Refactor mac signing scripts for development workflow

chrome/installer/mac/sign_versioned_dir.sh.in

 #!/bin/bash -p
 
 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Using codesign, sign the contents of the versioned directory. Namely, this
 # includes the framework and helper app. After signing, the signatures are
 # verified.
 
 set -eu
 
 # Environment sanitization. Set a known-safe PATH. Clear environment variables
 # that might impact the interpreter's operation. The |bash -p| invocation
 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
 # other features), but clearing them here ensures that they won't impact any
 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be
 # unset, only unexported.
 export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
 export -n SHELLOPTS
 
 ME="$(basename "${0}")"
 readonly ME
 
+script_dir="$(dirname "${0}")"
+source "${script_dir}/variables.sh"
+
 codesign_display_and_verify() {
   path=${1}
   shift
 
   # --verbose can go up to 6 for --display, but that just shows the hash of each
   # ordinary page in the executable, which is more noise than anything else.
   codesign --display --verbose=5 -r- "${path}"
   codesign --verify --verbose=6 "${@}" "${path}"
 }
 
-if [[ ${#} -ne 3 ]]; then
-  echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
+if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
+  echo "usage: ${ME} app_path codesign_keychain codesign_id [--development]" >& 2
   exit 1
 fi
 
 app_path="${1}"
 codesign_keychain="${2}"
 codesign_id="${3}"
+is_development=false
+
+if [[ ${#} == 4 && ${4} == "--development" ]]; then
+  is_development=true
+fi
 
 versioned_dir="${app_path}/Contents/Versions/@VERSION@"
 
 # To sign an .app bundle that contains nested code, the nested components
 # themselves must be signed. Each of these components is signed below. Note
 # that unless a framework has multiple versions (which is discouraged), signing
 # the entire framework is equivalent to signing the Current version.
 # https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG13
 
 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
 notification_service="${framework}/XPCServices/AlertNotificationService.xpc"
 crashpad_handler="${framework}/Helpers/crashpad_handler"
 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
 app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
 
-requirement_suffix="\
-and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \
-certificate leaf = H\"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a\") \
-"
-
-enforcement_flags_app="restrict"
-enforcement_flags="${enforcement_flags_app},library"
 
 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
     "${crashpad_handler}" \
-    --options "${enforcement_flags}" \
+    --options "${enforcement_flags_helpers}" \
     -r="designated => identifier \"crashpad_handler\" \
 ${requirement_suffix}"
 
 # The app mode loader bundle is modified dynamically at runtime. Just sign the
 # executable, which shouldn't change. In order to do this, the executable needs
 # to be copied out of the bundle, signed, and then copied back in. The resulting
 # bundle's signature won't validate normally, but if the executable file is
 # verified in isolation or with --ignore-resources, it will.
 app_mode_loader_tmp="$(mktemp -t app_mode_loader)"
 cp "${app_mode_loader}" "${app_mode_loader_tmp}"
 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
     "${app_mode_loader_tmp}" \
     --identifier app_mode_loader \
-    --options "${enforcement_flags}" \
+    --options "${enforcement_flags_helpers}" \
     -r="designated => identifier \"app_mode_loader\" \
 ${requirement_suffix}"
 cp "${app_mode_loader_tmp}" "${app_mode_loader}"
 rm -f "${app_mode_loader_tmp}"
 
 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
     "${notification_service}" \
-    --options "${enforcement_flags}" \
+    --options "${enforcement_flags_helpers}" \
     -r="designated => identifier \"com.google.Chrome.framework.AlertNotificationService\" \
 ${requirement_suffix}"
 
-# The framework is a dylib, so ${enforcement_flags} are meaningless.
+# The framework is a dylib, so ${enforcement_flags_helpers} are meaningless.
 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
     "${framework}" \
     -r="designated => identifier \"com.google.Chrome.framework\" \
 ${requirement_suffix}"
 
 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
     "${helper_app}" \
     --options "${enforcement_flags_app}" \
     -r="designated => identifier \"com.google.Chrome.helper\" \
 ${requirement_suffix}"
 
 # Show the signatures and verify everything.
 codesign_display_and_verify "${crashpad_handler}" --deep
 codesign_display_and_verify "${app_mode_loader}" --ignore-resources
 codesign_display_and_verify "${notification_service}" --deep
 codesign_display_and_verify "${framework}" --deep
 codesign_display_and_verify "${helper_app}" --deep