mac: Divide the entitlements into Chrome-specific and Chromium files.

This let the signing scripts work out-of-the-box with Chromium builds. The existing app-entitlements.plist file is split into two: in that file are all the entitlements that work with any signed build of the product, but the entitlements that are bound to the Google Chrome signing identity are moved into a new app-entitlements-chrome.plist. Bug: 1021255 Change-Id: I2aa04d5da1edcaaeeed50f3b70a86400e3aac516 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2276523Reviewed-by: Avi Drissman <avi@chromium.org> Reviewed-by: Mark Mentovai <mark@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#784391}

mac: Divide the entitlements into Chrome-specific and Chromium files.
This let the signing scripts work out-of-the-box with Chromium builds. The existing app-entitlements.plist file is split into two: in that file are all the entitlements that work with any signed build of the product, but the entitlements that are bound to the Google Chrome signing identity are moved into a new app-entitlements-chrome.plist. Bug: 1021255 Change-Id: I2aa04d5da1edcaaeeed50f3b70a86400e3aac516 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2276523Reviewed-by: Avi Drissman <avi@chromium.org> Reviewed-by: Mark Mentovai <mark@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#784391}
587c8026 · Robert Sesek · Commit Bot · 18c685d2 · 587c8026 · 587c8026
Commit 587c8026 authored Jul 01, 2020 by Robert Sesek Committed by Commit Bot Jul 01, 2020
4 changed files
--- a/chrome/BUILD.gn
+++ b/chrome/BUILD.gn
@@ -602,6 +602,11 @@ if (is_win) {
  compile_entitlements("entitlements") {
    entitlements_templates = [ "app/app-entitlements.plist" ]
+    if (is_chrome_branded) {
+      # These entitlements are bound to the official Google Chrome signing
+      # certificate and will not necessarily work in any other build.
+      entitlements_templates += [ "app/app-entitlements-chrome.plist" ]
+    }
    output_name = "$target_gen_dir/app-entitlements.plist"
    substitutions = [
      "CHROMIUM_BUNDLE_ID=$chrome_mac_bundle_id",

--- a/chrome/app/app-entitlements-chrome.plist
+++ b/chrome/app/app-entitlements-chrome.plist
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>${CHROMIUM_TEAM_ID}.${CHROMIUM_BUNDLE_ID}</string>
+	<key>keychain-access-groups</key>
+	<array>
+		<string>${CHROMIUM_TEAM_ID}.${CHROMIUM_BUNDLE_ID}.webauthn</string>
+	</array>
+	<key>com.apple.developer.associated-domains.applinks.read-write</key>
+	<true/>
+</dict>
+</plist>
--- a/chrome/app/app-entitlements.plist
+++ b/chrome/app/app-entitlements.plist
@@ -2,14 +2,6 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>com.apple.application-identifier</key>
-	<string>${CHROMIUM_TEAM_ID}.${CHROMIUM_BUNDLE_ID}</string>
-	<key>keychain-access-groups</key>
-	<array>
-		<string>${CHROMIUM_TEAM_ID}.${CHROMIUM_BUNDLE_ID}.webauthn</string>
-	</array>
-	<key>com.apple.developer.associated-domains.applinks.read-write</key>
-	<true/>
 	<key>com.apple.security.device.audio-input</key>
 	<true/>
 	<key>com.apple.security.device.bluetooth</key>

--- a/chrome/installer/mac/signing/README.md
+++ b/chrome/installer/mac/signing/README.md
@@ -26,18 +26,14 @@ that do not work without the official Google signing identity.
 ## Chromium
-The signing scripts do not work out-of-the-box with a Chromium build. Until
+There are slight differences between the official Google Chrome signed build and
-https://crbug.com/1021255 is fixed, in order to have a working (i.e.
+a development-signed Chromium build. Specifically, the entitlements will vary
-launch-able), signed Chromium:
+because the default
+[chrome/app/app-entitlements.plist](../../../app/app-entitlements.plist) omits
-1. Edit chrome/app/app-entitlements.plist and remove the following key/value
+[specific entitlements](../../../app/app-entitlements-chrome.plist) that are
-   pairs:
+tied to the official Google signing identity.
-   - `com.apple.application-identifier`
-   - `keychain-access-groups`
+In addition, the Chromium [code sign
-   - `com.apple.developer.associated-domains.applinks.read-write`
-2. Run `sign_chrome.py` as documented above.
-Note that the Chromium [code sign
 config](https://cs.chromium.org/chromium/src/chrome/installer/mac/signing/chromium_config.py)
 only produces one Distribution to sign just the .app. An
 `is_chrome_build=true` build produces several Distributions for the official
@@ -45,7 +41,9 @@ release system.
 ## Running Tests
-Simply run the wrapper script at
+The `signing` module is thoroughly unit-tested. When making changes to the
+signing scripts, please be sure to add new tests too. To run the tests, simply
+run the wrapper script at
 `//chrome/installer/mac/signing/run_mac_signing_tests.py`.
 You can pass `--coverage` or `-c` to show coverage information. To generate a