Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(445)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: chrome/installer/mac/sign_app.sh.in

Issue 2832073002: Refactor mac signing scripts for development workflow (Closed)
Patch Set: Fix wrong requirement variable name Created 3 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « chrome/installer/mac/OWNERS ('k') | chrome/installer/mac/sign_installer_tools.sh » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/bin/bash -p 1 #!/bin/bash -p
2 2
3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. 3 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be 4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file. 5 # found in the LICENSE file.
6 6
7 # Using codesign, sign the application. After signing, the signatures on the 7 # Using codesign, sign the application. After signing, the signatures on the
8 # inner bundle components are verified, and the application's own signature is 8 # inner bundle components are verified, and the application's own signature is
9 # verified. Inner bundle components are expected to be signed before this 9 # verified. Inner bundle components are expected to be signed before this
10 # script is called. See sign_versioned_dir.sh.in. 10 # script is called. See sign_versioned_dir.sh.in.
11 11
12 set -eu 12 set -eu
13 13
14 # Environment sanitization. Set a known-safe PATH. Clear environment variables 14 # Environment sanitization. Set a known-safe PATH. Clear environment variables
15 # that might impact the interpreter's operation. The |bash -p| invocation 15 # that might impact the interpreter's operation. The |bash -p| invocation
16 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among 16 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
17 # other features), but clearing them here ensures that they won't impact any 17 # other features), but clearing them here ensures that they won't impact any
18 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be 18 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be
19 # unset, only unexported. 19 # unset, only unexported.
20 export PATH="/usr/bin:/bin:/usr/sbin:/sbin" 20 export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
21 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT 21 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
22 export -n SHELLOPTS 22 export -n SHELLOPTS
23 23
24 ME="$(basename "${0}")" 24 ME="$(basename "${0}")"
25 readonly ME 25 readonly ME
26 26
27 if [[ ${#} -ne 3 ]]; then 27 if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
28 echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2 28 echo "usage: ${ME} app_path codesign_keychain codesign_id \
29 [--development]" >& 2
29 exit 1 30 exit 1
30 fi 31 fi
31 32
32 app_path="${1}" 33 app_path="${1}"
33 codesign_keychain="${2}" 34 codesign_keychain="${2}"
34 codesign_id="${3}" 35 codesign_id="${3}"
36 is_development=
37
38 if [[ ${#} == 4 && "${4}" == "--development" ]]; then
39 is_development=1
40 fi
41
42 script_dir="$(dirname "${0}")"
43 source "${script_dir}/variables.sh"
35 44
36 # Use custom resource rules for the browser application. 45 # Use custom resource rules for the browser application.
37 script_dir="$(dirname "${0}")"
38 browser_app_rules="${script_dir}/app_resource_rules.plist" 46 browser_app_rules="${script_dir}/app_resource_rules.plist"
39 47
40 versioned_dir="${app_path}/Contents/Versions/@VERSION@" 48 versioned_dir="${app_path}/Contents/Versions/@VERSION@"
41 49
42 browser_app="${app_path}" 50 browser_app="${app_path}"
43 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" 51 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
44 notification_service="${framework}/XPCServices/AlertNotificationService.xpc" 52 notification_service="${framework}/XPCServices/AlertNotificationService.xpc"
45 crashpad_handler="${framework}/Helpers/crashpad_handler" 53 crashpad_handler="${framework}/Helpers/crashpad_handler"
46 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" 54 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
47 app_mode_loader_app="${framework}/Resources/app_mode_loader.app" 55 app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
48 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader" 56 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
49 57
50 requirement_string="\ 58 requirement="\
51 designated => \ 59 designated => \
52 (identifier \"com.google.Chrome\" or \ 60 (identifier \"com.google.Chrome\" or \
53 identifier \"com.google.Chrome.beta\" or \ 61 identifier \"com.google.Chrome.beta\" or \
54 identifier \"com.google.Chrome.dev\" or \ 62 identifier \"com.google.Chrome.dev\" or \
55 identifier \"com.google.Chrome.canary\") \ 63 identifier \"com.google.Chrome.canary\") \
56 and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \ 64 ${requirement_suffix} \
57 certificate leaf = H\"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a\") \
58 " 65 "
59 66
60 enforcement_flags="restrict" 67 codesign_cmd=(
61 68 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}"
62 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ 69 "${browser_app}"
63 "${browser_app}" \ 70 --options "${enforcement_flags_app}"
64 --options "${enforcement_flags}" \ 71 --resource-rules "${browser_app_rules}"
65 --resource-rules "${browser_app_rules}" \ 72 )
66 -r="${requirement_string}" 73 if [[ -z "${is_development}" ]]; then
74 codesign_cmd+=( -r="${requirement}" )
75 fi
76 "${codesign_cmd[@]}"
67 77
68 # Show the signature. 78 # Show the signature.
69 codesign --display --verbose=5 -r- "${browser_app}" 79 codesign --display --verbose=5 -r- "${browser_app}"
70 80
71 # Verify everything. Check the framework and helper apps to make sure that the 81 # Verify everything. Check the framework and helper apps to make sure that the
72 # signatures are present and weren't altered by the signing process. Use 82 # signatures are present and weren't altered by the signing process. Use
73 # --ignore-resources on the app mode loader because its signature only covers 83 # --ignore-resources on the app mode loader because its signature only covers
74 # the main executable, not its containing .app bundle. Use --no-strict on the 84 # the main executable, not its containing .app bundle. Use --no-strict on the
75 # outermost browser .app because it uses custom resource rules. 85 # outermost browser .app because it uses custom resource rules.
76 codesign --verify --verbose=6 --deep --no-strict "${browser_app}" 86 codesign --verify --verbose=6 --deep --no-strict "${browser_app}"
77 codesign --verify --verbose=6 --deep "${crashpad_handler}" 87 codesign --verify --verbose=6 --deep "${crashpad_handler}"
78 codesign --verify --verbose=6 --ignore-resources "${app_mode_loader}" 88 codesign --verify --verbose=6 --ignore-resources "${app_mode_loader}"
79 codesign --verify --verbose=6 --deep "${notification_service}" 89 codesign --verify --verbose=6 --deep "${notification_service}"
80 codesign --verify --verbose=6 --deep "${framework}" 90 codesign --verify --verbose=6 --deep "${framework}"
81 codesign --verify --verbose=6 --deep "${helper_app}" 91 codesign --verify --verbose=6 --deep "${helper_app}"
82 92
83 # Verify with spctl, which uses the same rules that Gatekeeper does for 93 # Verify with spctl, which uses the same rules that Gatekeeper does for
84 # validation. This is unreliable on 10.11 where syspolicyd caches assessments 94 # validation. This is unreliable on 10.11 where syspolicyd caches assessments
85 # and becomes confused when a bundle's CFExecutableName changes 95 # and becomes confused when a bundle's CFExecutableName changes
86 # (https://openradar.appspot.com/23614087), so verify a copy at a unique path. 96 # (https://openradar.appspot.com/23614087), so verify a copy at a unique path.
87 temp_dir="$(mktemp -d -t "$(basename "${0}")")" 97 if [[ -z "${is_development}" ]]; then
98 temp_dir="$(mktemp -d -t "$(basename "${0}")")"
88 99
89 cleanup() { 100 cleanup() {
90 set +e 101 set +e
91 rm -rf "${temp_dir}" 102 rm -rf "${temp_dir}"
92 } 103 }
93 trap cleanup EXIT 104 trap cleanup EXIT
94 105 temp_browser_app="${temp_dir}/$(basename "${browser_app}")"
95 temp_browser_app="${temp_dir}/$(basename "${browser_app}")" 106 rsync -a "${browser_app}/" "${temp_browser_app}"
96 rsync -a "${browser_app}/" "${temp_browser_app}" 107 spctl --assess -vv "${temp_browser_app}"
97 spctl --assess -vv "${temp_browser_app}" 108 fi
OLDNEW
« no previous file with comments | « chrome/installer/mac/OWNERS ('k') | chrome/installer/mac/sign_installer_tools.sh » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698