. Just sign the |
+# executable, which shouldn't change. In order to do this, the executable needs |
+# to be copied out of the bundle, signed, and then copied back in. The resulting |
+# bundle's signature won't validate normally, but if the executable file is |
+# verified in isolation or with --ignore-resources, it will. Because the |
+# bundle's signature won't validate on its own, don't set any of the enforcement |
+# flags. |
+app_mode_loader_tmp="$(mktemp -t app_mode_loader)" |
+cp "${app_mode_loader}" "${app_mode_loader_tmp}" |
+codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ |
+ "${app_mode_loader_tmp}" \ |
+ -r="designated => identifier \"app_mode_loader\" \ |
+${requirement_suffix}" |
+cp "${app_mode_loader_tmp}" "${app_mode_loader}" |
+rm -f "${app_mode_loader_tmp}" |
+ |
codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ |
"${framework}" \ |
-r="designated => identifier \"com.google.Chrome.framework\" \ |
${requirement_suffix}" |
+ |
codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ |
"${helper_app}" \ |
-r="designated => identifier \"com.google.Chrome.helper\" \ |
${requirement_suffix}" --options "${enforcement_flags}" |
# Verify everything. Don't use --deep on the framework because Keystone's |
-# signature is in a transitional state (radar 18474911). |
+# signature is in a transitional state (radar 18474911). Don't verify |
+# app_mode_loader independently because --ignore-resources is unrecognized |
+# before 10.11 (bug 565859). |
codesign --verify --deep "${crashpad_handler}" |
+# codesign --verify --ignore-resources "${app_mode_loader}" |
codesign --verify "${framework}" |
codesign --verify --deep "${helper_app}" |