| OLD | NEW |
|---|---|
| 1 #!/bin/bash -p | 1 #!/bin/bash -p |
| 2 | 2 |
| 3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. | 3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # Using codesign, sign the application. After signing, the signatures on the | 7 # Using codesign, sign the application. After signing, the signatures on the |
| 8 # inner bundle components are verified, and the application's own signature is | 8 # inner bundle components are verified, and the application's own signature is |
| 9 # verified. Inner bundle components are expected to be signed before this | 9 # verified. Inner bundle components are expected to be signed before this |
| 10 # script is called. See sign_versioned_dir.sh.in. | 10 # script is called. See sign_versioned_dir.sh.in. |
| 11 | 11 |
| 12 set -eu | 12 set -eu |
| 13 | 13 |
| 14 # Environment sanitization. Set a known-safe PATH. Clear environment variables | 14 # Environment sanitization. Set a known-safe PATH. Clear environment variables |
| 15 # that might impact the interpreter's operation. The |bash -p| invocation | 15 # that might impact the interpreter's operation. The |bash -p| invocation |
| 16 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among | 16 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among |
| 17 # other features), but clearing them here ensures that they won't impact any | 17 # other features), but clearing them here ensures that they won't impact any |
| 18 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be | 18 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be |
| 19 # unset, only unexported. | 19 # unset, only unexported. |
| 20 export PATH="/usr/bin:/bin:/usr/sbin:/sbin" | 20 export PATH="/usr/bin:/bin:/usr/sbin:/sbin" |
| 21 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT | 21 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT |
| 22 export -n SHELLOPTS | 22 export -n SHELLOPTS |
| 23 | 23 |
| 24 ME="$(basename "${0}")" | 24 ME="$(basename "${0}")" |
| 25 readonly ME | 25 readonly ME |
| 26 | 26 |
| 27 if [[ ${#} -ne 3 ]]; then | 27 if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then |
| 28 echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2 | 28 echo "usage: ${ME} app_path codesign_keychain codesign_id [--development]" >& 2 |
|
Mark Mentovai
2017/04/24 15:00:23
Stay within 80 characters.
Greg K
2017/04/25 00:55:01
Done.
| |
| 29 exit 1 | 29 exit 1 |
| 30 fi | 30 fi |
| 31 | 31 |
| 32 app_path="${1}" | 32 app_path="${1}" |
| 33 codesign_keychain="${2}" | 33 codesign_keychain="${2}" |
| 34 codesign_id="${3}" | 34 codesign_id="${3}" |
| 35 is_development=false | |
|
Mark Mentovai
2017/04/24 15:00:23
It’d be more normal for this to either be blank or
Greg K
2017/04/25 00:55:01
Done.
| |
| 36 | |
| 37 if [[ ${#} == 4 && ${4} == "--development" ]]; then | |
| 38 is_development=true | |
| 39 fi | |
| 40 | |
| 41 script_dir="$(dirname "${0}")" | |
| 42 source "${script_dir}/variables.sh" | |
| 35 | 43 |
| 36 # Use custom resource rules for the browser application. | 44 # Use custom resource rules for the browser application. |
| 37 script_dir="$(dirname "${0}")" | |
| 38 browser_app_rules="${script_dir}/app_resource_rules.plist" | 45 browser_app_rules="${script_dir}/app_resource_rules.plist" |
| 39 | 46 |
| 40 versioned_dir="${app_path}/Contents/Versions/@VERSION@" | 47 versioned_dir="${app_path}/Contents/Versions/@VERSION@" |
| 41 | 48 |
| 42 browser_app="${app_path}" | 49 browser_app="${app_path}" |
| 43 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" | 50 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" |
| 44 notification_service="${framework}/XPCServices/AlertNotificationService.xpc" | 51 notification_service="${framework}/XPCServices/AlertNotificationService.xpc" |
| 45 crashpad_handler="${framework}/Helpers/crashpad_handler" | 52 crashpad_handler="${framework}/Helpers/crashpad_handler" |
| 46 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" | 53 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" |
| 47 app_mode_loader_app="${framework}/Resources/app_mode_loader.app" | 54 app_mode_loader_app="${framework}/Resources/app_mode_loader.app" |
| 48 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader" | 55 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader" |
| 49 | 56 |
| 50 requirement_string="\ | 57 requirement_string="\ |
| 51 designated => \ | 58 designated => \ |
| 52 (identifier \"com.google.Chrome\" or \ | 59 (identifier \"com.google.Chrome\" or \ |
| 53 identifier \"com.google.Chrome.beta\" or \ | 60 identifier \"com.google.Chrome.beta\" or \ |
| 54 identifier \"com.google.Chrome.dev\" or \ | 61 identifier \"com.google.Chrome.dev\" or \ |
| 55 identifier \"com.google.Chrome.canary\") \ | 62 identifier \"com.google.Chrome.canary\") \ |
| 56 and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \ | 63 ${requirement_suffix} \ |
| 57 certificate leaf = H\"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a\") \ | |
| 58 " | 64 " |
| 59 | 65 |
| 60 enforcement_flags="restrict" | 66 if [[ $is_development = false ]]; then |
| 61 | 67 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ |
|
Mark Mentovai
2017/04/24 15:00:23
You can build up the codesign --sign command line
Mark Mentovai
2017/04/24 22:29:17
You can also write it a bit more directly by using
Greg K
2017/04/25 00:55:01
Done.
| |
| 62 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | 68 "${browser_app}" \ |
| 63 "${browser_app}" \ | 69 --options "${enforcement_flags_app}" \ |
| 64 --options "${enforcement_flags}" \ | 70 --resource-rules "${browser_app_rules}" \ |
| 65 --resource-rules "${browser_app_rules}" \ | 71 -r="${requirement_string}" |
| 66 -r="${requirement_string}" | 72 else |
| 73 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | |
| 74 "${browser_app}" \ | |
| 75 --options "${enforcement_flags_app}" \ | |
| 76 --resource-rules "${browser_app_rules}" | |
| 77 fi | |
| 67 | 78 |
| 68 # Show the signature. | 79 # Show the signature. |
| 69 codesign --display --verbose=5 -r- "${browser_app}" | 80 codesign --display --verbose=5 -r- "${browser_app}" |
| 70 | 81 |
| 71 # Verify everything. Check the framework and helper apps to make sure that the | 82 # Verify everything. Check the framework and helper apps to make sure that the |
| 72 # signatures are present and weren't altered by the signing process. Use | 83 # signatures are present and weren't altered by the signing process. Use |
| 73 # --ignore-resources on the app mode loader because its signature only covers | 84 # --ignore-resources on the app mode loader because its signature only covers |
| 74 # the main executable, not its containing .app bundle. Use --no-strict on the | 85 # the main executable, not its containing .app bundle. Use --no-strict on the |
| 75 # outermost browser .app because it uses custom resource rules. | 86 # outermost browser .app because it uses custom resource rules. |
| 76 codesign --verify --verbose=6 --deep --no-strict "${browser_app}" | 87 codesign --verify --verbose=6 --deep --no-strict "${browser_app}" |
| 77 codesign --verify --verbose=6 --deep "${crashpad_handler}" | 88 codesign --verify --verbose=6 --deep "${crashpad_handler}" |
| 78 codesign --verify --verbose=6 --ignore-resources "${app_mode_loader}" | 89 codesign --verify --verbose=6 --ignore-resources "${app_mode_loader}" |
| 79 codesign --verify --verbose=6 --deep "${notification_service}" | 90 codesign --verify --verbose=6 --deep "${notification_service}" |
| 80 codesign --verify --verbose=6 --deep "${framework}" | 91 codesign --verify --verbose=6 --deep "${framework}" |
| 81 codesign --verify --verbose=6 --deep "${helper_app}" | 92 codesign --verify --verbose=6 --deep "${helper_app}" |
| 82 | 93 |
| 83 # Verify with spctl, which uses the same rules that Gatekeeper does for | 94 # Verify with spctl, which uses the same rules that Gatekeeper does for |
|
Mark Mentovai
2017/04/24 15:00:23
Why bother making a temp_dir that you never use? B
Greg K
2017/04/25 00:55:01
Done.
| |
| 84 # validation. This is unreliable on 10.11 where syspolicyd caches assessments | 95 # validation. This is unreliable on 10.11 where syspolicyd caches assessments |
| 85 # and becomes confused when a bundle's CFExecutableName changes | 96 # and becomes confused when a bundle's CFExecutableName changes |
| 86 # (https://openradar.appspot.com/23614087), so verify a copy at a unique path. | 97 # (https://openradar.appspot.com/23614087), so verify a copy at a unique path. |
| 87 temp_dir="$(mktemp -d -t "$(basename "${0}")")" | 98 temp_dir="$(mktemp -d -t "$(basename "${0}")")" |
| 88 | 99 |
| 89 cleanup() { | 100 cleanup() { |
| 90 set +e | 101 set +e |
| 91 rm -rf "${temp_dir}" | 102 rm -rf "${temp_dir}" |
| 92 } | 103 } |
| 93 trap cleanup EXIT | 104 trap cleanup EXIT |
| 94 | 105 |
| 95 temp_browser_app="${temp_dir}/$(basename "${browser_app}")" | 106 if [[ $is_development = false ]]; then |
| 96 rsync -a "${browser_app}/" "${temp_browser_app}" | 107 temp_browser_app="${temp_dir}/$(basename "${browser_app}")" |
| 97 spctl --assess -vv "${temp_browser_app}" | 108 rsync -a "${browser_app}/" "${temp_browser_app}" |
| 109 spctl --assess -vv "${temp_browser_app}" | |
| 110 fi | |
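Review bot: A fourth argument that is not exactly `--development` is silently accepted on new line 37, because the count check on new line 27 lets any four arguments through and the comparison then simply leaves `is_development=false`. That falls on the stricter path, but a signing script should reject a misspelled flag rather than guess, for example by widening the usage check to `if [[ ${#} -lt 3 || ${#} -gt 4 || ( ${#} -eq 4 && "${4}" != "--development" ) ]]; then`. Separately, the certificate-leaf pin removed from the requirement string on new line 63 now arrives as `${requirement_suffix}`, presumably from `variables.sh`, which is not shown on this page. `set -u` catches that variable being unset but not being empty, so a guard such as `: "${requirement_suffix:?}"` before the production `codesign` call would stop an identifier-only designated requirement from being applied unnoticed.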
| OLD | NEW |