chrome/installer/mac/sign_app.sh.in

#!/bin/bash -p

# Copyright (c) 2012 The Chromium Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Using codesign, sign the application. After signing, the signatures on the
# inner bundle components are verified, and the application's own signature is
# verified. Inner bundle components are expected to be signed before this
# script is called. See sign_versioned_dir.sh.in.

set -eu

# Environment sanitization. Set a known-safe PATH. Clear environment variables
# that might impact the interpreter's operation. The |bash -p| invocation
# on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
# other features), but clearing them here ensures that they won't impact any
# shell scripts used as utility programs. SHELLOPTS is read-only and can't be
# unset, only unexported.
export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
export -n SHELLOPTS

ME="$(basename "${0}")"
readonly ME

if [[ ${#} -ne 3 ]]; then
  echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
  exit 1
fi

app_path="${1}"
codesign_keychain="${2}"
codesign_id="${3}"

# Use custom resource rules for the browser application.
script_dir="$(dirname "${0}")"
browser_app_rules="${script_dir}/app_resource_rules.plist"

versioned_dir="${app_path}/Contents/Versions/@VERSION@"

browser_app="${app_path}"
framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
notification_service="${framework}/XPCServices/AlertNotificationService.xpc"
crashpad_handler="${framework}/Helpers/crashpad_handler"
helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"

requirement_string="\
designated => \
(identifier \"com.google.Chrome\" or \
identifier \"com.google.Chrome.beta\" or \
identifier \"com.google.Chrome.dev\" or \
identifier \"com.google.Chrome.canary\") \
and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \
certificate leaf = H\"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a\") \
"

enforcement_flags="restrict"

codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
    "${browser_app}" \
    --options "${enforcement_flags}" \
    --resource-rules "${browser_app_rules}" \
    -r="${requirement_string}"

# Show the signature.
codesign --display --verbose=5 -r- "${browser_app}"

# Verify everything. Check the framework and helper apps to make sure that the
# signatures are present and weren't altered by the signing process. Use
# --ignore-resources on the app mode loader because its signature only covers
# the main executable, not its containing .app bundle. Use --no-strict to
# verify items that use custom resource rules:
#  - The outermost brrowser .app
#  - The inner .framework, which has a nested component that uses them.
codesign --verify --verbose=6 --deep --no-strict "${browser_app}"
codesign --verify --verbose=6 --deep "${crashpad_handler}"
codesign --verify --verbose=6 --ignore-resources "${app_mode_loader}"
codesign --verify --verbose=6 --deep "${notification_service}"
# Check the framework twice: once deep with no-strict, and once shallow with
# strict verification.
codesign --verify --verbose=6 --deep --no-strict "${framework}"
codesign --verify --verbose=6 --strict "${framework}"
codesign --verify --verbose=6 --deep "${helper_app}"

# Verify with spctl, which uses the same rules that Gatekeeper does for
# validation. This is unreliable on 10.11 where syspolicyd caches assessments
# and becomes confused when a bundle's CFExecutableName changes
# (https://openradar.appspot.com/23614087), so verify a copy at a unique path.
temp_dir="$(mktemp -d -t "$(basename "${0}")")"

cleanup() {
  set +e
  rm -rf "${temp_dir}"
}
trap cleanup EXIT

temp_browser_app="${temp_dir}/$(basename "${browser_app}")"
rsync -a "${browser_app}/" "${temp_browser_app}"
spctl --assess -vv "${temp_browser_app}"