| OLD | NEW |
|---|
| 1 #!/bin/bash -p | 1 #!/bin/bash -p |
| 2 | 2 |
| 3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. | 3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # usage: keystone_install.sh update_dmg_mount_point | 7 # usage: keystone_install.sh update_dmg_mount_point |
| 8 # | 8 # |
| 9 # Called by the Keystone system to update the installed application with a new | 9 # Called by the Keystone system to update the installed application with a new |
| 10 # version from a disk image. | 10 # version from a disk image. |
| (...skipping 702 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 713 readonly UNROOTED_DEBUG_FILE="Library/Google/Google Chrome Updater Debug" | 713 readonly UNROOTED_DEBUG_FILE="Library/Google/Google Chrome Updater Debug" |
| 714 | 714 |
| 715 readonly APP_VERSION_KEY="CFBundleShortVersionString" | 715 readonly APP_VERSION_KEY="CFBundleShortVersionString" |
| 716 readonly APP_BUNDLEID_KEY="CFBundleIdentifier" | 716 readonly APP_BUNDLEID_KEY="CFBundleIdentifier" |
| 717 readonly KS_VERSION_KEY="KSVersion" | 717 readonly KS_VERSION_KEY="KSVersion" |
| 718 readonly KS_PRODUCT_KEY="KSProductID" | 718 readonly KS_PRODUCT_KEY="KSProductID" |
| 719 readonly KS_URL_KEY="KSUpdateURL" | 719 readonly KS_URL_KEY="KSUpdateURL" |
| 720 readonly KS_BRAND_KEY="KSBrandID" | 720 readonly KS_BRAND_KEY="KSBrandID" |
| 721 | 721 |
| 722 readonly QUARANTINE_ATTR="com.apple.quarantine" | 722 readonly QUARANTINE_ATTR="com.apple.quarantine" |
| 723 readonly KEYCHAIN_REAUTHORIZE_DIR=".keychain_reauthorize" | |
| 724 | 723 |
| 725 # Don't use rsync -a, because -a expands to -rlptgoD. -g and -o copy owners | 724 # Don't use rsync -a, because -a expands to -rlptgoD. -g and -o copy owners |
| 726 # and groups, respectively, from the source, and that is undesirable in this | 725 # and groups, respectively, from the source, and that is undesirable in this |
| 727 # case. -D copies devices and special files; copying devices only works | 726 # case. -D copies devices and special files; copying devices only works |
| 728 # when running as root, so for consistency between privileged and | 727 # when running as root, so for consistency between privileged and |
| 729 # unprivileged operation, this option is omitted as well. | 728 # unprivileged operation, this option is omitted as well. |
| 730 # -I, --ignore-times don't skip files that match in size and mod-time | 729 # -I, --ignore-times don't skip files that match in size and mod-time |
| 731 # -l, --links copy symlinks as symlinks | 730 # -l, --links copy symlinks as symlinks |
| 732 # -r, --recursive recurse into directories | 731 # -r, --recursive recurse into directories |
| 733 # -p, --perms preserve permissions | 732 # -p, --perms preserve permissions |
| (...skipping 869 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1603 | 1602 |
| 1604 if os_xattr_supports_r; then | 1603 if os_xattr_supports_r; then |
| 1605 # On 10.6, xattr supports -r for recursive operation. | 1604 # On 10.6, xattr supports -r for recursive operation. |
| 1606 xattr -d -r "${QUARANTINE_ATTR}" "${installed_app}" 2> /dev/null | 1605 xattr -d -r "${QUARANTINE_ATTR}" "${installed_app}" 2> /dev/null |
| 1607 else | 1606 else |
| 1608 # On earlier systems, xattr doesn't support -r, so run xattr via find. | 1607 # On earlier systems, xattr doesn't support -r, so run xattr via find. |
| 1609 find "${installed_app}" -exec xattr -d "${QUARANTINE_ATTR}" {} + \ | 1608 find "${installed_app}" -exec xattr -d "${QUARANTINE_ATTR}" {} + \ |
| 1610 2> /dev/null | 1609 2> /dev/null |
| 1611 fi | 1610 fi |
| 1612 | 1611 |
| 1613 # Do Keychain reauthorization. This involves running a stub executable on | |
| 1614 # the dmg that loads the newly-updated framework and jumps to it to perform | |
| 1615 # the reauthorization. The stub executable can be signed by the old | |
| 1616 # certificate even after the rest of Chrome switches to the new certificate, | |
| 1617 # so it still has access to the old Keychain items. The stub executable is | |
| 1618 # an unbundled flat file executable whose name matches the real | |
| 1619 # application's bundle identifier, so it's permitted access to the Keychain | |
| 1620 # items. Doing a reauthorization step at update time reauthorizes Keychain | |
| 1621 # items for users who never bother restarting Chrome, and provides a | |
| 1622 # mechanism to continue doing reauthorizations even after the certificate | |
| 1623 # changes. However, it only works for non-system ticket installations of | |
| 1624 # Chrome, because the updater runs as root when on a system ticket, and root | |
| 1625 # can't access individual user Keychains. | |
| 1626 # | |
| 1627 # Even if the reauthorization tool is launched, it doesn't necessarily try | |
| 1628 # to do anything. It will only attempt to perform a reauthorization if one | |
| 1629 # hasn't yet been done at update time. | |
| 1630 note "maybe reauthorizing Keychain" | |
| 1631 | |
| 1632 if [[ -z "${system_ticket}" ]]; then | |
| 1633 local new_bundleid_app | |
| 1634 new_bundleid_app="$(infoplist_read "${installed_app_plist}" \ | |
| 1635 "${APP_BUNDLEID_KEY}" || true)" | |
| 1636 note "new_bundleid_app = ${new_bundleid_app}" | |
| 1637 | |
| 1638 local keychain_reauthorize_dir="\ | |
| 1639 ${update_dmg_mount_point}/${KEYCHAIN_REAUTHORIZE_DIR}" | |
| 1640 local keychain_reauthorize_path="\ | |
| 1641 ${keychain_reauthorize_dir}/${new_bundleid_app}" | |
| 1642 note "keychain_reauthorize_path = ${keychain_reauthorize_path}" | |
| 1643 | |
| 1644 if [[ -x "${keychain_reauthorize_path}" ]]; then | |
| 1645 local framework_dir="${new_versioned_dir}/${FRAMEWORK_DIR}" | |
| 1646 local framework_code_path="${framework_dir}/${FRAMEWORK_NAME}" | |
| 1647 note "framework_code_path = ${framework_code_path}" | |
| 1648 | |
| 1649 if [[ -f "${framework_code_path}" ]]; then | |
| 1650 note "reauthorizing Keychain" | |
| 1651 "${keychain_reauthorize_path}" "${framework_code_path}" | |
| 1652 fi | |
| 1653 fi | |
| 1654 else | |
| 1655 note "system ticket, not reauthorizing Keychain" | |
| 1656 fi | |
| 1657 | |
| 1658 # Great success! | 1612 # Great success! |
| 1659 note "done!" | 1613 note "done!" |
| 1660 | 1614 |
| 1661 trap - EXIT | 1615 trap - EXIT |
| 1662 | 1616 |
| 1663 return 0 | 1617 return 0 |
| 1664 } | 1618 } |
| 1665 | 1619 |
| 1666 # Check "less than" instead of "not equal to" in case Keystone ever changes to | 1620 # Check "less than" instead of "not equal to" in case Keystone ever changes to |
| 1667 # pass more arguments. | 1621 # pass more arguments. |
| 1668 if [[ ${#} -lt 1 ]]; then | 1622 if [[ ${#} -lt 1 ]]; then |
| 1669 usage | 1623 usage |
| 1670 exit 2 | 1624 exit 2 |
| 1671 fi | 1625 fi |
| 1672 | 1626 |
| 1673 main "${@}" | 1627 main "${@}" |
| 1674 exit ${?} | 1628 exit ${?} |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 183713003:
Remove keychain_reauthorize (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src