mac: Sign app_mode_loader [badly]

We can't sign the app_mode_loader bundle because it's altered at runtime as new app mode loader stubs are created. We can sign just the executable. The resulting executable won't validate in its bundle normally, and spctl won't like it, but it can be verified with --ignore-resources, or in isolation from its bundle. BUG=550972 Review URL: https://codereview.chromium.org/1486863003 Cr-Commit-Position: refs/heads/master@{#363070}

mac: Sign app_mode_loader [badly]
We can't sign the app_mode_loader bundle because it's altered at runtime as new app mode loader stubs are created. We can sign just the executable. The resulting executable won't validate in its bundle normally, and spctl won't like it, but it can be verified with --ignore-resources, or in isolation from its bundle. BUG=550972 Review URL: https://codereview.chromium.org/1486863003 Cr-Commit-Position: refs/heads/master@{#363070}
2720613d · mark · Commit bot · c5c1f865 · 2720613d
Commit 2720613d authored Dec 03, 2015 by mark Committed by Commit bot Dec 03, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 0 deletions

chrome/installer/mac/sign_versioned_dir.sh.in chrome/installer/mac/sign_versioned_dir.sh.in +21 -0

No files found.
--- a/chrome/installer/mac/sign_versioned_dir.sh.in
+++ b/chrome/installer/mac/sign_versioned_dir.sh.in
@@ -43,6 +43,8 @@ versioned_dir="${app_path}/Contents/Versions/@VERSION@"
 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
 crashpad_handler="${framework}/Helpers/crashpad_handler"
 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
+app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
+app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
 requirement_suffix="\
 and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\
@@ -54,10 +56,28 @@ codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
    "${crashpad_handler}" \
    -r="designated => identifier \"crashpad_handler\" \
 ${requirement_suffix}" --options "${enforcement_flags}"
+# The app mode loader bundle is modified dynamically at runtime. Just sign the
+# executable, which shouldn't change. In order to do this, the executable needs
+# to be copied out of the bundle, signed, and then copied back in. The resulting
+# bundle's signature won't validate normally, but if the executable file is
+# verified in isolation or with --ignore-resources, it will. Because the
+# bundle's signature won't validate on its own, don't set any of the enforcement
+# flags.
+app_mode_loader_tmp="$(mktemp -t app_mode_loader)"
+cp "${app_mode_loader}" "${app_mode_loader_tmp}"
+codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
+    "${app_mode_loader_tmp}" \
+    -r="designated => identifier \"app_mode_loader\" \
+${requirement_suffix}"
+cp "${app_mode_loader_tmp}" "${app_mode_loader}"
+rm -f "${app_mode_loader_tmp}"
 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
    "${framework}" \
    -r="designated => identifier \"com.google.Chrome.framework\" \
 ${requirement_suffix}"
 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
    "${helper_app}" \
    -r="designated => identifier \"com.google.Chrome.helper\" \
@@ -66,5 +86,6 @@ ${requirement_suffix}" --options "${enforcement_flags}"
 # Verify everything. Don't use --deep on the framework because Keystone's
 # signature is in a transitional state (radar 18474911).
 codesign --verify --deep "${crashpad_handler}"
+codesign --verify --ignore-resources "${app_mode_loader}"
 codesign --verify "${framework}"
 codesign --verify --deep "${helper_app}"