| Index: chrome/installer/mac/sign_app.sh.in
|
| diff --git a/chrome/installer/mac/sign_app.sh.in b/chrome/installer/mac/sign_app.sh.in
|
| index d293a4eb6972e4fa8d043d27d93608281e33ffbc..8781b919b9d3b98aa77dc980313d45f37ecf8e97 100644
|
| --- a/chrome/installer/mac/sign_app.sh.in
|
| +++ b/chrome/installer/mac/sign_app.sh.in
|
| @@ -24,17 +24,25 @@ export -n SHELLOPTS
|
| ME="$(basename "${0}")"
|
| readonly ME
|
|
|
| -if [[ ${#} -ne 3 ]]; then
|
| - echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
|
| +if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
|
| + echo "usage: ${ME} app_path codesign_keychain codesign_id \
|
| +[--development]" >& 2
|
| exit 1
|
| fi
|
|
|
| app_path="${1}"
|
| codesign_keychain="${2}"
|
| codesign_id="${3}"
|
| +is_development=
|
| +
|
| +if [[ ${#} == 4 && "${4}" == "--development" ]]; then
|
| + is_development=1
|
| +fi
|
|
|
| -# Use custom resource rules for the browser application.
|
| script_dir="$(dirname "${0}")"
|
| +source "${script_dir}/variables.sh"
|
| +
|
| +# Use custom resource rules for the browser application.
|
| browser_app_rules="${script_dir}/app_resource_rules.plist"
|
|
|
| versioned_dir="${app_path}/Contents/Versions/@VERSION@"
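Review bot: The new usage check only counts arguments, so a fourth argument that is not `--development` (for example a mistyped flag) is accepted and silently ignored. The script then performs a normal signing run with no hint that the option was dropped. It fails towards the stricter path, but the caller gets a different kind of signature than they asked for. Rejecting the unknown value in the same test would make this explicit: `if [[ ${#} -lt 3 || ${#} -gt 4 || ( ${#} -eq 4 && "${4}" != "--development" ) ]]; then`.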
|
| @@ -47,23 +55,25 @@ helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
|
| app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
|
| app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
|
|
|
| -requirement_string="\
|
| +requirement="\
|
| designated => \
|
| (identifier \"com.google.Chrome\" or \
|
| identifier \"com.google.Chrome.beta\" or \
|
| identifier \"com.google.Chrome.dev\" or \
|
| identifier \"com.google.Chrome.canary\") \
|
| -and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \
|
| -certificate leaf = H\"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a\") \
|
| +${requirement_suffix} \
|
| "
|
|
|
| -enforcement_flags="restrict"
|
| -
|
| -codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
|
| - "${browser_app}" \
|
| - --options "${enforcement_flags}" \
|
| - --resource-rules "${browser_app_rules}" \
|
| - -r="${requirement_string}"
|
| +codesign_cmd=(
|
| + codesign --sign "${codesign_id}" --keychain "${codesign_keychain}"
|
| + "${browser_app}"
|
| + --options "${enforcement_flags_app}"
|
| + --resource-rules "${browser_app_rules}"
|
| +)
|
| +if [[ -z "${is_development}" ]]; then
|
| + codesign_cmd+=( -r="${requirement}" )
|
| +fi
|
| +"${codesign_cmd[@]}"
|
|
|
| # Show the signature.
|
| codesign --display --verbose=5 -r- "${browser_app}"
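Review bot: The certificate-leaf pin that used to be written out in `requirement` now comes from `${requirement_suffix}`, which is not defined in this file and presumably comes from the `variables.sh` sourced in the first hunk. If that variable is empty, the requirement string is still well-formed but matches on identifier alone, and `codesign` would sign without complaint. A guard in the non-development branch just before `codesign_cmd+=( -r="${requirement}" )` would catch this: `[[ -n "${requirement_suffix}" ]] || { echo "${ME}: requirement_suffix is empty" >& 2; exit 1; }`. The same applies to `${enforcement_flags_app}`, which replaces the literal `restrict` and is passed to `--options` in both modes.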
|
| @@ -84,14 +94,15 @@ codesign --verify --verbose=6 --deep "${helper_app}"
|
| # validation. This is unreliable on 10.11 where syspolicyd caches assessments
|
| # and becomes confused when a bundle's CFExecutableName changes
|
| # (https://openradar.appspot.com/23614087), so verify a copy at a unique path.
|
| -temp_dir="$(mktemp -d -t "$(basename "${0}")")"
|
| -
|
| -cleanup() {
|
| - set +e
|
| - rm -rf "${temp_dir}"
|
| -}
|
| -trap cleanup EXIT
|
| -
|
| -temp_browser_app="${temp_dir}/$(basename "${browser_app}")"
|
| -rsync -a "${browser_app}/" "${temp_browser_app}"
|
| -spctl --assess -vv "${temp_browser_app}"
|
| +if [[ -z "${is_development}" ]]; then
|
| + temp_dir="$(mktemp -d -t "$(basename "${0}")")"
|
| +
|
| + cleanup() {
|
| + set +e
|
| + rm -rf "${temp_dir}"
|
| + }
|
| + trap cleanup EXIT
|
| + temp_browser_app="${temp_dir}/$(basename "${browser_app}")"
|
| + rsync -a "${browser_app}/" "${temp_browser_app}"
|
| + spctl --assess -vv "${temp_browser_app}"
|
| +fi
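Review bot: With `--development` the `spctl --assess` step is skipped here and the designated requirement is omitted in the earlier hunk, but nothing in the script's output records that a weaker signature was produced. An `else` branch that writes one line to stderr would keep a development-signed bundle from being mistaken for a release artifact in build logs, e.g. `echo "${ME}: development signing; designated requirement and spctl assessment skipped" >& 2`. As a minor style point, `mktemp -d -t "$(basename "${0}")"` could reuse the readonly `${ME}` defined at the top of the script.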
|
|
|