//chrome/installer/mac: add entitlements during code signing

This changes sign_app.sh to take a provisioning profile path as an
argument, which it will copy into the app bundle Content/ directory. It
then signs the app with --entitlements pointing at a newly created
entitlements.plist file, in order to grant the keychain-access-group
entitlement.

The entitlement is needed to create and access cryptographic key
material in the Secure Enclave Processor (SEP) on compatible macOS
devices.

Bug: 848052
Change-Id: Ib002fc73d250409e555f4caee8848a2c3e95e591
Reviewed-on: https://chromium-review.googlesource.com/1079833
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Nico Weber <thakis@chromium.org>
Reviewed-by: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#565027}

build/util/branding.gni

@@ -20,7 +20,8 @@ _branding_dictionary_template =
     "bundle_id = \"@MAC_BUNDLE_ID@\" " +
     "creator_code = \"@MAC_CREATOR_CODE@\" " +
     "installer_full_name = \"@PRODUCT_INSTALLER_FULLNAME@\" " +
-    "installer_short_name = \"@PRODUCT_INSTALLER_SHORTNAME@\" "
+    "installer_short_name = \"@PRODUCT_INSTALLER_SHORTNAME@\" " +
+    "team_id = \"@MAC_TEAM_ID@\" "
 
 _branding_file = "//chrome/app/theme/$branding_path_component/BRANDING"
 _result = exec_script("version.py",
@@ -41,4 +42,5 @@ chrome_product_installer_short_name = _result.installer_short_name
 if (is_mac) {
   chrome_mac_bundle_id = _result.bundle_id
   chrome_mac_creator_code = _result.creator_code
+  chrome_mac_team_id = _result.team_id
 }

chrome/BUILD.gn

@@ -33,6 +33,7 @@ if (is_android) {
   import("//build/linux/extract_symbols.gni")
 } else if (is_mac) {
   import("//build/compiled_action.gni")
+  import("//build/config/mac/base_rules.gni")
   import("//build/config/mac/rules.gni")
   import("//build/config/mac/symbols.gni")
   import("//build/mac/tweak_info_plist.gni")
@@ -796,6 +797,16 @@ if (is_win) {
     ]
   }
 
+  compile_entitlements("entitlements") {
+    entitlements_templates = [ "app/entitlements.plist" ]
+    output_name = "$target_gen_dir/entitlements.plist"
+    substitutions = [
+      "CHROMIUM_BUNDLE_ID=$chrome_mac_bundle_id",
+      "CHROMIUM_TEAM_ID=$chrome_mac_team_id",
+    ]
+    visibility = [ "//chrome/installer/mac:copies" ]
+  }
+
   mac_app_bundle("chrome_helper_app") {
     output_name = chrome_helper_name
 

chrome/app/entitlements.plist

+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>${CHROMIUM_TEAM_ID}.${CHROMIUM_BUNDLE_ID}</string>
+	<key>keychain-access-groups</key>
+	<array>
+		<string>${CHROMIUM_TEAM_ID}.${CHROMIUM_BUNDLE_ID}.webauthn</string>
+	</array>
+</dict>
+</plist>

chrome/app/theme/chromium/BRANDING

@@ -7,3 +7,4 @@ PRODUCT_INSTALLER_SHORTNAME=Chromium Installer
 COPYRIGHT=Copyright 2017 The Chromium Authors. All rights reserved.
 MAC_BUNDLE_ID=org.chromium.Chromium
 MAC_CREATOR_CODE=Cr24
+MAC_TEAM_ID=

chrome/installer/mac/BUILD.gn

@@ -5,6 +5,7 @@
 import("//build/util/branding.gni")
 import("//build/util/version.gni")
 import("//build/config/features.gni")
+import("//build/config/mac/base_rules.gni")
 
 group("mac") {
   public_deps = [
@@ -71,6 +72,7 @@ copy("copies") {
 
   deps = [
     ":copy_variables",
+    "//chrome:entitlements",
     "//chrome/installer/mac/third_party/bsdiff:goobsdiff",
     "//chrome/installer/mac/third_party/bsdiff:goobspatch",
     "//chrome/installer/mac/third_party/xz:lzma_decompress",
@@ -79,6 +81,7 @@ copy("copies") {
   ]
 
   sources = [
+    "$root_gen_dir/chrome/entitlements.plist",
     "$root_out_dir/goobsdiff",
     "$root_out_dir/goobspatch",
     "$root_out_dir/liblzma_decompress.dylib",
@@ -99,6 +102,8 @@ copy("copies") {
     sources += [
       "//chrome/app/theme/google_chrome/mac/app_canary.icns",
       "//chrome/app/theme/google_chrome/mac/document_canary.icns",
+      "internal/Google_Chrome.provisionprofile",
+      "internal/Google_Chrome_Canary.provisionprofile",
       "internal/chrome_canary_dmg_dsstore",
       "internal/chrome_canary_dmg_icon.icns",
       "internal/chrome_dmg_background.png",

chrome/installer/mac/sign_app.sh.in

@@ -24,18 +24,20 @@ export -n SHELLOPTS
 ME="$(basename "${0}")"
 readonly ME
 
-if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
+if [[ ${#} -ne 5 && ${#} -ne 6 ]]; then
   echo "usage: ${ME} app_path codesign_keychain codesign_id \
-[--development]" >& 2
+provisioning_profile entitlements_plist [--development]" >& 2
   exit 1
 fi
 
 app_path="${1}"
 codesign_keychain="${2}"
 codesign_id="${3}"
+provisioning_profile="${4}"
+entitlements_plist="${5}"
 is_development=
 
-if [[ ${#} == 4 && "${4}" == "--development" ]]; then
+if [[ ${#} == 6 && "${6}" == "--development" ]]; then
   is_development=1
 fi
 
@@ -45,7 +47,8 @@ source "${script_dir}/variables.sh"
 # Use custom resource rules for the browser application.
 browser_app_rules="${script_dir}/app_resource_rules.plist"
 
-versioned_dir="${app_path}/Contents/Versions/@VERSION@"
+contents_dir="${app_path}/Contents"
+versioned_dir="${contents_dir}/Versions/@VERSION@"
 
 browser_app="${app_path}"
 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
@@ -55,6 +58,9 @@ helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
 app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
 
+# Embed the supplied provisioning profile.
+cp ${provisioning_profile} "${contents_dir}/embedded.mobileprovision"
+
 requirement="\
 designated => \
 (identifier \"com.google.Chrome\" or \
@@ -69,6 +75,7 @@ codesign_cmd=(
   "${browser_app}"
   --options "${enforcement_flags_app}"
   --resource-rules "${browser_app_rules}"
+  --entitlements "${entitlements_plist}"
 )
 if [[ -z "${is_development}" ]]; then
   codesign_cmd+=( -r="${requirement}" )