Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(38)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: chrome/installer/mac/sign_versioned_dir.sh.in

Issue 1491213009: Revert of mac: Sign app_mode_loader [badly] (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/bin/bash -p 1 #!/bin/bash -p
2 2
3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. 3 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be 4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file. 5 # found in the LICENSE file.
6 6
7 # Using codesign, sign the contents of the versioned directory. Namely, this 7 # Using codesign, sign the contents of the versioned directory. Namely, this
8 # includes the framework and helper app. After signing, the signatures are 8 # includes the framework and helper app. After signing, the signatures are
9 # verified. 9 # verified.
10 10
(...skipping 25 matching lines...) Expand all
36 36
37 # An .app bundle to be signed can be signed directly. Normally, signing a 37 # An .app bundle to be signed can be signed directly. Normally, signing a
38 # framework bundle requires that each version within be signed individually. 38 # framework bundle requires that each version within be signed individually.
39 # http://developer.apple.com/mac/library/technotes/tn2007/tn2206.html#TNTAG13 39 # http://developer.apple.com/mac/library/technotes/tn2007/tn2206.html#TNTAG13
40 # In Chrome's case, the framework bundle is unversioned, so it too can be 40 # In Chrome's case, the framework bundle is unversioned, so it too can be
41 # signed directly. See copy_framework_unversioned.sh. 41 # signed directly. See copy_framework_unversioned.sh.
42 42
43 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" 43 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
44 crashpad_handler="${framework}/Helpers/crashpad_handler" 44 crashpad_handler="${framework}/Helpers/crashpad_handler"
45 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" 45 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
46 app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
47 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
48 46
49 requirement_suffix="\ 47 requirement_suffix="\
50 and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\ 48 and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\
51 " 49 "
52 50
53 enforcement_flags="restrict" 51 enforcement_flags="restrict"
54 52
55 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ 53 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
56 "${crashpad_handler}" \ 54 "${crashpad_handler}" \
57 -r="designated => identifier \"crashpad_handler\" \ 55 -r="designated => identifier \"crashpad_handler\" \
58 ${requirement_suffix}" --options "${enforcement_flags}" 56 ${requirement_suffix}" --options "${enforcement_flags}"
59
60 # The app mode loader bundle is modified dynamically at runtime. Just sign the
61 # executable, which shouldn't change. In order to do this, the executable needs
62 # to be copied out of the bundle, signed, and then copied back in. The resulting
63 # bundle's signature won't validate normally, but if the executable file is
64 # verified in isolation or with --ignore-resources, it will. Because the
65 # bundle's signature won't validate on its own, don't set any of the enforcement
66 # flags.
67 app_mode_loader_tmp="$(mktemp -t app_mode_loader)"
68 cp "${app_mode_loader}" "${app_mode_loader_tmp}"
69 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
70 "${app_mode_loader_tmp}" \
71 -r="designated => identifier \"app_mode_loader\" \
72 ${requirement_suffix}"
73 cp "${app_mode_loader_tmp}" "${app_mode_loader}"
74 rm -f "${app_mode_loader_tmp}"
75
76 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ 57 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
77 "${framework}" \ 58 "${framework}" \
78 -r="designated => identifier \"com.google.Chrome.framework\" \ 59 -r="designated => identifier \"com.google.Chrome.framework\" \
79 ${requirement_suffix}" 60 ${requirement_suffix}"
80
81 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ 61 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
82 "${helper_app}" \ 62 "${helper_app}" \
83 -r="designated => identifier \"com.google.Chrome.helper\" \ 63 -r="designated => identifier \"com.google.Chrome.helper\" \
84 ${requirement_suffix}" --options "${enforcement_flags}" 64 ${requirement_suffix}" --options "${enforcement_flags}"
85 65
86 # Verify everything. Don't use --deep on the framework because Keystone's 66 # Verify everything. Don't use --deep on the framework because Keystone's
87 # signature is in a transitional state (radar 18474911). 67 # signature is in a transitional state (radar 18474911).
88 codesign --verify --deep "${crashpad_handler}" 68 codesign --verify --deep "${crashpad_handler}"
89 codesign --verify --ignore-resources "${app_mode_loader}"
90 codesign --verify "${framework}" 69 codesign --verify "${framework}"
91 codesign --verify --deep "${helper_app}" 70 codesign --verify --deep "${helper_app}"
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698