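--- a/keystone_install.sh
+++ b/keystone_install.sh
@@ -1,10 +1,10 @@
 #!/bin/bash -p
 
 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # usage: keystone_install.sh update_dmg_mount_point
 #
 # Called by the Keystone system to update the installed application with a new
 # version from a disk image.
@@ -713,21 +713,20 @@
 readonly UNROOTED_DEBUG_FILE="Library/Google/Google Chrome Updater Debug"
 
 readonly APP_VERSION_KEY="CFBundleShortVersionString"
 readonly APP_BUNDLEID_KEY="CFBundleIdentifier"
 readonly KS_VERSION_KEY="KSVersion"
 readonly KS_PRODUCT_KEY="KSProductID"
 readonly KS_URL_KEY="KSUpdateURL"
 readonly KS_BRAND_KEY="KSBrandID"
 
 readonly QUARANTINE_ATTR="com.apple.quarantine"
-readonly KEYCHAIN_REAUTHORIZE_DIR=".keychain_reauthorize"
 
 # Don't use rsync -a, because -a expands to -rlptgoD. -g and -o copy owners
 # and groups, respectively, from the source, and that is undesirable in this
 # case. -D copies devices and special files; copying devices only works
 # when running as root, so for consistency between privileged and
 # unprivileged operation, this option is omitted as well.
 # -I, --ignore-times don't skip files that match in size and mod-time
 # -l, --links copy symlinks as symlinks
 # -r, --recursive recurse into directories
 # -p, --perms preserve permissions
@@ -1603,72 +1602,27 @@
 
 if os_xattr_supports_r; then
 # On 10.6, xattr supports -r for recursive operation.
 xattr -d -r "${QUARANTINE_ATTR}" "${installed_app}" 2> /dev/null
 else
 # On earlier systems, xattr doesn't support -r, so run xattr via find.
 find "${installed_app}" -exec xattr -d "${QUARANTINE_ATTR}" {} + \
 2> /dev/null
 fi
 
-# Do Keychain reauthorization. This involves running a stub executable on
-# the dmg that loads the newly-updated framework and jumps to it to perform
-# the reauthorization. The stub executable can be signed by the old
-# certificate even after the rest of Chrome switches to the new certificate,
-# so it still has access to the old Keychain items. The stub executable is
-# an unbundled flat file executable whose name matches the real
-# application's bundle identifier, so it's permitted access to the Keychain
-# items. Doing a reauthorization step at update time reauthorizes Keychain
-# items for users who never bother restarting Chrome, and provides a
-# mechanism to continue doing reauthorizations even after the certificate
-# changes. However, it only works for non-system ticket installations of
-# Chrome, because the updater runs as root when on a system ticket, and root
-# can't access individual user Keychains.
-#
-# Even if the reauthorization tool is launched, it doesn't necessarily try
-# to do anything. It will only attempt to perform a reauthorization if one
-# hasn't yet been done at update time.
-note "maybe reauthorizing Keychain"
-
-if [[ -z "${system_ticket}" ]]; then
-local new_bundleid_app
-new_bundleid_app="$(infoplist_read "${installed_app_plist}" \
-"${APP_BUNDLEID_KEY}" || true)"
-note "new_bundleid_app = ${new_bundleid_app}"
-
-local keychain_reauthorize_dir="\
-${update_dmg_mount_point}/${KEYCHAIN_REAUTHORIZE_DIR}"
-local keychain_reauthorize_path="\
-${keychain_reauthorize_dir}/${new_bundleid_app}"
-note "keychain_reauthorize_path = ${keychain_reauthorize_path}"
-
-if [[ -x "${keychain_reauthorize_path}" ]]; then
-local framework_dir="${new_versioned_dir}/${FRAMEWORK_DIR}"
-local framework_code_path="${framework_dir}/${FRAMEWORK_NAME}"
-note "framework_code_path = ${framework_code_path}"
-
-if [[ -f "${framework_code_path}" ]]; then
-note "reauthorizing Keychain"
-"${keychain_reauthorize_path}" "${framework_code_path}"
-fi
-fi
-else
-note "system ticket, not reauthorizing Keychain"
-fi
-
 # Great success!
 note "done!"
 
 trap - EXIT
 
 return 0
 }
 
 # Check "less than" instead of "not equal to" in case Keystone ever changes to
 # pass more arguments.
 if [[ ${#} -lt 1 ]]; then
 usage
 exit 2
 fi
 
 main "${@}"
 exit ${?}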