-rw-r--r-- | chrome/browser/chrome_browser_main_mac.mm | 11 | ||||
-rw-r--r-- | chrome/chrome_installer.gypi | 15 | ||||
-rw-r--r-- | chrome/installer/mac/keychain_reauthorize_main.cc | 81 | ||||
-rw-r--r-- | chrome/installer/mac/sign_app.sh.in | 3 |
4 files changed, 9 insertions, 101 deletions
diff --git a/chrome/browser/chrome_browser_main_mac.mm b/chrome/browser/chrome_browser_main_mac.mm index 54560b1..8d69833 100644 --- a/chrome/browser/chrome_browser_main_mac.mm +++ b/chrome/browser/chrome_browser_main_mac.mm @@ -89,9 +89,7 @@ void ChromeBrowserMainPartsMac::PreEarlyInitialization() { // have to run again. // // This is kicked off by a special stub executable during an automatic - // update. See chrome/installer/mac/keychain_reauthorize_main.cc. This is - // done during update installation in additon to browser app launch to - // help reauthorize Keychain items for users who never restart Chrome. + // update. See chrome/installer/mac/keychain_reauthorize_main.cc. chrome::browser::mac::KeychainReauthorizeIfNeeded( kKeychainReauthorizeAtUpdatePref, kKeychainReauthorizeAtUpdateMaxTries); @@ -179,13 +177,6 @@ void ChromeBrowserMainPartsMac::PreMainMessageLoopStart() { // |-application:openFiles:|, since we already handle them directly. [[NSUserDefaults standardUserDefaults] setObject:@"NO" forKey:@"NSTreatUnknownArgumentsAsOpen"]; - - // Do Keychain reauthorization at browser app launch. This gets two chances - // to run. If the first try doesn't complete successfully (crashes or is - // interrupted for any reason), there will be a second chance. Once this - // step completes successfully, it should never have to run again. - chrome::browser::mac::KeychainReauthorizeIfNeeded( - kKeychainReauthorizeAtLaunchPref, kKeychainReauthorizeAtLaunchMaxTries); } void ChromeBrowserMainPartsMac::DidEndMainMessageLoop() { diff --git a/chrome/chrome_installer.gypi b/chrome/chrome_installer.gypi index 74480b4..1b67958 100644 --- a/chrome/chrome_installer.gypi +++ b/chrome/chrome_installer.gypi @@ -892,7 +892,6 @@ 'target_name': 'installer_packaging', 'type': 'none', 'dependencies': [ - 'keychain_reauthorize', 'installer/mac/third_party/bsdiff/goobsdiff.gyp:*', 'installer/mac/third_party/xz/xz.gyp:*', ], 
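Review bot: The shortened comment in PreEarlyInitialization() still ends with `See chrome/installer/mac/keychain_reauthorize_main.cc`, but this same commit deletes that file, so the pointer is stale as soon as it lands. Point readers at what remains instead, for example `// update. The stub is a prebuilt executable packaged from chrome/installer/mac/internal/keychain_reauthorize/.` (path taken from the chrome_installer.gypi change in this commit). The function body starts and ends outside the hunk.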
@@ -966,16 +965,16 @@ }], # branding=="Chrome" and buildtype=="Official" ], # conditions }, + { + 'destination': '<(mac_packaging_dir)/.keychain_reauthorize', + 'files': [ + 'installer/mac/internal/keychain_reauthorize/com.google.Chrome', + 'installer/mac/internal/keychain_reauthorize/com.google.Chrome.canary', + ], + }, ], # copies }, # target: installer_packaging { - 'target_name': 'keychain_reauthorize', - 'type': 'executable', - 'sources': [ - 'installer/mac/keychain_reauthorize_main.cc', - ], - }, # target: keychain_reauthorize - { 'target_name': 'gcapi_lib', 'type': 'static_library', 'include_dirs': [ diff --git a/chrome/installer/mac/keychain_reauthorize_main.cc b/chrome/installer/mac/keychain_reauthorize_main.cc deleted file mode 100644 index 9fb7ffc..0000000 --- a/chrome/installer/mac/keychain_reauthorize_main.cc +++ /dev/null 
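Review bot: The new `copies` entry ships two prebuilt executables from `installer/mac/internal/keychain_reauthorize/`, and nothing in the build ties them to a source revision or a signer now that the `keychain_reauthorize` target is removed. These stubs exist to run with the old certificate's Keychain access, so record their provenance in a comment, e.g. `# Prebuilt stubs signed with the old certificate; built from keychain_reauthorize_main.cc at <REVISION_PLACEHOLDER>.`, and ideally have packaging verify their signature before copying. The entry also appears to sit outside the `branding=="Chrome" and buildtype=="Official"` condition visible just above it, so a checkout without the `internal` directory would presumably fail here. Confirm whether it should be guarded the same way.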
@@ -1,81 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// The entry point for the Mac Chrome Keychain Reauthorization process,
-// which runs at update time. It needs to be signed by the old certificate
-// in order to have access to the existing Keychain items, so it takes the
-// form of this little stub that uses dlopen and dlsym to find a current
-// Chrome framework, which can be signed by any certificate including the new
-// one. This architecture allows the updater to peform keychain
-// reauthorization by using an old copy of this executable signed with the old
-// certificate even after the rest of Chrome has switched to being signed with
-// the new certificate. The reauthorization code remains in the framework to
-// avoid duplication and to allow it to change over time without having to
-// re-sign this executable with the old certificate. This uses dlopen and
-// dlsym to avoid problems linking with a library whose path is not fixed and
-// whose version changes with each release.
-//
-// In order to satisfy the requirements of items stored in the Keychain, this
-// executable needs to be named "com.google.Chrome" or
-// "com.google.Chrome.canary", because the original applications were signed
-// with deignated requirements requiring the identifier to be one of those
-// names.
-
-#include <dlfcn.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-__attribute__((visibility("default")))
-int main(int argc, char* argv[]) {
- const char* me = argv[0];
-
- // Since |me| will be something like "com.google.Chrome", also use an
- // alternate name to avoid confusion.
- const char alt_me[] = "keychain_reauthorize";
-
- if (argc != 2) {
- fprintf(stderr, "usage: %s (%s) <framework_code_path>\n", me, alt_me);
- return 1;
- }
-
- const char* framework_code_path = argv[1];
- void* framework_code = dlopen(framework_code_path, RTLD_LAZY | RTLD_GLOBAL);
- if (!framework_code) {
- fprintf(stderr, "%s (%s): dlopen: %s\n", me, alt_me, dlerror());
- return 1;
- }
-
- typedef int(*ChromeMainType)(int, char**);
- ChromeMainType chrome_main =
- reinterpret_cast<ChromeMainType>(dlsym(framework_code, "ChromeMain"));
- if (!chrome_main) {
- fprintf(stderr, "%s (%s): dlsym: %s\n", me, alt_me, dlerror());
- return 1;
- }
-
- // Use strdup to get char* copies of the original const char* strings.
- // ChromeMain doesn't promise that it won't touch its argv.
- char* me_copy = strdup(me);
- char* keychain_reauthorize_argument = strdup("--keychain-reauthorize");
- char* chrome_main_argv[] = {
- me_copy,
- keychain_reauthorize_argument
- };
-
- int chrome_main_argc = sizeof(chrome_main_argv) / sizeof(chrome_main_argv[0]);
-
- // Not expected to return.
- int rv = chrome_main(chrome_main_argc, chrome_main_argv);
-
- fprintf(stderr, "%s (%s): NOTREACHED!\n", me, alt_me);
-
- free(keychain_reauthorize_argument);
- free(me_copy);
-
- // As in chrome_exe_main_mac.cc: exit, don't return from main, to avoid the
- // apparent removal of main from stack backtraces under tail call
- // optimization.
- exit(rv);
-}
diff --git a/chrome/installer/mac/sign_app.sh.in b/chrome/installer/mac/sign_app.sh.in
index cb4a2da..4738ed7 100644
--- a/chrome/installer/mac/sign_app.sh.in
+++ b/chrome/installer/mac/sign_app.sh.in
@@ -48,8 +48,7 @@ helper_np_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper NP.app" requirement_string="\ designated => \ (identifier \"com.google.Chrome\" or identifier \"com.google.Chrome.canary\") \ -and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \ -certificate leaf = H\"9481882581d8178db8b1649c0eaa4f9eb11288f0\")\ +and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\ " codesign -s "${codesign_id}" --keychain "${codesign_keychain}" \ |
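Review bot: The one remaining `certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"` clause in `requirement_string` is an unlabelled pin: nothing in the script says which signing certificate it identifies, or that the `9481882581d8178db8b1649c0eaa4f9eb11288f0` leaf dropped here was retired on purpose. Code signed with the removed leaf will no longer satisfy this designated requirement, which matters for Keychain items whose access lists were created under the two-certificate form, so the dependency on the packaged `.keychain_reauthorize` stubs should be written down next to it. A comment above the assignment would do, e.g. `# 85cee8… is the SHA-1 of the <CERT_NAME_PLACEHOLDER> leaf certificate; change it only together with the keychain_reauthorize stubs.` The script continues outside the hunk, so a comment elsewhere in the file may already cover this.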