-rw-r--r--chrome/browser/chrome_browser_main_mac.mm11
-rw-r--r--chrome/chrome_installer.gypi15
-rw-r--r--chrome/installer/mac/keychain_reauthorize_main.cc81
-rw-r--r--chrome/installer/mac/sign_app.sh.in3
4 files changed, 9 insertions, 101 deletions
diff --git a/chrome/browser/chrome_browser_main_mac.mm b/chrome/browser/chrome_browser_main_mac.mm
index 54560b1..8d69833 100644
--- a/chrome/browser/chrome_browser_main_mac.mm
+++ b/chrome/browser/chrome_browser_main_mac.mm
@@ -89,9 +89,7 @@ void ChromeBrowserMainPartsMac::PreEarlyInitialization() {
// have to run again.
//
// This is kicked off by a special stub executable during an automatic
- // update. See chrome/installer/mac/keychain_reauthorize_main.cc. This is
- // done during update installation in additon to browser app launch to
- // help reauthorize Keychain items for users who never restart Chrome.
+ // update. See chrome/installer/mac/keychain_reauthorize_main.cc.
chrome::browser::mac::KeychainReauthorizeIfNeeded(
kKeychainReauthorizeAtUpdatePref, kKeychainReauthorizeAtUpdateMaxTries);
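Review bot: The rewritten comment still sends readers to chrome/installer/mac/keychain_reauthorize_main.cc, but this same commit deletes that file, so the pointer dangles as soon as the change lands. The stub now appears to ship as prebuilt files copied from installer/mac/internal/keychain_reauthorize/ (see the chrome_installer.gypi hunk), so the comment could say that instead, e.g. `// update. The stub is a prebuilt executable packaged from chrome/installer/mac/internal/keychain_reauthorize/.` Since that stub is what reaches the existing Keychain items, one accurate pointer to where it comes from is worth keeping. PreEarlyInitialization's body starts and ends outside the hunk.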
@@ -179,13 +177,6 @@ void ChromeBrowserMainPartsMac::PreMainMessageLoopStart() {
// |-application:openFiles:|, since we already handle them directly.
[[NSUserDefaults standardUserDefaults]
setObject:@"NO" forKey:@"NSTreatUnknownArgumentsAsOpen"];
-
- // Do Keychain reauthorization at browser app launch. This gets two chances
- // to run. If the first try doesn't complete successfully (crashes or is
- // interrupted for any reason), there will be a second chance. Once this
- // step completes successfully, it should never have to run again.
- chrome::browser::mac::KeychainReauthorizeIfNeeded(
- kKeychainReauthorizeAtLaunchPref, kKeychainReauthorizeAtLaunchMaxTries);
}
void ChromeBrowserMainPartsMac::DidEndMainMessageLoop() {
diff --git a/chrome/chrome_installer.gypi b/chrome/chrome_installer.gypi
index 74480b4..1b67958 100644
--- a/chrome/chrome_installer.gypi
+++ b/chrome/chrome_installer.gypi
@@ -892,7 +892,6 @@
'target_name': 'installer_packaging',
'type': 'none',
'dependencies': [
- 'keychain_reauthorize',
'installer/mac/third_party/bsdiff/goobsdiff.gyp:*',
'installer/mac/third_party/xz/xz.gyp:*',
],
@@ -966,16 +965,16 @@
}], # branding=="Chrome" and buildtype=="Official"
], # conditions
},
+ {
+ 'destination': '<(mac_packaging_dir)/.keychain_reauthorize',
+ 'files': [
+ 'installer/mac/internal/keychain_reauthorize/com.google.Chrome',
+ 'installer/mac/internal/keychain_reauthorize/com.google.Chrome.canary',
+ ],
+ },
], # copies
}, # target: installer_packaging
{
- 'target_name': 'keychain_reauthorize',
- 'type': 'executable',
- 'sources': [
- 'installer/mac/keychain_reauthorize_main.cc',
- ],
- }, # target: keychain_reauthorize
- {
'target_name': 'gcapi_lib',
'type': 'static_library',
'include_dirs': [
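Review bot: The new `copies` entry packages two prebuilt executables from installer/mac/internal/keychain_reauthorize/ while the same commit removes the `keychain_reauthorize` target and deletes its source, so nothing in the build ties the shipped binaries to reviewable code or checks them before packaging. Because these stubs run at update time to reach existing Keychain items, I would record their provenance next to the entry, e.g. `# Prebuilt stubs (presumably signed with the old certificate); built from keychain_reauthorize_main.cc at <source-revision placeholder>.`, and have the packaging step run `codesign --verify` on both files. The entry also sits after the `branding=="Chrome" and buildtype=="Official"` conditions block closes, so it looks unconditional; if the internal directory is absent from some checkouts the copy would presumably fail there, which is worth confirming. The gcapi_lib target continues outside the hunk.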
diff --git a/chrome/installer/mac/keychain_reauthorize_main.cc b/chrome/installer/mac/keychain_reauthorize_main.cc
deleted file mode 100644
index 9fb7ffc..0000000
--- a/chrome/installer/mac/keychain_reauthorize_main.cc
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// The entry point for the Mac Chrome Keychain Reauthorization process,
-// which runs at update time. It needs to be signed by the old certificate
-// in order to have access to the existing Keychain items, so it takes the
-// form of this little stub that uses dlopen and dlsym to find a current
-// Chrome framework, which can be signed by any certificate including the new
-// one. This architecture allows the updater to peform keychain
-// reauthorization by using an old copy of this executable signed with the old
-// certificate even after the rest of Chrome has switched to being signed with
-// the new certificate. The reauthorization code remains in the framework to
-// avoid duplication and to allow it to change over time without having to
-// re-sign this executable with the old certificate. This uses dlopen and
-// dlsym to avoid problems linking with a library whose path is not fixed and
-// whose version changes with each release.
-//
-// In order to satisfy the requirements of items stored in the Keychain, this
-// executable needs to be named "com.google.Chrome" or
-// "com.google.Chrome.canary", because the original applications were signed
-// with deignated requirements requiring the identifier to be one of those
-// names.
-
-#include <dlfcn.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-__attribute__((visibility("default")))
-int main(int argc, char* argv[]) {
- const char* me = argv[0];
-
- // Since |me| will be something like "com.google.Chrome", also use an
- // alternate name to avoid confusion.
- const char alt_me[] = "keychain_reauthorize";
-
- if (argc != 2) {
- fprintf(stderr, "usage: %s (%s) <framework_code_path>\n", me, alt_me);
- return 1;
- }
-
- const char* framework_code_path = argv[1];
- void* framework_code = dlopen(framework_code_path, RTLD_LAZY | RTLD_GLOBAL);
- if (!framework_code) {
- fprintf(stderr, "%s (%s): dlopen: %s\n", me, alt_me, dlerror());
- return 1;
- }
-
- typedef int(*ChromeMainType)(int, char**);
- ChromeMainType chrome_main =
- reinterpret_cast<ChromeMainType>(dlsym(framework_code, "ChromeMain"));
- if (!chrome_main) {
- fprintf(stderr, "%s (%s): dlsym: %s\n", me, alt_me, dlerror());
- return 1;
- }
-
- // Use strdup to get char* copies of the original const char* strings.
- // ChromeMain doesn't promise that it won't touch its argv.
- char* me_copy = strdup(me);
- char* keychain_reauthorize_argument = strdup("--keychain-reauthorize");
- char* chrome_main_argv[] = {
- me_copy,
- keychain_reauthorize_argument
- };
-
- int chrome_main_argc = sizeof(chrome_main_argv) / sizeof(chrome_main_argv[0]);
-
- // Not expected to return.
- int rv = chrome_main(chrome_main_argc, chrome_main_argv);
-
- fprintf(stderr, "%s (%s): NOTREACHED!\n", me, alt_me);
-
- free(keychain_reauthorize_argument);
- free(me_copy);
-
- // As in chrome_exe_main_mac.cc: exit, don't return from main, to avoid the
- // apparent removal of main from stack backtraces under tail call
- // optimization.
- exit(rv);
-}
diff --git a/chrome/installer/mac/sign_app.sh.in b/chrome/installer/mac/sign_app.sh.in
index cb4a2da..4738ed7 100644
--- a/chrome/installer/mac/sign_app.sh.in
+++ b/chrome/installer/mac/sign_app.sh.in
@@ -48,8 +48,7 @@ helper_np_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper NP.app"
requirement_string="\
designated => \
(identifier \"com.google.Chrome\" or identifier \"com.google.Chrome.canary\") \
-and (certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\" or \
-certificate leaf = H\"9481882581d8178db8b1649c0eaa4f9eb11288f0\")\
+and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\
"
codesign -s "${codesign_id}" --keychain "${codesign_keychain}" \
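Review bot: The designated requirement now pins the single leaf hash `85cee8254216185620ddc8851c7a9fc4dfe120ef` with no comment saying which signing certificate that is or why the second hash was dropped. The deleted stub's header indicates Keychain items are checked against this requirement, so a build signed with any other leaf certificate would stop satisfying it and would depend on the update-time reauthorization stub. That coupling deserves a note above `requirement_string=`, e.g. `# Leaf certificate hash that existing Keychain items are authorized against; changing it requires a Keychain reauthorization step.` It is also worth confirming that `codesign_id` selects the certificate with this leaf hash, since a mismatch would likely yield a signature that does not meet its own designated requirement. The codesign command continues outside the hunk.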