OLD | NEW |
1 #!/bin/bash -p | 1 #!/bin/bash -p |
2 | 2 |
3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. | 3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. |
4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
6 | 6 |
7 # Using codesign, sign the contents of the versioned directory. Namely, this | 7 # Using codesign, sign the contents of the versioned directory. Namely, this |
8 # includes the framework and helper app. After signing, the signatures are | 8 # includes the framework and helper app. After signing, the signatures are |
9 # verified. | 9 # verified. |
10 | 10 |
(...skipping 25 matching lines...) Expand all Loading... |
36 | 36 |
37 # An .app bundle to be signed can be signed directly. Normally, signing a | 37 # An .app bundle to be signed can be signed directly. Normally, signing a |
38 # framework bundle requires that each version within be signed individually. | 38 # framework bundle requires that each version within be signed individually. |
39 # http://developer.apple.com/mac/library/technotes/tn2007/tn2206.html#TNTAG13 | 39 # http://developer.apple.com/mac/library/technotes/tn2007/tn2206.html#TNTAG13 |
40 # In Chrome's case, the framework bundle is unversioned, so it too can be | 40 # In Chrome's case, the framework bundle is unversioned, so it too can be |
41 # signed directly. See copy_framework_unversioned.sh. | 41 # signed directly. See copy_framework_unversioned.sh. |
42 | 42 |
43 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" | 43 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" |
44 crashpad_handler="${framework}/Helpers/crashpad_handler" | 44 crashpad_handler="${framework}/Helpers/crashpad_handler" |
45 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" | 45 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" |
46 app_mode_loader_app="${framework}/Resources/app_mode_loader.app" | |
47 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader" | |
48 | 46 |
49 requirement_suffix="\ | 47 requirement_suffix="\ |
50 and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\ | 48 and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\ |
51 " | 49 " |
52 | 50 |
53 enforcement_flags="restrict" | 51 enforcement_flags="restrict" |
54 | 52 |
55 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | 53 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ |
56 "${crashpad_handler}" \ | 54 "${crashpad_handler}" \ |
57 -r="designated => identifier \"crashpad_handler\" \ | 55 -r="designated => identifier \"crashpad_handler\" \ |
58 ${requirement_suffix}" --options "${enforcement_flags}" | 56 ${requirement_suffix}" --options "${enforcement_flags}" |
59 | |
60 # The app mode loader bundle is modified dynamically at runtime. Just sign the | |
61 # executable, which shouldn't change. In order to do this, the executable needs | |
62 # to be copied out of the bundle, signed, and then copied back in. The resulting | |
63 # bundle's signature won't validate normally, but if the executable file is | |
64 # verified in isolation or with --ignore-resources, it will. Because the | |
65 # bundle's signature won't validate on its own, don't set any of the enforcement | |
66 # flags. | |
67 app_mode_loader_tmp="$(mktemp -t app_mode_loader)" | |
68 cp "${app_mode_loader}" "${app_mode_loader_tmp}" | |
69 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | |
70 "${app_mode_loader_tmp}" \ | |
71 -r="designated => identifier \"app_mode_loader\" \ | |
72 ${requirement_suffix}" | |
73 cp "${app_mode_loader_tmp}" "${app_mode_loader}" | |
74 rm -f "${app_mode_loader_tmp}" | |
75 | |
76 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | 57 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ |
77 "${framework}" \ | 58 "${framework}" \ |
78 -r="designated => identifier \"com.google.Chrome.framework\" \ | 59 -r="designated => identifier \"com.google.Chrome.framework\" \ |
79 ${requirement_suffix}" | 60 ${requirement_suffix}" |
80 | |
81 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | 61 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ |
82 "${helper_app}" \ | 62 "${helper_app}" \ |
83 -r="designated => identifier \"com.google.Chrome.helper\" \ | 63 -r="designated => identifier \"com.google.Chrome.helper\" \ |
84 ${requirement_suffix}" --options "${enforcement_flags}" | 64 ${requirement_suffix}" --options "${enforcement_flags}" |
85 | 65 |
86 # Verify everything. Don't use --deep on the framework because Keystone's | 66 # Verify everything. Don't use --deep on the framework because Keystone's |
87 # signature is in a transitional state (radar 18474911). | 67 # signature is in a transitional state (radar 18474911). |
88 codesign --verify --deep "${crashpad_handler}" | 68 codesign --verify --deep "${crashpad_handler}" |
89 codesign --verify --ignore-resources "${app_mode_loader}" | |
90 codesign --verify "${framework}" | 69 codesign --verify "${framework}" |
91 codesign --verify --deep "${helper_app}" | 70 codesign --verify --deep "${helper_app}" |
OLD | NEW |