Restore the "omit" code signature resource rule to new-layout installations

The new signing scripts introduced by bug 958163 do not use the "omit"
code signature resource rule when signing a new-layout product. Bug
958976 enabled the new layout by default. This is fine for a product
built in isolation, but is incorrect in the field, for products that
update on top of existing old-layout versions. For proper function, the
resource rule must be preserved as long as an old-layout version exists.
Vestiges of these old-layout versions will remain following an update
when updating directly from an old-layout version or when an old-layout
version appears to be in use. Accordingly, it will take at least two
updates, and for some users, many more, to assure that these historical
artifacts are fully purged. Until that happens, the "omit" resource rule
assures that the presence of an old-layout old version does not
interfere with code signature validation.

Removal of the "omit" resource rule is required for successful
notarization, so this rule's days are numbered. In due time, resource
rule removal will fix bug 496298, and is a prerequisite for fixing bug

Because this removes the requirement that a specific version's versioned
directory appear in the outer .app's Contents/Versions, as this no
longer exists with the new layout, this change breaks the ability to
properly sign products built with new_mac_bundle_structure = false.
However, following recent successful testing, this flag now defaults to
true, will be removed shortly, and we do not anticipate releasing
anything built with it set to false again.

Bug: 965224
Change-Id: I095b1cd66de599ab57fb07635cb8947adfe06128
Reviewed-by: Robert Sesek <>
Commit-Queue: Mark Mentovai <>
Cr-Commit-Position: refs/heads/master@{#661476}
5 files changed