Refactor mac signing scripts for development workflow

chrome/installer/mac/sign_app.sh.in

 #!/bin/bash -p
 
 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Using codesign, sign the application. After signing, the signatures on the
 # inner bundle components are verified, and the application's own signature is
 # verified. Inner bundle components are expected to be signed before this
 # script is called. See sign_versioned_dir.sh.in.
 
 set -eu
 
 # Environment sanitization. Set a known-safe PATH. Clear environment variables
 # that might impact the interpreter's operation. The |bash -p| invocation
 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
 # other features), but clearing them here ensures that they won't impact any
 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be
 # unset, only unexported.
 export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
 export -n SHELLOPTS
 
 ME="$(basename "${0}")"
 readonly ME
 
-if [[ ${#} -ne 3 ]]; then
-  echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
+if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
+  echo "usage: ${ME} app_path codesign_keychain codesign_id [--development]" >& 2

[Mark Mentovai, 2017/04/24 15:00:23]

Stay within 80 characters.

[Greg K, 2017/04/25 00:55:01]

Done.

   exit 1
 fi
 
 app_path="${1}"
 codesign_keychain="${2}"
 codesign_id="${3}"
+is_development=false

[Mark Mentovai, 2017/04/24 15:00:23]

It’d be more normal for this to either be blank or non-blank, and then you’d
test with [[ -z "${is_development}" ]] (meaning production) or [[ -n
"${is_development}" ]] (meaning development).

[Greg K, 2017/04/25 00:55:01]

Done.

+
+if [[ ${#} == 4 && ${4} == "--development" ]]; then
+  is_development=true
+fi
+
+script_dir="$(dirname "${0}")"
+source "${script_dir}/variables.sh"
 
 # Use custom resource rules for the browser application.
-script_dir="$(dirname "${0}")"
 browser_app_rules="${script_dir}/app_resource_rules.plist"
 
 versioned_dir="${app_path}/Contents/Versions/@VERSION@"
 
 browser_app="${app_path}"
 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
 notification_service="${framework}/XPCServices/AlertNotificationService.xpc"
 crashpad_handler="${framework}/Helpers/crashpad_handler"
 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
 app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
 
 requirement_string="\
 designated => \
 (identifier \"com.google.Chrome\" or \
 identifier \"com.google.Chrome.beta\" or \
 identifier \"com.google.Chrome.dev\" or \
 identifier \"com.google.Chrome.canary\") \
-and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \
-certificate leaf = H\"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a\") \
+${requirement_suffix} \
 "
 
-enforcement_flags="restrict"
-
-codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
-    "${browser_app}" \
-    --options "${enforcement_flags}" \
-    --resource-rules "${browser_app_rules}" \
-    -r="${requirement_string}"
+if [[ $is_development = false ]]; then
+  codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \

[Mark Mentovai, 2017/04/24 15:00:23]

You can build up the codesign --sign command line in an array, and append -r= to
the array only if you’re not ${is_development}

[Mark Mentovai, 2017/04/24 22:29:17]

You can also write it a bit more directly by using an array to hold the optional
extra argument(s), and have the array be empty if they're not present. That's
probably better than building up the entire command in an array.

[Greg K, 2017/04/25 00:55:01]

Done.

+      "${browser_app}" \
+      --options "${enforcement_flags_app}" \
+      --resource-rules "${browser_app_rules}" \
+      -r="${requirement_string}"
+else
+  codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
+      "${browser_app}" \
+      --options "${enforcement_flags_app}" \
+      --resource-rules "${browser_app_rules}" 
+fi
 
 # Show the signature.
 codesign --display --verbose=5 -r- "${browser_app}"
 
 # Verify everything. Check the framework and helper apps to make sure that the
 # signatures are present and weren't altered by the signing process. Use
 # --ignore-resources on the app mode loader because its signature only covers
 # the main executable, not its containing .app bundle. Use --no-strict on the
 # outermost browser .app because it uses custom resource rules.
 codesign --verify --verbose=6 --deep --no-strict "${browser_app}"
 codesign --verify --verbose=6 --deep "${crashpad_handler}"
 codesign --verify --verbose=6 --ignore-resources "${app_mode_loader}"
 codesign --verify --verbose=6 --deep "${notification_service}"
 codesign --verify --verbose=6 --deep "${framework}"
 codesign --verify --verbose=6 --deep "${helper_app}"
 
 # Verify with spctl, which uses the same rules that Gatekeeper does for

[Mark Mentovai, 2017/04/24 15:00:23]

Why bother making a temp_dir that you never use? Begin the !development
conditional here, indent all of this stuff that follows.

[Greg K, 2017/04/25 00:55:01]

Done.

 # validation. This is unreliable on 10.11 where syspolicyd caches assessments
 # and becomes confused when a bundle's CFExecutableName changes
 # (https://openradar.appspot.com/23614087), so verify a copy at a unique path.
 temp_dir="$(mktemp -d -t "$(basename "${0}")")"
 
 cleanup() {
   set +e
   rm -rf "${temp_dir}"
 }
 trap cleanup EXIT
 
-temp_browser_app="${temp_dir}/$(basename "${browser_app}")"
-rsync -a "${browser_app}/" "${temp_browser_app}"
-spctl --assess -vv "${temp_browser_app}"
+if [[ $is_development = false ]]; then
+  temp_browser_app="${temp_dir}/$(basename "${browser_app}")"
+  rsync -a "${browser_app}/" "${temp_browser_app}"
+  spctl --assess -vv "${temp_browser_app}"
+fi