Refactor mac signing scripts for development workflow

chrome/installer/mac/sign_versioned_dir.sh.in

 #!/bin/bash -p
 
 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Using codesign, sign the contents of the versioned directory. Namely, this
 # includes the framework and helper app. After signing, the signatures are
 # verified.
 
 set -eu
 
 # Environment sanitization. Set a known-safe PATH. Clear environment variables
 # that might impact the interpreter's operation. The |bash -p| invocation
 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
 # other features), but clearing them here ensures that they won't impact any
 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be
 # unset, only unexported.
 export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
 export -n SHELLOPTS
 
 ME="$(basename "${0}")"
 readonly ME
 
+script_dir="$(dirname "${0}")"
+source "${script_dir}/variables.sh"
+
 codesign_display_and_verify() {
   path=${1}
   shift
 
   # --verbose can go up to 6 for --display, but that just shows the hash of each
   # ordinary page in the executable, which is more noise than anything else.
   codesign --display --verbose=5 -r- "${path}"
   codesign --verify --verbose=6 "${@}" "${path}"
 }
 
-if [[ ${#} -ne 3 ]]; then
-  echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
+if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
+  echo "usage: ${ME} app_path codesign_keychain codesign_id \
+[--development]" >& 2
   exit 1
 fi
 
 app_path="${1}"
 codesign_keychain="${2}"
 codesign_id="${3}"
+is_development=
+
+if [[ ${#} == 4 && ${4} == "--development" ]]; then
+  is_development=1
+fi
+
+codesign_with_options() {
+  path=${1}
+  options=${2}
+  identifier=${3}

[Mark Mentovai, 2017/04/25 02:02:25]

Since you’re accepting this as an argument here, maybe you should sign with an
explicit --identifier so that it matches what you stuff into the requirement.

[Greg K, 2017/04/25 18:45:21]

I would rather do this only for app_mode_loader, since for the rest it will
catch a mistake between the plist and the DR. WDYT?

[Mark Mentovai, 2017/04/25 18:46:49]

That sounds good. Let’s call this variable requirement_identifier or something
then, to avoid confusion.

[Greg K, 2017/04/25 20:27:35]

Done.

+
+  codesign_cmd=(
+    codesign --sign "${codesign_id}" --keychain "${codesign_keychain}"
+    "${path}"
+  )
+
+  if [[ -n "${options}" ]]; then
+    codesign_cmd+=( --options "${options}" )
+  fi
+
+  if [[ -z "${is_development}" ]]; then
+    requirement="designated => identifier \"${identifier}\" \
+${requirement_suffix}"
+    codesign_cmd+=( -r="${requirement}" )
+  fi
+  "${codesign_cmd[@]}"
+}
 
 versioned_dir="${app_path}/Contents/Versions/@VERSION@"
 
 # To sign an .app bundle that contains nested code, the nested components
 # themselves must be signed. Each of these components is signed below. Note
 # that unless a framework has multiple versions (which is discouraged), signing
 # the entire framework is equivalent to signing the Current version.
 # https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG13
 
 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
 notification_service="${framework}/XPCServices/AlertNotificationService.xpc"
 crashpad_handler="${framework}/Helpers/crashpad_handler"
 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
 app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
 
-requirement_suffix="\
-and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \
-certificate leaf = H\"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a\") \
-"
-
-enforcement_flags_app="restrict"
-enforcement_flags="${enforcement_flags_app},library"
-
-codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
-    "${crashpad_handler}" \
-    --options "${enforcement_flags}" \
-    -r="designated => identifier \"crashpad_handler\" \
-${requirement_suffix}"
+codesign_with_options "${crashpad_handler}" \
+                      "${enforcement_flags_helpers}" \
+                      "crashpad_handler"
 
 # The app mode loader bundle is modified dynamically at runtime. Just sign the
 # executable, which shouldn't change. In order to do this, the executable needs
 # to be copied out of the bundle, signed, and then copied back in. The resulting
 # bundle's signature won't validate normally, but if the executable file is
 # verified in isolation or with --ignore-resources, it will.
 app_mode_loader_tmp="$(mktemp -t app_mode_loader)"
 cp "${app_mode_loader}" "${app_mode_loader_tmp}"
-codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
-    "${app_mode_loader_tmp}" \
-    --identifier app_mode_loader \
-    --options "${enforcement_flags}" \
-    -r="designated => identifier \"app_mode_loader\" \
-${requirement_suffix}"
+
+codesign_with_options "${app_mode_loader_tmp}" \

[Mark Mentovai, 2017/04/25 02:02:25]

Since you don’t have --identifier in codesign_with_options, this will no longer
be signed with --identifier, and the default identifier won’t be app_mode_loader
because we sign it as a temporary file with a different name.

[Greg K, 2017/04/25 18:45:21]

Done.

+                      "${enforcement_flags_helpers}" \
+                      "app_mode_loader"
+
 cp "${app_mode_loader_tmp}" "${app_mode_loader}"
 rm -f "${app_mode_loader_tmp}"
 
-codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
-    "${notification_service}" \
-    --options "${enforcement_flags}" \
-    -r="designated => identifier \"com.google.Chrome.framework.AlertNotificationService\" \
-${requirement_suffix}"
+codesign_with_options "${notification_service}" \
+                      "${enforcement_flags_helpers}" \
+                      "com.google.Chrome.framework.AlertNotificationService"
 
-# The framework is a dylib, so ${enforcement_flags} are meaningless.
-codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
-    "${framework}" \
-    -r="designated => identifier \"com.google.Chrome.framework\" \
-${requirement_suffix}"
+# The framework is a dylib, so ${enforcement_flags_helpers} are meaningless.
+codesign_with_options "${framework}" "" "com.google.Chrome.framework"
 
-codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
-    "${helper_app}" \
-    --options "${enforcement_flags_app}" \
-    -r="designated => identifier \"com.google.Chrome.helper\" \
-${requirement_suffix}"
+codesign_with_options "${helper_app}" \
+                      "${enforcement_flags_helpers}" \

[Mark Mentovai, 2017/04/25 02:02:25]

We used to use ${enforcement_flags_app} here. Do we want to drop “-o
library” from this?

[Greg K, 2017/04/25 18:45:21]

Thanks for catching that.

+                      "com.google.Chrome.helper"
 
 # Show the signatures and verify everything.
 codesign_display_and_verify "${crashpad_handler}" --deep
 codesign_display_and_verify "${app_mode_loader}" --ignore-resources
 codesign_display_and_verify "${notification_service}" --deep
 codesign_display_and_verify "${framework}" --deep
 codesign_display_and_verify "${helper_app}" --deep