
Side by Side Diff: chrome/installer/mac/sign_installer_tools.sh

Issue 2832073002: Refactor mac signing scripts for development workflow (Closed)
Patch Set: Renamed requirement Created 3 years, 8 months ago
1 #!/bin/bash -p 1 #!/bin/bash -p
2 2
3 # Copyright 2015 The Chromium Authors. All rights reserved. 3 # Copyright 2015 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be 4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file. 5 # found in the LICENSE file.
6 6
7 # Using codesign, sign the installer tools. After signing, the signatures are 7 # Using codesign, sign the installer tools. After signing, the signatures are
8 # verified. 8 # verified.
9 9
10 set -eu 10 set -eu
11 11
12 # Environment sanitization. Set a known-safe PATH. Clear environment variables 12 # Environment sanitization. Set a known-safe PATH. Clear environment variables
13 # that might impact the interpreter's operation. The |bash -p| invocation 13 # that might impact the interpreter's operation. The |bash -p| invocation
14 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among 14 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
15 # other features), but clearing them here ensures that they won't impact any 15 # other features), but clearing them here ensures that they won't impact any
16 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be 16 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be
17 # unset, only unexported. 17 # unset, only unexported.
18 export PATH="/usr/bin:/bin:/usr/sbin:/sbin" 18 export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
19 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT 19 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
20 export -n SHELLOPTS 20 export -n SHELLOPTS
21 21
22 ME="$(basename "${0}")" 22 ME="$(basename "${0}")"
23 readonly ME 23 readonly ME
24 24
25 if [[ ${#} -ne 3 ]]; then 25 if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
26 echo "usage: ${ME} packaging_dir codesign_keychain codesign_id" >& 2 26 echo "usage: ${ME} packaging_dir codesign_keychain codesign_id \
27 [--development]" >& 2
27 exit 1 28 exit 1
28 fi 29 fi
29 30
30 packaging_dir="${1}" 31 packaging_dir="${1}"
31 codesign_keychain="${2}" 32 codesign_keychain="${2}"
32 codesign_id="${3}" 33 codesign_id="${3}"
34 is_development=
33 35
34 enforcement_flags="restrict,library-validation,kill" 36 if [[ ${#} == 4 && ${4} == "--development" ]]; then
37 is_development=1
38 fi
39
40 script_dir="$(dirname "${0}")"
41 source "${script_dir}/variables.sh"
35 42
36 executables=(goobspatch xzdec) 43 executables=(goobspatch xzdec)
37 libraries=(liblzma_decompress.dylib) 44 libraries=(liblzma_decompress.dylib)
38 declare -a everything 45 declare -a everything
39 46
40 for executable in "${executables[@]}"; do 47 for executable in "${executables[@]}"; do
41 sign_path="${packaging_dir}/${executable}" 48 sign_path="${packaging_dir}/${executable}"
42 everything+=("${sign_path}") 49 everything+=("${sign_path}")
43 50
44 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ 51 codesign_cmd=(
45 "${sign_path}" --options "${enforcement_flags}" 52 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}"
53 "${sign_path}" --options "${enforcement_flags_installer_tools}"
54 )
55
56 if [[ -z "${is_development}" ]]; then
57 requirement="designated => identifier \"${executable}\" \
58 ${requirement_suffix}"
59 codesign_cmd+=( -r="${designated}" )
Mark Mentovai 2017/04/25 20:34:57 ${requirement}, not ${designated}, right? You cal
Greg K 2017/04/25 22:15:05 Good catch. It turns out spctl failing caused the
60 fi
61
62 "${codesign_cmd[@]}"
46 done 63 done
47 64
48 for library in "${libraries[@]}"; do 65 for library in "${libraries[@]}"; do
49 sign_path="${packaging_dir}/${library}" 66 sign_path="${packaging_dir}/${library}"
50 everything+=("${sign_path}") 67 everything+=("${sign_path}")
51 68
52 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ 69 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
53 "${sign_path}" 70 "${sign_path}"
54 done 71 done
55 72
56 for sign_path in "${everything[@]}"; do 73 for sign_path in "${everything[@]}"; do
57 codesign --verify --deep -vvvvvv "${sign_path}" 74 codesign --verify --deep -vvvvvv "${sign_path}"
58 done 75 done
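Review bot: With four arguments where the fourth is anything other than the literal `--development` (new lines 36-38), the script silently falls through with `is_development` empty and signs in release mode, so a misspelled flag is treated as a valid invocation instead of the usage error the argument-count check on line 25 was meant to produce. I would add a rejecting branch: `elif [[ ${#} == 4 ]]; then` / `echo "${ME}: unrecognized argument: ${4}" >& 2` / `exit 1`. Separately, `source "${script_dir}/variables.sh"` on line 41 is the only place `enforcement_flags_installer_tools` and `requirement_suffix` come from; under `set -u` a missing definition surfaces only as an unbound-variable error at the first use inside the loop, after `sign_path` has already been appended to `everything`, so a short comment naming the variables the sourced file must define (or a `: "${requirement_suffix:?}"` style assertion right after the `source`) would make the dependency explicit.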