macOS Signing Scripts: Delete the old scripts.

Bug: 958163 Change-Id: I356398a77cee42c71ccc6c722523b832a0b9d649 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1610639Reviewed-by: Mark Mentovai <mark@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#659151}

macOS Signing Scripts: Delete the old scripts.
Bug: 958163 Change-Id: I356398a77cee42c71ccc6c722523b832a0b9d649 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1610639Reviewed-by: Mark Mentovai <mark@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#659151}
6bb62be5 · Robert Sesek · Commit Bot · 69ee994e · 6bb62be5 · 6bb62be5
Commit 6bb62be5 authored May 13, 2019 by Robert Sesek Committed by Commit Bot May 13, 2019
6 changed files
--- a/chrome/installer/mac/BUILD.gn
+++ b/chrome/installer/mac/BUILD.gn
@@ -23,22 +23,14 @@ action("make_signers") {
  script = "//build/gn_run_binary.py"
  shell_script = "//chrome/installer/mac/make_signers.sh"
-  deps = [
-    ":copy_variables",
-  ]
  inputs = [
    script,
    shell_script,
-    "sign_app.sh.in",
-    "sign_versioned_dir.sh.in",
    "app_resource_rules.plist.in",
    "//chrome/VERSION",
  ]
  outputs = [
-    "$_packaging_dir/sign_app.sh",
-    "$_packaging_dir/sign_versioned_dir.sh",
    "$_packaging_dir/app_resource_rules.plist",
  ]
@@ -50,19 +42,6 @@ action("make_signers") {
  ]
 }
-copy("copy_variables") {
-  visibility = [
-    ":make_signers",
-    ":copies",
-  ]
-  sources = [
-    "variables.sh",
-  ]
-  outputs = [
-    "$_packaging_dir/{{source_file_part}}",
-  ]
-}
 process_version_rc_template("sign_config") {
  visibility = [ ":copy_signing" ]
@@ -111,7 +90,6 @@ copy("copies") {
  deps = [
    ":copy_signing",
-    ":copy_variables",
    "//chrome:entitlements",
    "//chrome/installer/mac/third_party/bsdiff:goobsdiff",
    "//chrome/installer/mac/third_party/bsdiff:goobspatch",
@@ -132,7 +110,6 @@ copy("copies") {
    "dmgdiffer.sh",
    "pkg-dmg",
    "sign_chrome.py",
-    "sign_installer_tools.sh",
  ]
  if (is_chrome_branded) {
@@ -150,8 +127,6 @@ copy("copies") {
      "internal/chrome_dmg_background.png",
      "internal/chrome_dmg_dsstore",
      "internal/chrome_dmg_icon.icns",
-      "internal/generate_dmgs",
-      "internal/signing_common.sh",
    ]
  }

--- a/chrome/installer/mac/make_signers.sh
+++ b/chrome/installer/mac/make_signers.sh
@@ -38,8 +38,6 @@ version="${3}"
 script_dir="$(dirname "${0}")"
 in_files=(
-  "${script_dir}/sign_app.sh.in"
-  "${script_dir}/sign_versioned_dir.sh.in"
  "${script_dir}/app_resource_rules.plist.in"
 )

--- a/chrome/installer/mac/sign_app.sh.in
+++ b/chrome/installer/mac/sign_app.sh.in
-#!/bin/bash -p
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-# Using codesign, sign the application. After signing, the signatures on the
-# inner bundle components are verified, and the application's own signature is
-# verified. Inner bundle components are expected to be signed before this
-# script is called. See sign_versioned_dir.sh.in.
-set -eux
-# Environment sanitization. Set a known-safe PATH. Clear environment variables
-# that might impact the interpreter's operation. The |bash -p| invocation
-# on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
-# other features), but clearing them here ensures that they won't impact any
-# shell scripts used as utility programs. SHELLOPTS is read-only and can't be
-# unset, only unexported.
-export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
-unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
-export -n SHELLOPTS
-ME="$(basename "${0}")"
-readonly ME
-# Note that |is_development| is tested for string length, not value.
-is_development=
-if [[ ${#} -eq 4 || ${#} -eq 6 ]]; then
-  app_path="${1}"
-  codesign_keychain="${2}"
-  codesign_id="${3}"
-  if [[ "${4}" == "--development" || "${6}" == "--development" ]]; then
-    is_development=1
-  fi
-elif [[ ${#} -ne 5 ]]; then
-  echo "usage: ${ME} app_path codesign_keychain codesign_id \
-provisioning_profile entitlements_plist" >& 2
-  exit 1
-else
-  app_path="${1}"
-  codesign_keychain="${2}"
-  codesign_id="${3}"
-  provisioning_profile="${4}"
-  entitlements_plist="${5}"
-fi
-script_dir="$(dirname "${0}")"
-source "${script_dir}/variables.sh"
-# Use custom resource rules for the browser application.
-browser_app_rules="${script_dir}/app_resource_rules.plist"
-contents_dir="${app_path}/Contents"
-versioned_dir="${contents_dir}/Versions/@VERSION@"
-browser_app="${app_path}"
-framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
-notification_service="${framework}/XPCServices/AlertNotificationService.xpc"
-crashpad_handler="${framework}/Helpers/chrome_crashpad_handler"
-helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
-app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
-app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
-libraries_dir="${framework}/Libraries"
-libraries=(
-  "${libraries_dir}/libEGL.dylib"
-  "${libraries_dir}/libGLESv2.dylib"
-  "${libraries_dir}/libswiftshader_libEGL.dylib"
-  "${libraries_dir}/libswiftshader_libGLESv2.dylib"
-  "${libraries_dir}/WidevineCdm/_platform_specific/mac_x64/libwidevinecdm.dylib"
-)
-# Embed the supplied provisioning profile.
-if [[ -z "${is_development}" ]]; then
-  cp "${provisioning_profile}" "${contents_dir}/embedded.provisionprofile"
-fi
-requirement="\
-designated => \
-(identifier \"com.google.Chrome\" or \
-identifier \"com.google.Chrome.beta\" or \
-identifier \"com.google.Chrome.dev\" or \
-identifier \"com.google.Chrome.canary\") \
-${requirement_suffix} \
-"
-codesign_cmd=(
-  codesign --sign "${codesign_id}" --keychain "${codesign_keychain}"
-  "${browser_app}"
-  --options "${enforcement_flags_app}"
-  --resource-rules "${browser_app_rules}"
-)
-if [[ -z "${is_development}" ]]; then
-  codesign_cmd+=(--entitlements="${entitlements_plist}")
-  codesign_cmd+=( -r="${requirement}" )
-fi
-"${codesign_cmd[@]}"
-# Show the signature.
-codesign --display --verbose=5 -r- "${browser_app}"
-# Verify everything. Check the framework and helper apps to make sure that the
-# signatures are present and weren't altered by the signing process. Use
-# --ignore-resources on the app mode loader because its signature only covers
-# the main executable, not its containing .app bundle. Use --no-strict to
-# verify items that use custom resource rules:
-#  - The outermost brrowser .app
-#  - The inner .framework, which has a nested component that uses them.
-codesign --verify --verbose=6 --deep --no-strict "${browser_app}"
-codesign --verify --verbose=6 --deep "${crashpad_handler}"
-codesign --verify --verbose=6 --ignore-resources "${app_mode_loader}"
-codesign --verify --verbose=6 --deep "${notification_service}"
-# Check the framework twice: once deep with no-strict, and once shallow with
-# strict verification.
-codesign --verify --verbose=6 --deep --no-strict "${framework}"
-codesign --verify --verbose=6 --strict "${framework}"
-codesign --verify --verbose=6 --deep "${helper_app}"
-for library in "${libraries[@]}"; do
-  if [ -f "${library}" ]; then
-    codesign --verify --verbose=6 --deep "${library}"
-  fi
-done
-# Verify with spctl, which uses the same rules that Gatekeeper does for
-# validation. This is unreliable on 10.11 where syspolicyd caches assessments
-# and becomes confused when a bundle's CFExecutableName changes
-# (https://openradar.appspot.com/23614087), so verify a copy at a unique path.
-if [[ -z "${is_development}" ]]; then
-  temp_dir="$(mktemp -d -t "$(basename "${0}")")"
-  cleanup() {
-    set +e
-    rm -rf "${temp_dir}"
-  }
-  trap cleanup EXIT
-  temp_browser_app="${temp_dir}/$(basename "${browser_app}")"
-  rsync -a "${browser_app}/" "${temp_browser_app}"
-  spctl --assess -vv "${temp_browser_app}"
-fi
--- a/chrome/installer/mac/sign_installer_tools.sh
+++ b/chrome/installer/mac/sign_installer_tools.sh
-#!/bin/bash -p
-# Copyright 2015 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-# Using codesign, sign the installer tools. After signing, the signatures are
-# verified.
-set -eu
-# Environment sanitization. Set a known-safe PATH. Clear environment variables
-# that might impact the interpreter's operation. The |bash -p| invocation
-# on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
-# other features), but clearing them here ensures that they won't impact any
-# shell scripts used as utility programs. SHELLOPTS is read-only and can't be
-# unset, only unexported.
-export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
-unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
-export -n SHELLOPTS
-ME="$(basename "${0}")"
-readonly ME
-if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
-  echo "usage: ${ME} packaging_dir codesign_keychain codesign_id \
-[--development]" >& 2
-  exit 1
-fi
-packaging_dir="${1}"
-codesign_keychain="${2}"
-codesign_id="${3}"
-is_development=
-if [[ ${#} == 4 && ${4} == "--development" ]]; then
-  is_development=1
-fi
-script_dir="$(dirname "${0}")"
-source "${script_dir}/variables.sh"
-executables=(goobspatch xzdec)
-libraries=(liblzma_decompress.dylib)
-declare -a everything
-for executable in "${executables[@]}"; do
-  sign_path="${packaging_dir}/${executable}"
-  everything+=("${sign_path}")
-  codesign_cmd=(
-    codesign --sign "${codesign_id}" --keychain "${codesign_keychain}"
-    "${sign_path}" --options "${enforcement_flags_installer_tools}"
-  )
-  if [[ -z "${is_development}" ]]; then
-    requirement="designated => identifier \"${executable}\" \
-${requirement_suffix}"
-    codesign_cmd+=( -r="${requirement}" )
-  fi
-  "${codesign_cmd[@]}"
-done
-for library in "${libraries[@]}"; do
-  sign_path="${packaging_dir}/${library}"
-  everything+=("${sign_path}")
-  codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
-      "${sign_path}"
-done
-for sign_path in "${everything[@]}"; do
-  codesign --verify --deep -vvvvvv "${sign_path}"
-done
--- a/chrome/installer/mac/sign_versioned_dir.sh.in
+++ b/chrome/installer/mac/sign_versioned_dir.sh.in
-#!/bin/bash -p
-# Copyright (c) 2012 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-# Using codesign, sign the contents of the versioned directory. Namely, this
-# includes the framework and helper app. After signing, the signatures are
-# verified.
-set -eu
-# Environment sanitization. Set a known-safe PATH. Clear environment variables
-# that might impact the interpreter's operation. The |bash -p| invocation
-# on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
-# other features), but clearing them here ensures that they won't impact any
-# shell scripts used as utility programs. SHELLOPTS is read-only and can't be
-# unset, only unexported.
-export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
-unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
-export -n SHELLOPTS
-ME="$(basename "${0}")"
-readonly ME
-script_dir="$(dirname "${0}")"
-source "${script_dir}/variables.sh"
-codesign_display_and_verify() {
-  args=("${@}")
-  path=${args[0]}
-  # --verbose can go up to 6 for --display, but that just shows the hash of each
-  # ordinary page in the executable, which is more noise than anything else.
-  codesign --display --verbose=5 -r- "${path}"
-  codesign --verify --verbose=6 "${args[@]:1}" "${path}"
-}
-if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
-  echo "usage: ${ME} app_path codesign_keychain codesign_id \
-[--development]" >& 2
-  exit 1
-fi
-app_path="${1}"
-codesign_keychain="${2}"
-codesign_id="${3}"
-is_development=
-if [[ ${#} == 4 && ${4} == "--development" ]]; then
-  is_development=1
-fi
-codesign_with_options() {
-  path=${1}
-  options=${2}
-  requirement_identifier=${3}
-  codesign_cmd=(
-    codesign --sign "${codesign_id}" --keychain "${codesign_keychain}"
-    "${path}"
-  )
-  if [[ "${requirement_identifier}" = "app_mode_loader" ]]; then
-    codesign_cmd+=( --identifier "${requirement_identifier}" )
-  fi
-  if [[ -n "${options}" ]]; then
-    codesign_cmd+=( --options "${options}" )
-  fi
-  if [[ -z "${is_development}" ]]; then
-    requirement="designated => identifier \"${requirement_identifier}\" \
-${requirement_suffix}"
-    codesign_cmd+=( -r="${requirement}" )
-  fi
-  "${codesign_cmd[@]}"
-}
-versioned_dir="${app_path}/Contents/Versions/@VERSION@"
-# To sign an .app bundle that contains nested code, the nested components
-# themselves must be signed. Each of these components is signed below. Note
-# that unless a framework has multiple versions (which is discouraged), signing
-# the entire framework is equivalent to signing the Current version.
-# https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG13
-framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
-notification_service="${framework}/XPCServices/AlertNotificationService.xpc"
-crashpad_handler="${framework}/Helpers/chrome_crashpad_handler"
-helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
-app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
-app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
-libraries_dir="${framework}/Libraries"
-libraries=(
-  "${libraries_dir}/libEGL.dylib"
-  "${libraries_dir}/libGLESv2.dylib"
-  "${libraries_dir}/libswiftshader_libEGL.dylib"
-  "${libraries_dir}/libswiftshader_libGLESv2.dylib"
-  "${libraries_dir}/WidevineCdm/_platform_specific/mac_x64/libwidevinecdm.dylib"
-)
-codesign_with_options "${crashpad_handler}" \
-                      "${enforcement_flags_helpers}" \
-                      "chrome_crashpad_handler"
-# The app mode loader bundle is modified dynamically at runtime. Just sign the
-# executable, which shouldn't change. In order to do this, the executable needs
-# to be copied out of the bundle, signed, and then copied back in. The resulting
-# bundle's signature won't validate normally, but if the executable file is
-# verified in isolation or with --ignore-resources, it will.
-app_mode_loader_tmp="$(mktemp -t app_mode_loader)"
-cp "${app_mode_loader}" "${app_mode_loader_tmp}"
-codesign_with_options "${app_mode_loader_tmp}" \
-                      "${enforcement_flags_helpers}" \
-                      "app_mode_loader"
-cp "${app_mode_loader_tmp}" "${app_mode_loader}"
-rm -f "${app_mode_loader_tmp}"
-xpc_plist="${notification_service}/Contents/Info"
-xpc_bundle_id="$(__CFPREFERENCES_AVOID_DAEMON=1 defaults read \
-    "${xpc_plist}" "CFBundleIdentifier")"
-codesign_with_options "${notification_service}" \
-                      "${enforcement_flags_helpers}" \
-                      "${xpc_bundle_id}"
-# Sign the other Libraries. Some of these could be missing, if they are
-# excluded from the build via GN args, so do test for their presence first.
-for library in "${libraries[@]}"; do
-  if [ -f "${library}" ]; then
-    # No ${enforcement_flags_helpers} since they only apply to executables.
-    codesign_with_options "${library}" "" "$(basename "$library" .dylib)"
-  fi
-done
-# The framework is a dylib, so ${enforcement_flags_helpers} are meaningless.
-codesign_with_options "${framework}" "" "com.google.Chrome.framework"
-codesign_with_options "${helper_app}" \
-                      "${enforcement_flags_app}" \
-                      "com.google.Chrome.helper"
-codesign_display_and_verify "${crashpad_handler}" --deep
-codesign_display_and_verify "${app_mode_loader}" --ignore-resources
-codesign_display_and_verify "${notification_service}" --deep
-# The framework contains KeystoneRegistration.framework, which uses
-# custom resource rules, so use --no-strict to verify.
-codesign_display_and_verify "${framework}" --deep --no-strict
-codesign_display_and_verify "${framework}" --strict
-codesign_display_and_verify "${helper_app}" --deep
-for library in "${libraries[@]}"; do
-  if [ -f "${library}" ]; then
-    codesign_display_and_verify "${library}" --deep
-  fi
-done
--- a/chrome/installer/mac/variables.sh
+++ b/chrome/installer/mac/variables.sh
-# Copyright 2017 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-# This signs the main app and helper executable, and enables "rootless"
-# protections. The main app does not use library validation because it has to
-# load Flash player, plugins, etc.
-enforcement_flags_app="restrict"
-# All the helpers (crashpad, app_mode_loader, etc.), run under library
-# validation as they should not run any code not signed by Google.
-enforcement_flags_helpers="${enforcement_flags_app},library"
-# The installer tools are signed with the kill bit as well, as they run on
-# signing machines and should never be modified.
-enforcement_flags_installer_tools="${enforcement_flags_helpers},kill"
-# The designated requirement suffix used when signing Chrome's binaries. It
-# contains the hash of the certificate used to sign Chrome. When transitioning
-# signing certs, this may include the hash of both the old and new certificate.
-requirement_suffix="\
-and certificate leaf = H\"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a\" \
-"