#!/bin/bash -p # Copyright (c) 2012 The Chromium Authors. All rights reserved. # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. # Using codesign, sign the application. After signing, the signatures on the # inner bundle components are verified, and the application's own signature is # verified. Inner bundle components are expected to be signed before this # script is called. See sign_versioned_dir.sh. set -eu # Environment sanitization. Set a known-safe PATH. Clear environment variables # that might impact the interpreter's operation. The |bash -p| invocation # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among # other features), but clearing them here ensures that they won't impact any # shell scripts used as utility programs. SHELLOPTS is read-only and can't be # unset, only unexported. export PATH="/usr/bin:/bin:/usr/sbin:/sbin" unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT export -n SHELLOPTS ME="$(basename "${0}")" readonly ME if [[ ${#} -ne 3 ]]; then echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2 exit 1 fi app_path="${1}" codesign_keychain="${2}" codesign_id="${3}" # Use custom resource rules for the browser application. script_dir="$(dirname "${0}")" browser_app_rules="${script_dir}/app_resource_rules.plist" versioned_dir="${app_path}/Contents/Versions/@VERSION@" browser_app="${app_path}" framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" crashpad_handler="${framework}/Helpers/crashpad_handler" helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" helper_eh_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper EH.app" helper_np_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper NP.app" requirement_string="\ designated => \ (identifier \"com.google.Chrome\" or identifier \"com.google.Chrome.canary\") \ and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\ " codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ "${browser_app}" --resource-rules "${browser_app_rules}" \ -r="${requirement_string}" # Show the signature. codesign --display -r- -vvvvvv "${browser_app}" # Verify everything. Check the framework and helper apps to make sure that the # signatures are present and weren't altered by the signing process. Don't use # --deep on the framework because Keystone's signature is in a transitional # state (radar 18474911). Use --no-strict on the app because it uses custom # resource rules. codesign --verify --deep -vvvvvv "${crashpad_handler}" codesign --verify -vvvvvv "${framework}" codesign --verify --deep -vvvvvv "${helper_app}" codesign --verify --deep -vvvvvv "${helper_eh_app}" codesign --verify --deep -vvvvvv "${helper_np_app}" codesign --verify --deep --no-strict -vvvvvv "${browser_app}" # Verify with spctl, which uses the same rules that Gatekeeper does for # validation. spctl --assess -vv "${browser_app}"