| #!/bin/bash -p |
| |
| # Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # Using codesign, sign the application. After signing, the signatures on the |
| # inner bundle components are verified, and the application's own signature is |
| # verified. Inner bundle components are expected to be signed before this |
| # script is called. See sign_versioned_dir.sh. |
| |
| set -eu |
| |
| # Environment sanitization. Set a known-safe PATH. Clear environment variables |
| # that might impact the interpreter's operation. The |bash -p| invocation |
| # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among |
| # other features), but clearing them here ensures that they won't impact any |
| # shell scripts used as utility programs. SHELLOPTS is read-only and can't be |
| # unset, only unexported. |
| export PATH="/usr/bin:/bin:/usr/sbin:/sbin" |
| unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT |
| export -n SHELLOPTS |
| |
| ME="$(basename "${0}")" |
| readonly ME |
| |
| if [[ ${#} -ne 3 ]]; then |
| echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2 |
| exit 1 |
| fi |
| |
| app_path="${1}" |
| codesign_keychain="${2}" |
| codesign_id="${3}" |
| |
| # Use custom resource rules for the browser application. |
| script_dir="$(dirname "${0}")" |
| browser_app_rules="${script_dir}/app_resource_rules.plist" |
| |
| versioned_dir="${app_path}/Contents/Versions/@VERSION@" |
| |
| browser_app="${app_path}" |
| framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" |
| notification_service="${framework}/XPCServices/AlertNotificationService.xpc" |
| crashpad_handler="${framework}/Helpers/crashpad_handler" |
| helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" |
| |
| requirement_string="\ |
| designated => \ |
| (identifier \"com.google.Chrome\" or identifier \"com.google.Chrome.canary\") \ |
| and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \ |
| certificate leaf = H\"34f0bdf7f87d4f3a955862c351472e52250e4c2b\") \ |
| " |
| |
| enforcement_flags="restrict" |
| |
| codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ |
| "${browser_app}" --resource-rules "${browser_app_rules}" \ |
| -r="${requirement_string}" --options "${enforcement_flags}" |
| |
| # Show the signature. |
| codesign --display -r- -vvvvvv "${browser_app}" |
| |
| # Verify everything. Check the framework and helper apps to make sure that the |
| # signatures are present and weren't altered by the signing process. Don't use |
| # --deep on the framework because Keystone's signature is in a transitional |
| # state (b/18474911). Use --no-strict on the app because it uses custom resource |
| # rules. |
| codesign --verify --deep -vvvvvv "${crashpad_handler}" |
| codesign --verify --deep -vvvvvv "${notification_service}" |
| codesign --verify -vvvvvv "${framework}" |
| codesign --verify --deep -vvvvvv "${helper_app}" |
| codesign --verify --deep --no-strict -vvvvvv "${browser_app}" |
| |
| # Verify with spctl, which uses the same rules that Gatekeeper does for |
| # validation. This is unreliable on 10.11 where syspolicyd caches assessments |
| # and becomes confused when a bundle's CFExecutableName changes |
| # (https://openradar.appspot.com/23614087), so verify a copy at a unique path. |
| temp_dir="$(mktemp -d -t "$(basename "${0}")")" |
| |
| cleanup() { |
| set +e |
| rm -rf "${temp_dir}" |
| } |
| trap cleanup EXIT |
| |
| temp_browser_app="${temp_dir}/$(basename "${browser_app}")" |
| rsync -a "${browser_app}/" "${temp_browser_app}" |
| spctl --assess -vv "${temp_browser_app}" |
