search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Extensions: Store disable reasons in Sync
[chromium-blink-merge.git] / chrome / installer / mac / sign_app.sh.in
blobc289f82a3937c4e6acc8f64f2f06bed6fc5b4fa8
1 #!/bin/bash -p
2
3 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
4 # Use of this source code is governed by a BSD-style license that can be
5 # found in the LICENSE file.
6
7 # Using codesign, sign the application. After signing, the signatures on the
8 # inner bundle components are verified, and the application's own signature is
9 # verified. Inner bundle components are expected to be signed before this
10 # script is called. See sign_versioned_dir.sh.
11
12 set -eu
13
14 # Environment sanitization. Set a known-safe PATH. Clear environment variables
15 # that might impact the interpreter's operation. The |bash -p| invocation
16 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
17 # other features), but clearing them here ensures that they won't impact any
18 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be
19 # unset, only unexported.
20 export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
21 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
22 export -n SHELLOPTS
23
24 ME="$(basename "${0}")"
25 readonly ME
26
27 if [[ ${#} -ne 3 ]]; then
28 echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
29 exit 1
30 fi
31
32 app_path="${1}"
33 codesign_keychain="${2}"
34 codesign_id="${3}"
35
36 # Use custom resource rules for the browser application.
37 script_dir="$(dirname "${0}")"
38 browser_app_rules="${script_dir}/app_resource_rules.plist"
39
40 versioned_dir="${app_path}/Contents/Versions/@VERSION@"
41
42 browser_app="${app_path}"
43 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
44 crashpad_handler="${framework}/Helpers/crashpad_handler"
45 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
46 helper_eh_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper EH.app"
47 helper_np_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper NP.app"
48
49 requirement_string="\
50 designated => \
51 (identifier \"com.google.Chrome\" or identifier \"com.google.Chrome.canary\") \
52 and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\
53 "
54
55 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
56 "${browser_app}" --resource-rules "${browser_app_rules}" \
57 -r="${requirement_string}"
58
59 # Show the signature.
60 codesign --display -r- -vvvvvv "${browser_app}"
61
62 # Verify everything. Check the framework and helper apps to make sure that the
63 # signatures are present and weren't altered by the signing process. Don't use
64 # --deep on the framework because Keystone's signature is in a transitional
65 # state (radar 18474911). Use --no-strict on the app because it uses custom
66 # resource rules.
67 codesign --verify --deep -vvvvvv "${crashpad_handler}"
68 codesign --verify -vvvvvv "${framework}"
69 codesign --verify --deep -vvvvvv "${helper_app}"
70 codesign --verify --deep -vvvvvv "${helper_eh_app}"
71 codesign --verify --deep -vvvvvv "${helper_np_app}"
72 codesign --verify --deep --no-strict -vvvvvv "${browser_app}"
73
74 # Verify with spctl, which uses the same rules that Gatekeeper does for
75 # validation.
76 spctl --assess -vv "${browser_app}"