| OLD | NEW |
|---|
| 1 #!/bin/bash -p | 1 #!/bin/bash -p |
| 2 | 2 |
| 3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. | 3 # Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 4 # Use of this source code is governed by a BSD-style license that can be | 4 # Use of this source code is governed by a BSD-style license that can be |
| 5 # found in the LICENSE file. | 5 # found in the LICENSE file. |
| 6 | 6 |
| 7 # Using codesign, sign the contents of the versioned directory. Namely, this | 7 # Using codesign, sign the contents of the versioned directory. Namely, this |
| 8 # includes the framework and helper app. After signing, the signatures are | 8 # includes the framework and helper app. After signing, the signatures are |
| 9 # verified. | 9 # verified. |
| 10 | 10 |
| 11 set -eu | 11 set -eu |
| 12 | 12 |
| 13 # Environment sanitization. Set a known-safe PATH. Clear environment variables | 13 # Environment sanitization. Set a known-safe PATH. Clear environment variables |
| 14 # that might impact the interpreter's operation. The |bash -p| invocation | 14 # that might impact the interpreter's operation. The |bash -p| invocation |
| 15 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among | 15 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among |
| 16 # other features), but clearing them here ensures that they won't impact any | 16 # other features), but clearing them here ensures that they won't impact any |
| 17 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be | 17 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be |
| 18 # unset, only unexported. | 18 # unset, only unexported. |
| 19 export PATH="/usr/bin:/bin:/usr/sbin:/sbin" | 19 export PATH="/usr/bin:/bin:/usr/sbin:/sbin" |
| 20 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT | 20 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT |
| 21 export -n SHELLOPTS | 21 export -n SHELLOPTS |
| 22 | 22 |
| 23 ME="$(basename "${0}")" | 23 ME="$(basename "${0}")" |
| 24 readonly ME | 24 readonly ME |
| 25 | 25 |
| 26 script_dir="$(dirname "${0}")" |
| 27 source "${script_dir}/variables.sh" |
| 28 |
| 26 codesign_display_and_verify() { | 29 codesign_display_and_verify() { |
| 27 path=${1} | 30 path=${1} |
| 28 shift | 31 shift |
| 29 | 32 |
| 30 # --verbose can go up to 6 for --display, but that just shows the hash of each | 33 # --verbose can go up to 6 for --display, but that just shows the hash of each |
| 31 # ordinary page in the executable, which is more noise than anything else. | 34 # ordinary page in the executable, which is more noise than anything else. |
| 32 codesign --display --verbose=5 -r- "${path}" | 35 codesign --display --verbose=5 -r- "${path}" |
| 33 codesign --verify --verbose=6 "${@}" "${path}" | 36 codesign --verify --verbose=6 "${@}" "${path}" |
| 34 } | 37 } |
| 35 | 38 |
| 36 if [[ ${#} -ne 3 ]]; then | 39 if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then |
| 37 echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2 | 40 echo "usage: ${ME} app_path codesign_keychain codesign_id \ |
| 41 [--development]" >& 2 |
| 38 exit 1 | 42 exit 1 |
| 39 fi | 43 fi |
| 40 | 44 |
| 41 app_path="${1}" | 45 app_path="${1}" |
| 42 codesign_keychain="${2}" | 46 codesign_keychain="${2}" |
| 43 codesign_id="${3}" | 47 codesign_id="${3}" |
| 48 is_development= |
| 49 |
| 50 if [[ ${#} == 4 && ${4} == "--development" ]]; then |
| 51 is_development=1 |
| 52 fi |
| 53 |
| 54 codesign_with_options() { |
| 55 path=${1} |
| 56 options=${2} |
| 57 requirement_identifier=${3} |
| 58 |
| 59 codesign_cmd=( |
| 60 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" |
| 61 "${path}" |
| 62 ) |
| 63 |
| 64 if [[ "${requirement_identifier}" = "app_mode_loader" ]]; then |
| 65 codesign_cmd+=( --identifier "${requirement_identifier}" ) |
| 66 fi |
| 67 |
| 68 if [[ -n "${options}" ]]; then |
| 69 codesign_cmd+=( --options "${options}" ) |
| 70 fi |
| 71 |
| 72 if [[ -z "${is_development}" ]]; then |
| 73 requirement="designated => identifier \"${requirement_identifier}\" \ |
| 74 ${requirement_suffix}" |
| 75 codesign_cmd+=( -r="${requirement}" ) |
| 76 fi |
| 77 "${codesign_cmd[@]}" |
| 78 } |
| 44 | 79 |
| 45 versioned_dir="${app_path}/Contents/Versions/@VERSION@" | 80 versioned_dir="${app_path}/Contents/Versions/@VERSION@" |
| 46 | 81 |
| 47 # To sign an .app bundle that contains nested code, the nested components | 82 # To sign an .app bundle that contains nested code, the nested components |
| 48 # themselves must be signed. Each of these components is signed below. Note | 83 # themselves must be signed. Each of these components is signed below. Note |
| 49 # that unless a framework has multiple versions (which is discouraged), signing | 84 # that unless a framework has multiple versions (which is discouraged), signing |
| 50 # the entire framework is equivalent to signing the Current version. | 85 # the entire framework is equivalent to signing the Current version. |
| 51 # https://developer.apple.com/library/content/technotes/tn2206/_index.html#//app
le_ref/doc/uid/DTS40007919-CH1-TNTAG13 | 86 # https://developer.apple.com/library/content/technotes/tn2206/_index.html#//app
le_ref/doc/uid/DTS40007919-CH1-TNTAG13 |
| 52 | 87 |
| 53 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" | 88 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" |
| 54 notification_service="${framework}/XPCServices/AlertNotificationService.xpc" | 89 notification_service="${framework}/XPCServices/AlertNotificationService.xpc" |
| 55 crashpad_handler="${framework}/Helpers/crashpad_handler" | 90 crashpad_handler="${framework}/Helpers/crashpad_handler" |
| 56 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" | 91 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" |
| 57 app_mode_loader_app="${framework}/Resources/app_mode_loader.app" | 92 app_mode_loader_app="${framework}/Resources/app_mode_loader.app" |
| 58 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader" | 93 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader" |
| 59 | 94 |
| 60 requirement_suffix="\ | 95 codesign_with_options "${crashpad_handler}" \ |
| 61 and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \ | 96 "${enforcement_flags_helpers}" \ |
| 62 certificate leaf = H\"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a\") \ | 97 "crashpad_handler" |
| 63 " | |
| 64 | |
| 65 enforcement_flags_app="restrict" | |
| 66 enforcement_flags="${enforcement_flags_app},library" | |
| 67 | |
| 68 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | |
| 69 "${crashpad_handler}" \ | |
| 70 --options "${enforcement_flags}" \ | |
| 71 -r="designated => identifier \"crashpad_handler\" \ | |
| 72 ${requirement_suffix}" | |
| 73 | 98 |
| 74 # The app mode loader bundle is modified dynamically at runtime. Just sign the | 99 # The app mode loader bundle is modified dynamically at runtime. Just sign the |
| 75 # executable, which shouldn't change. In order to do this, the executable needs | 100 # executable, which shouldn't change. In order to do this, the executable needs |
| 76 # to be copied out of the bundle, signed, and then copied back in. The resulting | 101 # to be copied out of the bundle, signed, and then copied back in. The resulting |
| 77 # bundle's signature won't validate normally, but if the executable file is | 102 # bundle's signature won't validate normally, but if the executable file is |
| 78 # verified in isolation or with --ignore-resources, it will. | 103 # verified in isolation or with --ignore-resources, it will. |
| 79 app_mode_loader_tmp="$(mktemp -t app_mode_loader)" | 104 app_mode_loader_tmp="$(mktemp -t app_mode_loader)" |
| 80 cp "${app_mode_loader}" "${app_mode_loader_tmp}" | 105 cp "${app_mode_loader}" "${app_mode_loader_tmp}" |
| 81 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | 106 |
| 82 "${app_mode_loader_tmp}" \ | 107 codesign_with_options "${app_mode_loader_tmp}" \ |
| 83 --identifier app_mode_loader \ | 108 "${enforcement_flags_helpers}" \ |
| 84 --options "${enforcement_flags}" \ | 109 "app_mode_loader" |
| 85 -r="designated => identifier \"app_mode_loader\" \ | 110 |
| 86 ${requirement_suffix}" | |
| 87 cp "${app_mode_loader_tmp}" "${app_mode_loader}" | 111 cp "${app_mode_loader_tmp}" "${app_mode_loader}" |
| 88 rm -f "${app_mode_loader_tmp}" | 112 rm -f "${app_mode_loader_tmp}" |
| 89 | 113 |
| 90 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | 114 codesign_with_options "${notification_service}" \ |
| 91 "${notification_service}" \ | 115 "${enforcement_flags_helpers}" \ |
| 92 --options "${enforcement_flags}" \ | 116 "com.google.Chrome.framework.AlertNotificationService" |
| 93 -r="designated => identifier \"com.google.Chrome.framework.AlertNotification
Service\" \ | |
| 94 ${requirement_suffix}" | |
| 95 | 117 |
| 96 # The framework is a dylib, so ${enforcement_flags} are meaningless. | 118 # The framework is a dylib, so ${enforcement_flags_helpers} are meaningless. |
| 97 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | 119 codesign_with_options "${framework}" "" "com.google.Chrome.framework" |
| 98 "${framework}" \ | |
| 99 -r="designated => identifier \"com.google.Chrome.framework\" \ | |
| 100 ${requirement_suffix}" | |
| 101 | 120 |
| 102 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ | 121 codesign_with_options "${helper_app}" \ |
| 103 "${helper_app}" \ | 122 "${enforcement_flags_app}" \ |
| 104 --options "${enforcement_flags_app}" \ | 123 "com.google.Chrome.helper" |
| 105 -r="designated => identifier \"com.google.Chrome.helper\" \ | |
| 106 ${requirement_suffix}" | |
| 107 | 124 |
| 108 # Show the signatures and verify everything. | 125 # Show the signatures and verify everything. |
| 109 codesign_display_and_verify "${crashpad_handler}" --deep | 126 codesign_display_and_verify "${crashpad_handler}" --deep |
| 110 codesign_display_and_verify "${app_mode_loader}" --ignore-resources | 127 codesign_display_and_verify "${app_mode_loader}" --ignore-resources |
| 111 codesign_display_and_verify "${notification_service}" --deep | 128 codesign_display_and_verify "${notification_service}" --deep |
| 112 codesign_display_and_verify "${framework}" --deep | 129 codesign_display_and_verify "${framework}" --deep |
| 113 codesign_display_and_verify "${helper_app}" --deep | 130 codesign_display_and_verify "${helper_app}" --deep |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2832073002:
Refactor mac signing scripts for development workflow (Closed)
