Chromium Code Reviews Chromium Code Reviews
Issue 2934373002:
Record Code Signature of Downloaded DMG files (Closed)
| OLD | NEW |
|---|---|
| 1 # Copyright 2015 The Chromium Authors. All rights reserved. | 1 # Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 # Use of this source code is governed by a BSD-style license that can be | 2 # Use of this source code is governed by a BSD-style license that can be |
| 3 # found in the LICENSE file. | 3 # found in the LICENSE file. |
| 4 | 4 |
| 5 KEYCHAIN_PASSWORD=g0atMaster | 5 KEYCHAIN_PASSWORD=g0atMaster |
| 6 # This must match the commonName in codesign.cfg. | 6 # This must match the commonName in codesign.cfg. |
| 7 KEYCHAIN_IDENTITY=untrusted@goat.local | 7 KEYCHAIN_IDENTITY=untrusted@goat.local |
| 8 | 8 |
| 9 # Funcitons to add and remove key and cert to users keychain. | |
| 10 pre-build = security import codesign.key; security import codesign.crt | |
|
Greg K
2017/06/30 18:16:22
I would make this && because if one fails, the oth
mortonm
2017/06/30 20:01:06
Done.
| |
| 11 post-build = security delete-identity -c untrusted@goat.local | |
| 12 | |
| 9 executable32: src.c | 13 executable32: src.c |
| 10 clang -m32 -o $@ $^ | 14 clang -m32 -o $@ $^ |
| 11 | 15 |
| 12 executable64: src.c | 16 executable64: src.c |
| 13 clang -m64 -o $@ $^ | 17 clang -m64 -o $@ $^ |
| 14 | 18 |
| 15 executablefat: executable32 executable64 | 19 executablefat: executable32 executable64 |
| 16 lipo -create -output $@ $^ | 20 lipo -create -output $@ $^ |
| 17 | 21 |
| 18 lib32.dylib: src.c | 22 lib32.dylib: src.c |
| 19 clang -m32 -shared -o $@ $^ | 23 clang -m32 -shared -o $@ $^ |
| 20 | 24 |
| 21 lib64.dylib: src.c | 25 lib64.dylib: src.c |
| 22 clang -m64 -shared -o $@ $^ | 26 clang -m64 -shared -o $@ $^ |
| 23 | 27 |
| 24 libfat.dylib: lib64.dylib lib32.dylib | 28 libfat.dylib: lib64.dylib lib32.dylib |
| 25 lipo -create -output $@ $^ | 29 lipo -create -output $@ $^ |
| 26 | 30 |
| 27 codesign.key: | 31 codesign.key: |
| 28 openssl genrsa -out $@ 2048 | 32 openssl genrsa -out $@ 2048 |
| 29 | 33 |
| 30 codesign.csr: codesign.key codesign.cfg | 34 codesign.csr: codesign.key codesign.cfg |
| 31 openssl req -new -key $< -out $@ -config codesign.cfg | 35 openssl req -new -key $< -out $@ -config codesign.cfg |
| 32 | 36 |
| 33 codesign.crt: codesign.csr codesign.key codesign.cfg | 37 codesign.crt: codesign.csr codesign.key codesign.cfg |
| 34 openssl x509 -req -signkey codesign.key -sha256 \ | 38 openssl x509 -req -signkey codesign.key -sha256 \ |
| 35 -extfile codesign.cfg -extensions req_attrs -in $< -out $@ | 39 -extfile codesign.cfg -extensions req_attrs -in $< -out $@ |
| 36 | 40 |
| 37 codesign.keychain: codesign.key codesign.crt | 41 signedexecutable32: executable32 codesign.crt |
| 38 » security create-keychain -p $(KEYCHAIN_PASSWORD) $(PWD)/$@ | 42 » $(call pre-build) |
| 39 » security unlock-keychain -p $(KEYCHAIN_PASSWORD) $(PWD)/$@ | 43 » cp $< $@ |
| 40 » certtool i ./codesign.crt k=$(PWD)/$@ r=./codesign.key | 44 » codesign -s $(KEYCHAIN_IDENTITY) $@ |
| 45 » $(call post-build) | |
| 41 | 46 |
| 42 signedexecutable32: executable32 codesign.keychain | 47 libsigned64.dylib: lib64.dylib codesign.crt |
| 48 » $(call pre-build) | |
| 43 cp $< $@ | 49 cp $< $@ |
| 44 » security unlock-keychain -p $(KEYCHAIN_PASSWORD) \ | 50 » codesign -s $(KEYCHAIN_IDENTITY) $@ |
| 45 » » $(PWD)/codesign.keychain | 51 » $(call post-build) |
| 46 » codesign -s $(KEYCHAIN_IDENTITY) --keychain $(PWD)/codesign.keychain $@ | |
| 47 | 52 |
| 48 libsigned64.dylib: lib64.dylib codesign.keychain | 53 signedexecutablefat: executablefat codesign.crt |
| 54 » $(call pre-build) | |
| 49 cp $< $@ | 55 cp $< $@ |
| 50 » security unlock-keychain -p $(KEYCHAIN_PASSWORD) \ | 56 » codesign -s $(KEYCHAIN_IDENTITY) $@ --all-architectures |
| 51 » » $(PWD)/codesign.keychain | 57 » $(call post-build) |
| 52 » codesign -s $(KEYCHAIN_IDENTITY) --keychain $(PWD)/codesign.keychain $@ | |
| 53 | 58 |
| 54 signedexecutablefat: executablefat codesign.keychain | 59 signed-archive.dmg: test-bundle.app codesign.crt |
| 55 » cp $< $@ | 60 » $(call pre-build) |
| 56 » security unlock-keychain -p $(KEYCHAIN_PASSWORD) \ | 61 » hdiutil create -srcfolder test-bundle.app -format UDZO -layout \ |
| 57 » » $(PWD)/codesign.keychain | 62 » » SPUD -volname "Signed Archive" -ov $@ |
| 58 » codesign -s $(KEYCHAIN_IDENTITY) --keychain $(PWD)/codesign.keychain \ | 63 » codesign -s $(KEYCHAIN_IDENTITY) $@ |
| 59 » » $@ --all-architectures | 64 » $(call post-build) |
| 60 | 65 |
| 61 .PHONY: test-bundle.app | 66 .PHONY: test-bundle.app |
| 62 test-bundle.app: signedexecutablefat libsigned64.dylib executable32 | 67 test-bundle.app: signedexecutablefat libsigned64.dylib executable32 |
| 68 $(call pre-build) | |
| 63 ditto base-bundle.app $@ | 69 ditto base-bundle.app $@ |
| 64 ditto $< $@/Contents/MacOS/test-bundle | 70 ditto $< $@/Contents/MacOS/test-bundle |
| 65 ditto $(word 2,$^) $@/Contents/Frameworks/$(word 2,$^) | 71 ditto $(word 2,$^) $@/Contents/Frameworks/$(word 2,$^) |
| 66 ditto $(word 3,$^) $@/Contents/Resources/$(word 3,$^) | 72 ditto $(word 3,$^) $@/Contents/Resources/$(word 3,$^) |
| 67 » security unlock-keychain -p $(KEYCHAIN_PASSWORD) \ | 73 » codesign -f -s $(KEYCHAIN_IDENTITY) $@ --all-architectures \ |
| 68 » » $(PWD)/codesign.keychain | 74 » » --resource-rules ResourceRules |
| 69 » codesign -f -s $(KEYCHAIN_IDENTITY) --keychain $(PWD)/codesign.keychain \ | 75 » $(call post-build) |
| 70 » » $@ --all-architectures --resource-rules ResourceRules | |
| 71 | 76 |
| 72 .PHONY: modified-bundle.app | 77 .PHONY: modified-bundle.app |
| 73 modified-bundle.app: test-bundle.app lib32.dylib executable64 | 78 modified-bundle.app: test-bundle.app lib32.dylib executable64 |
| 79 $(call pre-build) | |
| 74 ditto $< $@ | 80 ditto $< $@ |
| 75 echo "<xml/>" > $@/Contents/Resources/Base.lproj/InfoPlist.strings | 81 echo "<xml/>" > $@/Contents/Resources/Base.lproj/InfoPlist.strings |
| 76 » security unlock-keychain -p $(KEYCHAIN_PASSWORD) \ | 82 » codesign -f -s $(KEYCHAIN_IDENTITY) $@ --all-architectures \ |
| 77 » » $(PWD)/codesign.keychain | 83 » » --resource-rules ResourceRules |
| 78 » codesign -f -s $(KEYCHAIN_IDENTITY) --keychain $(PWD)/codesign.keychain \ | |
| 79 » » $@ --all-architectures --resource-rules ResourceRules | |
| 80 echo "BAD" > $@/Contents/Resources/Base.lproj/InfoPlist.strings | 84 echo "BAD" > $@/Contents/Resources/Base.lproj/InfoPlist.strings |
| 81 touch $@/Contents/Resources/codesign.cfg | 85 touch $@/Contents/Resources/codesign.cfg |
| 82 ditto $(word 2,$^) $@/Contents/Frameworks/libsigned64.dylib | 86 ditto $(word 2,$^) $@/Contents/Frameworks/libsigned64.dylib |
| 83 ditto $(word 3,$^) $@/Contents/Resources/executable32 | 87 ditto $(word 3,$^) $@/Contents/Resources/executable32 |
| 84 echo "foo" >> $@/Contents/Resources/Base.lproj/MainMenu.nib | 88 echo "foo" >> $@/Contents/Resources/Base.lproj/MainMenu.nib |
| 85 » security unlock-keychain -p $(KEYCHAIN_PASSWORD) \ | 89 » codesign -f -s $(KEYCHAIN_IDENTITY) \ |
| 86 » » $(PWD)/codesign.keychain | |
| 87 » codesign -f -s $(KEYCHAIN_IDENTITY) --keychain $(PWD)/codesign.keychain \ | |
| 88 $@/Contents/Resources/Base.lproj/MainMenu.nib | 90 $@/Contents/Resources/Base.lproj/MainMenu.nib |
| 91 $(call post-build) | |
| 89 | 92 |
| 90 .PHONY: modified-bundle-and-exec.app | 93 .PHONY: modified-bundle-and-exec.app |
| 91 modified-bundle-and-exec.app: test-bundle.app lib32.dylib executable64 | 94 modified-bundle-and-exec.app: test-bundle.app lib32.dylib executable64 |
| 92 ditto $< $@ | 95 ditto $< $@ |
| 93 touch $@/Contents/Resources/codesign.cfg | 96 touch $@/Contents/Resources/codesign.cfg |
| 94 ditto $(word 2,$^) $@/Contents/Frameworks/libsigned64.dylib | 97 ditto $(word 2,$^) $@/Contents/Frameworks/libsigned64.dylib |
| 95 ditto $(word 3,$^) $@/Contents/Resources/executable32 | 98 ditto $(word 3,$^) $@/Contents/Resources/executable32 |
| 96 printf '\x31' | dd bs=1 seek=8097 count=1 conv=notrunc \ | 99 printf '\x31' | dd bs=1 seek=8097 count=1 conv=notrunc \ |
| 97 of=$@/Contents/MacOS/test-bundle | 100 of=$@/Contents/MacOS/test-bundle |
| 98 | 101 |
| 99 .PHONY: modified-main-exec32.app | 102 .PHONY: modified-main-exec32.app |
| 100 modified-main-exec32.app: test-bundle.app | 103 modified-main-exec32.app: test-bundle.app |
| 101 ditto $< $@ | 104 ditto $< $@ |
| 102 printf '\x31' | dd bs=1 seek=8097 count=1 conv=notrunc \ | 105 printf '\x31' | dd bs=1 seek=8097 count=1 conv=notrunc \ |
| 103 of=$@/Contents/MacOS/test-bundle | 106 of=$@/Contents/MacOS/test-bundle |
| 104 | 107 |
| 105 .PHONY: modified-main-exec64.app | 108 .PHONY: modified-main-exec64.app |
| 106 modified-main-exec64.app: test-bundle.app | 109 modified-main-exec64.app: test-bundle.app |
| 107 ditto $< $@ | 110 ditto $< $@ |
| 108 printf '\x31' | dd bs=1 seek=24448 count=1 conv=notrunc \ | 111 printf '\x31' | dd bs=1 seek=24448 count=1 conv=notrunc \ |
| 109 of=$@/Contents/MacOS/test-bundle | 112 of=$@/Contents/MacOS/test-bundle |
| 110 | 113 |
| 111 .PHONY: modified-localization.app | 114 .PHONY: modified-localization.app |
| 112 modified-localization.app: test-bundle.app | 115 modified-localization.app: test-bundle.app |
| 116 $(call pre-build) | |
| 113 ditto $< $@ | 117 ditto $< $@ |
| 114 echo "<xml/>" > $@/Contents/Resources/Base.lproj/InfoPlist.strings | 118 echo "<xml/>" > $@/Contents/Resources/Base.lproj/InfoPlist.strings |
| 115 » security unlock-keychain -p $(KEYCHAIN_PASSWORD) \ | 119 » codesign -f -s $(KEYCHAIN_IDENTITY) $@ --all-architectures \ |
| 116 » » $(PWD)/codesign.keychain | 120 » » --resource-rules ResourceRules |
| 117 » codesign -f -s $(KEYCHAIN_IDENTITY) --keychain $(PWD)/codesign.keychain \ | |
| 118 » » $@ --all-architectures --resource-rules ResourceRules | |
| 119 echo "CORRUPT" > $@/Contents/Resources/Base.lproj/InfoPlist.strings | 121 echo "CORRUPT" > $@/Contents/Resources/Base.lproj/InfoPlist.strings |
| 122 $(call post-build) | |
| OLD | NEW |
