Refactor mac signing scripts for development workflow

chrome/installer/mac/sign_app.sh.in

Index: chrome/installer/mac/sign_app.sh.in
diff --git a/chrome/installer/mac/sign_app.sh.in b/chrome/installer/mac/sign_app.sh.in
index d293a4eb6972e4fa8d043d27d93608281e33ffbc..fe29ccf44246ad44590848c58e62ab10d4bc127e 100644
--- a/chrome/installer/mac/sign_app.sh.in
+++ b/chrome/installer/mac/sign_app.sh.in
@@ -24,17 +24,24 @@ export -n SHELLOPTS
 ME="$(basename "${0}")"
 readonly ME
 
-if [[ ${#} -ne 3 ]]; then
-  echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
+if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
+  echo "usage: ${ME} app_path codesign_keychain codesign_id [--development]" >& 2

[Mark Mentovai, 2017/04/24 15:00:23]

Stay within 80 characters.

[Greg K, 2017/04/25 00:55:01]

Done.

   exit 1
 fi
 
 app_path="${1}"
 codesign_keychain="${2}"
 codesign_id="${3}"
+is_development=false

[Mark Mentovai, 2017/04/24 15:00:23]

It’d be more normal for this to either be blank or non-blank, and then you’d
test with [[ -z "${is_development}" ]] (meaning production) or [[ -n
"${is_development}" ]] (meaning development).

[Greg K, 2017/04/25 00:55:01]

Done.

+
+if [[ ${#} == 4 && ${4} == "--development" ]]; then
+  is_development=true
+fi
 
-# Use custom resource rules for the browser application.
 script_dir="$(dirname "${0}")"
+source "${script_dir}/variables.sh"
+
+# Use custom resource rules for the browser application.
 browser_app_rules="${script_dir}/app_resource_rules.plist"
 
 versioned_dir="${app_path}/Contents/Versions/@VERSION@"
@@ -53,17 +60,21 @@ designated => \
 identifier \"com.google.Chrome.beta\" or \
 identifier \"com.google.Chrome.dev\" or \
 identifier \"com.google.Chrome.canary\") \
-and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \
-certificate leaf = H\"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a\") \
+${requirement_suffix} \
 "
 
-enforcement_flags="restrict"
-
-codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
-    "${browser_app}" \
-    --options "${enforcement_flags}" \
-    --resource-rules "${browser_app_rules}" \
-    -r="${requirement_string}"
+if [[ $is_development = false ]]; then
+  codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \

[Mark Mentovai, 2017/04/24 15:00:23]

You can build up the codesign --sign command line in an array, and append -r= to
the array only if you’re not ${is_development}

[Mark Mentovai, 2017/04/24 22:29:17]

You can also write it a bit more directly by using an array to hold the optional
extra argument(s), and have the array be empty if they're not present. That's
probably better than building up the entire command in an array.

[Greg K, 2017/04/25 00:55:01]

Done.

+      "${browser_app}" \
+      --options "${enforcement_flags_app}" \
+      --resource-rules "${browser_app_rules}" \
+      -r="${requirement_string}"
+else
+  codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
+      "${browser_app}" \
+      --options "${enforcement_flags_app}" \
+      --resource-rules "${browser_app_rules}" 
+fi
 
 # Show the signature.
 codesign --display --verbose=5 -r- "${browser_app}"
@@ -92,6 +103,8 @@ cleanup() {
 }
 trap cleanup EXIT
 
-temp_browser_app="${temp_dir}/$(basename "${browser_app}")"
-rsync -a "${browser_app}/" "${temp_browser_app}"
-spctl --assess -vv "${temp_browser_app}"
+if [[ $is_development = false ]]; then
+  temp_browser_app="${temp_dir}/$(basename "${browser_app}")"
+  rsync -a "${browser_app}/" "${temp_browser_app}"
+  spctl --assess -vv "${temp_browser_app}"
+fi