| #!/bin/bash -p |
| |
| # Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # Using codesign, sign the contents of the versioned directory. Namely, this |
| # includes the framework and helper app. After signing, the signatures are |
| # verified. |
| |
| set -eu |
| |
| # Environment sanitization. Set a known-safe PATH. Clear environment variables |
| # that might impact the interpreter's operation. The |bash -p| invocation |
| # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among |
| # other features), but clearing them here ensures that they won't impact any |
| # shell scripts used as utility programs. SHELLOPTS is read-only and can't be |
| # unset, only unexported. |
| export PATH="/usr/bin:/bin:/usr/sbin:/sbin" |
| unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT |
| export -n SHELLOPTS |
| |
| ME="$(basename "${0}")" |
| readonly ME |
| |
| script_dir="$(dirname "${0}")" |
| source "${script_dir}/variables.sh" |
| |
| codesign_display_and_verify() { |
| args=("${@}") |
| path=${args[0]} |
| |
| # --verbose can go up to 6 for --display, but that just shows the hash of each |
| # ordinary page in the executable, which is more noise than anything else. |
| codesign --display --verbose=5 -r- "${path}" |
| codesign --verify --verbose=6 "${args[@]:1}" "${path}" |
| } |
| |
| if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then |
| echo "usage: ${ME} app_path codesign_keychain codesign_id \ |
| [--development]" >& 2 |
| exit 1 |
| fi |
| |
| app_path="${1}" |
| codesign_keychain="${2}" |
| codesign_id="${3}" |
| is_development= |
| |
| if [[ ${#} == 4 && ${4} == "--development" ]]; then |
| is_development=1 |
| fi |
| |
| codesign_with_options() { |
| path=${1} |
| options=${2} |
| requirement_identifier=${3} |
| |
| codesign_cmd=( |
| codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" |
| "${path}" |
| ) |
| |
| if [[ "${requirement_identifier}" = "app_mode_loader" ]]; then |
| codesign_cmd+=( --identifier "${requirement_identifier}" ) |
| fi |
| |
| if [[ -n "${options}" ]]; then |
| codesign_cmd+=( --options "${options}" ) |
| fi |
| |
| if [[ -z "${is_development}" ]]; then |
| requirement="designated => identifier \"${requirement_identifier}\" \ |
| ${requirement_suffix}" |
| codesign_cmd+=( -r="${requirement}" ) |
| fi |
| "${codesign_cmd[@]}" |
| } |
| |
| versioned_dir="${app_path}/Contents/Versions/@VERSION@" |
| |
| # To sign an .app bundle that contains nested code, the nested components |
| # themselves must be signed. Each of these components is signed below. Note |
| # that unless a framework has multiple versions (which is discouraged), signing |
| # the entire framework is equivalent to signing the Current version. |
| # https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG13 |
| |
| framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" |
| notification_service="${framework}/XPCServices/AlertNotificationService.xpc" |
| crashpad_handler="${framework}/Helpers/crashpad_handler" |
| helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" |
| app_mode_loader_app="${framework}/Resources/app_mode_loader.app" |
| app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader" |
| widevine_plugin="${framework}/Libraries/WidevineCdm/_platform_specific/mac_x64/widevinecdmadapter.plugin" |
| |
| codesign_with_options "${crashpad_handler}" \ |
| "${enforcement_flags_helpers}" \ |
| "crashpad_handler" |
| |
| # The app mode loader bundle is modified dynamically at runtime. Just sign the |
| # executable, which shouldn't change. In order to do this, the executable needs |
| # to be copied out of the bundle, signed, and then copied back in. The resulting |
| # bundle's signature won't validate normally, but if the executable file is |
| # verified in isolation or with --ignore-resources, it will. |
| app_mode_loader_tmp="$(mktemp -t app_mode_loader)" |
| cp "${app_mode_loader}" "${app_mode_loader_tmp}" |
| |
| codesign_with_options "${app_mode_loader_tmp}" \ |
| "${enforcement_flags_helpers}" \ |
| "app_mode_loader" |
| |
| cp "${app_mode_loader_tmp}" "${app_mode_loader}" |
| rm -f "${app_mode_loader_tmp}" |
| |
| xpc_plist="${notification_service}/Contents/Info" |
| xpc_bundle_id="$(__CFPREFERENCES_AVOID_DAEMON=1 defaults read \ |
| "${xpc_plist}" "CFBundleIdentifier")" |
| |
| codesign_with_options "${notification_service}" \ |
| "${enforcement_flags_helpers}" \ |
| "${xpc_bundle_id}" |
| |
| # Only sign widevine plugin if it is present in the bundle. |
| # ${enforcement_flags*} are meaningless for dynamic libraries. |
| if [[ -f "${widevine_plugin}" ]]; then |
| codesign_with_options "${widevine_plugin}" "" "widevinecdmadapter" |
| fi |
| |
| # The framework is a dylib, so ${enforcement_flags_helpers} are meaningless. |
| codesign_with_options "${framework}" "" "com.google.Chrome.framework" |
| |
| codesign_with_options "${helper_app}" \ |
| "${enforcement_flags_app}" \ |
| "com.google.Chrome.helper" |
| |
| if [[ -f "${widevine_plugin}" ]]; then |
| codesign_display_and_verify "${widevine_plugin}" |
| fi |
| |
| codesign_display_and_verify "${crashpad_handler}" --deep |
| codesign_display_and_verify "${app_mode_loader}" --ignore-resources |
| codesign_display_and_verify "${notification_service}" --deep |
| # The framework contains KeystoneRegistration.framework, which uses |
| # custom resource rules, so use --no-strict to verify. |
| codesign_display_and_verify "${framework}" --deep --no-strict |
| codesign_display_and_verify "${framework}" --strict |
| codesign_display_and_verify "${helper_app}" --deep |
