This directory contains Python modules that modify the Chrome application bundle for various release channels, sign the resulting bundle, package it into .dmg/.pkg files for distribution, and sign those resulting .dmg/.pkg files.
The scripts are invoked using the driver located at //chrome/installer/mac/sign_chrome.py. In order to sign a binary, a signing identity is required. Googlers can use the internal development identity; otherwise you can create a self-signed identity.
A sample invocation to use during development would be:
$ ninja -C out/release chrome chrome/installer/mac $ ./out/release/Chromium\ Packaging/sign_chrome.py --input out/release --output /tmp/signed --identity 'MacOS Developer' --development --disable-packaging
The --disable-packaging flag skips the creation of DMG and PKG files, which speeds up the signing process when one is only interested in a signed .app bundle. The --development flag skips over code signing requirements and checks that do not work without the official Google signing identity.
The signing scripts do not work out-of-the-box with a Chromium build. Until https://crbug.com/1021255 is fixed, in order to have a working (i.e. launch-able), signed Chromium:
com.apple.application-identifierkeychain-access-groupscom.apple.developer.associated-domains.applinks.read-writetouch out/<outdir>/Chromium\ Packaging/keystone_install.shsign_chrome.py as documented above.Note that the Chromium code sign config only produces one Distribution to sign just the .app. An is_chrome_build=true build produces several Distributions for the official release system.
Simply run the wrapper script at //chrome/installer/mac/signing/run_mac_signing_tests.py.
You can pass --coverage or -c to show coverage information. To generate a HTML coverage report and Python coverage package is available (via pip install coverage), run:
coverage3 run -m unittest discover -p '*_test.py' coverage3 html
The code is automatically formatted with YAPF. Run:
git cl format --python