author | mark@chromium.org <mark@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-11 17:46:30 +0000 |
---|---|---|
committer | mark@chromium.org <mark@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-06-11 17:46:30 +0000 |
commit | 78ecf43dbd649aca57273c388538da9c7bcb8d2a (patch) | |
tree | c99adf971cf0891f7b60097ea4c646cd04e6b0e4 | |
parent | 0b3c9775dc0de558219b776c2ba1a1487352df47 (diff) | |
Split sign.sh into two pieces to allow the contents of the versioned directory
to be signed independently of the outer browser application bundle.
BUG=45017
TEST=none
Review URL: http://codereview.chromium.org/2749014
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@49552 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/chrome_installer.gypi | 17 | ||||
-rwxr-xr-x | chrome/installer/mac/make_sign_sh | 48 | ||||
-rwxr-xr-x | chrome/installer/mac/make_signers.sh | 64 | ||||
-rw-r--r-- | chrome/installer/mac/sign.sh.in | 51 | ||||
-rw-r--r-- | chrome/installer/mac/sign_app.sh.in | 53 | ||||
-rw-r--r-- | chrome/installer/mac/sign_versioned_dir.sh.in | 51 |
6 files changed, 176 insertions, 108 deletions
diff --git a/chrome/chrome_installer.gypi b/chrome/chrome_installer.gypi index c7f079e..3680cce 100644 --- a/chrome/chrome_installer.gypi +++ b/chrome/chrome_installer.gypi @@ -777,23 +777,22 @@ # use to sign the .app bundle. 'action_name': 'Make sign.sh', 'variables': { - 'make_sign_sh_path': 'installer/mac/make_sign_sh', - 'sign_sh_in_path': 'installer/mac/sign.sh.in', - 'app_resource_rules_in_path': - 'installer/mac/app_resource_rules.plist.in', + 'make_signers_sh_path': 'installer/mac/make_signers.sh', }, 'inputs': [ - '<(make_sign_sh_path)', - '<(sign_sh_in_path)', - '<(app_resource_rules_in_path)', + '<(make_signers_sh_path)', + 'installer/mac/sign_app.sh.in', + 'installer/mac/sign_versioned_dir.sh.in', + 'installer/mac/app_resource_rules.plist.in', '<(version_path)', ], 'outputs': [ - '<(mac_packaging_dir)/sign.sh', + '<(mac_packaging_dir)/sign_app.sh', + '<(mac_packaging_dir)/sign_versioned_dir.sh', '<(mac_packaging_dir)/app_resource_rules.plist', ], 'action': [ - '<(make_sign_sh_path)', + '<(make_signers_sh_path)', '<(mac_packaging_sh_dir)', '<(mac_product_name)', '<(version_full)', diff --git a/chrome/installer/mac/make_sign_sh b/chrome/installer/mac/make_sign_sh deleted file mode 100755 index db6e1c2..0000000 --- a/chrome/installer/mac/make_sign_sh +++ /dev/null 
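Review bot: The context line `'action_name': 'Make sign.sh'` and the comment above it are stale now that this action emits `sign_app.sh` and `sign_versioned_dir.sh`; something like `'action_name': 'Make signers'` would match the new outputs, provided nothing else keys off the old name. The `inputs` list now names the two `.in` templates literally while `make_signers.sh` keeps its own `in_files` array, so the two lists must be edited together. A comment above `'inputs'` such as `# Keep in sync with in_files in installer/mac/make_signers.sh.` would make that visible, since a template missing from `inputs` could let a stale signing script survive an incremental build. The enclosing action dict starts and ends outside this hunk.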
@@ -1,48 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2009 The Chromium Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -# This script creates sign.sh, the script that will be used to sign the -# application bundle and inner bundles. It also creates auxiliary files that -# sign.sh needs to do its job, such as the custom resource rules used to sign -# the outermost application bundle. These files are placed in the Packaging -# directory next to the .app bundle. The packaging system is expected to run -# sign.sh to sign everything. - -set -e - -if [ $# -ne 3 ] ; then - echo "usage: ${0} PACKAGING_DIR MAC_PRODUCT_NAME VERSION" >& 2 - exit 1 -fi - -PACKAGING_DIR="${1}" -MAC_PRODUCT_NAME="${2}" -VERSION="${3}" - -INPUT_DIR="$(dirname "${0}")" -SIGN_SH_IN_FILE="${INPUT_DIR}/sign.sh.in" -SIGN_SH_FILE="${PACKAGING_DIR}/sign.sh" -BROWSER_APP_RULES_IN_FILE="${INPUT_DIR}/app_resource_rules.plist.in" -BROWSER_APP_RULES_FILE="${PACKAGING_DIR}/app_resource_rules.plist" - -# Double-backslash each dot: one backslash belongs in the regular expression, -# and the other backslash tells sed not to treat the first backslash -# specially. -VERSION_REGEX="$(echo "${VERSION}" | sed -e 's/\./\\\\./g')" - -mkdir -p "${PACKAGING_DIR}" -sed -e "s/@MAC_PRODUCT_NAME@/${MAC_PRODUCT_NAME}/g" \ - -e "s/@VERSION@/${VERSION}/g" \ - -e "s/@VERSION_REGEX@/${VERSION_REGEX}/g" \ - < "${SIGN_SH_IN_FILE}" \ - > "${SIGN_SH_FILE}" -chmod +x "${SIGN_SH_FILE}" - -sed -e "s/@MAC_PRODUCT_NAME@/${MAC_PRODUCT_NAME}/g" \ - -e "s/@VERSION@/${VERSION}/g" \ - -e "s/@VERSION_REGEX@/${VERSION_REGEX}/g" \ - < "${BROWSER_APP_RULES_IN_FILE}" \ - > "${BROWSER_APP_RULES_FILE}" diff --git a/chrome/installer/mac/make_signers.sh b/chrome/installer/mac/make_signers.sh new file mode 100755 index 0000000..57d7628 --- /dev/null +++ b/chrome/installer/mac/make_signers.sh 
@@ -0,0 +1,64 @@
+#!/bin/bash -p
+
+# Copyright (c) 2009 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# This script creates sign_app.sh and sign_versioned_dir.sh, the scripts that
+# will be used to sign the application bundle and inner bundles. It also
+# creates auxiliary files that these scripts need to do their jobs, such as
+# the custom resource rules used to sign the outermost application bundle.
+# The build places these in the "${mac_product_name} Packaging" directory next
+# to the .app bundle. The packaging system is expected to run these scripts to
+# sign everything.
+
+set -eu
+
+# Environment sanitization. Set a known-safe PATH. Clear environment variables
+# that might impact the interpreter's operation. The |bash -p| invocation
+# on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
+# other features), but clearing them here ensures that they won't impact any
+# shell scripts used as utility programs. SHELLOPTS is read-only and can't be
+# unset, only unexported.
+export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
+export -n SHELLOPTS
+
+ME="$(basename "${0}")"
+readonly ME
+
+if [[ ${#} -ne 3 ]]; then
+ echo "usage: ${ME} packaging_dir mac_product_name version" >& 2
+ exit 1
+fi
+
+packaging_dir="${1}"
+mac_product_name="${2}"
+version="${3}"
+
+script_dir="$(dirname "${0}")"
+in_files=(
+ "${script_dir}/sign_app.sh.in"
+ "${script_dir}/sign_versioned_dir.sh.in"
+ "${script_dir}/app_resource_rules.plist.in"
+)
+
+# Double-backslash each dot: one backslash belongs in the regular expression,
+# and the other backslash tells sed not to treat the first backslash
+# specially.
+version_regex="$(echo "${version}" | sed -e 's/\./\\\\./g')"
+
+mkdir -p "${packaging_dir}"
+
+for in_file in "${in_files[@]}"; do
+ out_file="${packaging_dir}/$(basename "${in_file:0:${#in_file} - 3}")"
+ sed -e "s/@MAC_PRODUCT_NAME@/${mac_product_name}/g" \
+ -e "s/@VERSION@/${version}/g" \
+ -e "s/@VERSION_REGEX@/${version_regex}/g" \
+ < "${in_file}" \
+ > "${out_file}"
+
+ if [[ "${out_file: -3}" = ".sh" ]]; then
+ chmod +x "${out_file}"
+ fi
+done
diff --git a/chrome/installer/mac/sign.sh.in b/chrome/installer/mac/sign.sh.in
deleted file mode 100644
index 18c8197..0000000
--- a/chrome/installer/mac/sign.sh.in
+++ /dev/null
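Review bot: In the `for in_file` loop, `${mac_product_name}` and `${version}` are spliced into the sed programs unescaped, so a `/`, `&` or backslash in either argument breaks the `s///` expression or is interpreted by sed (`&` expands to the matched placeholder), and the result lands in the scripts that later drive codesign. Only the dots in `version_regex` are escaped. Rejecting unexpected input up front, e.g. `[[ "${version}" =~ ^[0-9.]+$ ]] || exit 1`, and escaping the product name with `sed -e 's/[&/\]/\\&/g'` before use would keep the generated signers well-formed. Separately, `> "${out_file}"` truncates the target before sed runs, so a sed failure under `set -e` can leave an empty file that presumably still has its executable bit from an earlier build; writing to a temporary name and renaming on success avoids that.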
@@ -1,51 +0,0 @@ -#!/bin/sh - -# Copyright (c) 2009 The Chromium Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. - -# Using codesign, sign the application. Inner components are signed as needed, -# then the outermost bundle is signed, and everything is verified. - -set -e - -if [ $# -ne 3 ] ; then - echo "usage: ${0} APP_PATH CODESIGN_KEYCHAIN CODESIGN_ID" >& 2 - exit 1 -fi - -APP_PATH="${1}" -CODESIGN_KEYCHAIN="${2}" -CODESIGN_ID="${3}" - -# Use custom resource rules for the browser application. -BROWSER_APP_RULES="$(dirname "${0}")/app_resource_rules.plist" - -# An .app bundle to be signed can be signed directly. Normally, signging a -# framework bundle requires that each version within be signed individually. -# http://developer.apple.com/mac/library/technotes/tn2007/tn2206.html#TNTAG13 -# In Chrome's case, the framework bundle is unversioned, so it too can be -# signed directly. See copy_framework_unversioned. - -BROWSER_APP="${APP_PATH}" -FRAMEWORK="${BROWSER_APP}/Contents/Versions/@VERSION@/@MAC_PRODUCT_NAME@ Framework.framework" -HELPER_APP="${BROWSER_APP}/Contents/Versions/@VERSION@/@MAC_PRODUCT_NAME@ Helper.app" - -echo "${0}: signing..." - -# Sign the outer .app last so that its seal includes the signed inner -# components. - -codesign -s "${CODESIGN_ID}" --keychain "${CODESIGN_KEYCHAIN}" "${FRAMEWORK}" -codesign -s "${CODESIGN_ID}" --keychain "${CODESIGN_KEYCHAIN}" "${HELPER_APP}" -codesign -s "${CODESIGN_ID}" --keychain "${CODESIGN_KEYCHAIN}" \ - "${BROWSER_APP}" --resource-rules "${BROWSER_APP_RULES}" - -# Verify everything to ensure that signing the outer bundle didn't break an -# inner bundle. - -echo "${0}: verifying..." - -codesign -v "${FRAMEWORK}" -codesign -v "${HELPER_APP}" -codesign -v "${BROWSER_APP}" diff --git a/chrome/installer/mac/sign_app.sh.in b/chrome/installer/mac/sign_app.sh.in new file mode 100644 index 0000000..64ab064 --- /dev/null 
+++ b/chrome/installer/mac/sign_app.sh.in 
@@ -0,0 +1,53 @@
+#!/bin/bash -p
+
+# Copyright (c) 2009 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Using codesign, sign the application. After signing, the signatures on the
+# inner bundle components are verified, and the application's own signature is
+# verified. Inner bundle components are expected to be signed before this
+# script is called. See sign_versioned_dir.sh.
+
+set -eu
+
+# Environment sanitization. Set a known-safe PATH. Clear environment variables
+# that might impact the interpreter's operation. The |bash -p| invocation
+# on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
+# other features), but clearing them here ensures that they won't impact any
+# shell scripts used as utility programs. SHELLOPTS is read-only and can't be
+# unset, only unexported.
+export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
+export -n SHELLOPTS
+
+ME="$(basename "${0}")"
+readonly ME
+
+if [[ ${#} -ne 3 ]]; then
+ echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
+ exit 1
+fi
+
+app_path="${1}"
+codesign_keychain="${2}"
+codesign_id="${3}"
+
+# Use custom resource rules for the browser application.
+script_dir="$(dirname "${0}")"
+browser_app_rules="${script_dir}/app_resource_rules.plist"
+
+versioned_dir="${app_path}/Contents/Versions/@VERSION@"
+
+browser_app="${app_path}"
+framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
+helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
+
+codesign -s "${codesign_id}" --keychain "${codesign_keychain}" \
+ "${browser_app}" --resource-rules "${browser_app_rules}"
+
+# Verify everything. Check the framework and helper app to make sure that the
+# signatures are present and weren't altered by the signing process.
+codesign -v "${framework}"
+codesign -v "${helper_app}"
+codesign -v "${browser_app}"
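Review bot: The three `codesign -v` calls at the end confirm only that each bundle carries an intact signature, not who made it. Because this split lets the framework and helper be signed in a separate step by `sign_versioned_dir.sh`, the app signer would accept inner components sealed with any identity. If everything is meant to share `codesign_id`, test a requirement during verification (codesign's `-R` option, if the build hosts' codesign supports it) or compare the authority shown by `codesign -d -vv` with the expected identity. Running the two inner `codesign -v` checks once more before `codesign -s` on `${browser_app}` would also make a missing or broken inner signature abort under `set -e` before the outer seal is produced. The same bare `codesign -v` pattern closes `sign_versioned_dir.sh.in`, where it directly follows that script's own signing.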
diff --git a/chrome/installer/mac/sign_versioned_dir.sh.in b/chrome/installer/mac/sign_versioned_dir.sh.in
new file mode 100644
index 0000000..bfda849
--- /dev/null
+++ b/chrome/installer/mac/sign_versioned_dir.sh.in
@@ -0,0 +1,51 @@
+#!/bin/bash -p
+
+# Copyright (c) 2009 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Using codesign, sign the contents of the versioned directory. Namely, this
+# includes the framework and helper app. After signing, the signatures are
+# verified.
+
+set -eu
+
+# Environment sanitization. Set a known-safe PATH. Clear environment variables
+# that might impact the interpreter's operation. The |bash -p| invocation
+# on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
+# other features), but clearing them here ensures that they won't impact any
+# shell scripts used as utility programs. SHELLOPTS is read-only and can't be
+# unset, only unexported.
+export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
+unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
+export -n SHELLOPTS
+
+ME="$(basename "${0}")"
+readonly ME
+
+if [[ ${#} -ne 3 ]]; then
+ echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
+ exit 1
+fi
+
+app_path="${1}"
+codesign_keychain="${2}"
+codesign_id="${3}"
+
+versioned_dir="${app_path}/Contents/Versions/@VERSION@"
+
+# An .app bundle to be signed can be signed directly. Normally, signging a
+# framework bundle requires that each version within be signed individually.
+# http://developer.apple.com/mac/library/technotes/tn2007/tn2206.html#TNTAG13
+# In Chrome's case, the framework bundle is unversioned, so it too can be
+# signed directly. See copy_framework_unversioned.
+
+framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
+helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
+
+codesign -s "${codesign_id}" --keychain "${codesign_keychain}" "${framework}"
+codesign -s "${codesign_id}" --keychain "${codesign_keychain}" "${helper_app}"
+
+# Verify everything.
+codesign -v "${framework}"
+codesign -v "${helper_app}" |
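Review bot: The header comment does not say that `app_path` is the outer .app bundle rather than the versioned directory itself, nor that this script is meant to run before `sign_app.sh`; only `sign_app.sh.in` carries that ordering note. Suggest adding `# app_path is the outer .app bundle; run this before sign_app.sh, which signs the outer bundle and re-verifies these components.` to the header. The carried-over comment about framework bundles also has a typo, `signging` for `signing`.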