macOS Signing Scripts: Add an is_chrome_branded config property.

Use this to gate copying internal-only resources.

Bug: 1021255
Change-Id: I66f6143df12f6eeaaa1c27249350105ba39a6178
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2023947Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#735902}

chrome/installer/mac/BUILD.gn

@@ -27,9 +27,16 @@ process_version_rc_template("sign_config") {
   _full_target_name = get_label_info(target_name, "label_no_toolchain")
   _file_path = rebase_path(template_file)
 
+  _local_chrome_branded = "False"
+  if (is_chrome_branded) {
+    _local_chrome_branded = "True"
+  }
+
   extra_args = [
     "-e",
     "GEN_HEADER=\"THIS FILE IS AUTOMATICALLY GENERATED BY $_full_target_name.\n# The original copy is at $_file_path.\n\"",
+    "-e",
+    "IS_CHROME_BRANDED=$_local_chrome_branded",
   ]
 }
 

chrome/installer/mac/sign_chrome.py

@@ -51,7 +51,7 @@ def create_config(config_args, development):
     except ImportError as e:
         # If the build specified Google Chrome as the product, then the
         # internal config has to be available.
-        if config_class(*config_args).product == 'Google Chrome':
+        if config_class.is_chrome_branded():
             raise e
 
     if development:

chrome/installer/mac/signing/README.md

@@ -35,8 +35,7 @@ launch-able), signed Chromium:
    - `com.apple.application-identifier`
    - `keychain-access-groups`
    - `com.apple.developer.associated-domains.applinks.read-write`
-2. `touch out/<outdir>/Chromium\ Packaging/keystone_install.sh`
-3. Run `sign_chrome.py` as documented above.
+2. Run `sign_chrome.py` as documented above.
 
 Note that the Chromium [code sign
 config](https://cs.chromium.org/chromium/src/chrome/installer/mac/signing/chromium_config.py)

chrome/installer/mac/signing/build_props_config.py.in

@@ -11,6 +11,10 @@ class BuildPropsCodeSignConfig(CodeSignConfig):
     properties from the branding and version data.
     """
 
+    @staticmethod
+    def is_chrome_branded():
+        return @IS_CHROME_BRANDED@
+
     @property
     def app_product(self):
         return '@PRODUCT_FULLNAME@'

chrome/installer/mac/signing/config.py

@@ -66,6 +66,16 @@ class CodeSignConfig(object):
         self._notary_password = notary_password
         self._notary_asc_provider = notary_asc_provider
 
+    @staticmethod
+    def is_chrome_branded():
+        """Returns True if the build is an official Google Chrome build and
+        should use Chrome-specific resources.
+
+        This is a @staticmethod and not a @property so that it can be tested
+        during the process of creating a CodeSignConfig object.
+        """
+        raise ConfigError('is_chrome_branded')
+
     @property
     def identity(self):
         """Returns the code signing identity that will be used to sign the

chrome/installer/mac/signing/pipeline.py

@@ -340,7 +340,7 @@ def _package_dmg(paths, dist, config):
     # Don't put a name on the /Applications symbolic link because the same disk
     # image is used for all languages.
     # yapf: disable
-    commands.run_command([
+    pkg_dmg = [
         os.path.join(packaging_dir, 'pkg-dmg'),
         '--verbosity', '0',
         '--tempdir', paths.work,
@@ -348,19 +348,27 @@ def _package_dmg(paths, dist, config):
         '--target', dmg_path,
         '--format', 'UDBZ',
         '--volname', config.app_product,
-        '--icon', os.path.join(packaging_dir, icon_file),
         '--copy', '{}:/'.format(app_path),
-        '--copy',
-            '{}/keystone_install.sh:/.keystone_install'.format(packaging_dir),
-        '--mkdir', '.background',
-        '--copy',
-            '{}/chrome_dmg_background.png:/.background/background.png'.format(
-                packaging_dir),
-        '--copy', '{}/{}:/.DS_Store'.format(packaging_dir, dsstore_file),
         '--symlink', '/Applications:/ ',
-    ])
+    ]
     # yapf: enable
 
+    if config.is_chrome_branded():
+        # yapf: disable
+        pkg_dmg += [
+            '--icon', os.path.join(packaging_dir, icon_file),
+            '--copy',
+                '{}/keystone_install.sh:/.keystone_install'.format(packaging_dir),
+            '--mkdir', '.background',
+            '--copy',
+                '{}/chrome_dmg_background.png:/.background/background.png'.format(
+                    packaging_dir),
+            '--copy', '{}/{}:/.DS_Store'.format(packaging_dir, dsstore_file),
+        ]
+        # yapf: enable
+
+    commands.run_command(pkg_dmg)
+
     return dmg_path
 
 
@@ -375,13 +383,14 @@ def _package_installer_tools(paths, config):
     DIFF_TOOLS = 'diff_tools'
 
     tools_to_sign = signing.get_installer_tools(config)
+    chrome_tools = (
+        'keystone_install.sh',) if config.is_chrome_branded() else ()
     other_tools = (
         'dirdiffer.sh',
         'dirpatcher.sh',
         'dmgdiffer.sh',
-        'keystone_install.sh',
         'pkg-dmg',
-    )
+    ) + chrome_tools
 
     with commands.WorkDirectory(paths) as paths:
         diff_tools_dir = os.path.join(paths.work, DIFF_TOOLS)

chrome/installer/mac/signing/pipeline_test.py

@@ -550,6 +550,29 @@ framework dir is 'App Product.app/Contents/Frameworks/Product Framework.framewor
                 '$I/Product Packaging/chrome_canary_dmg_dsstore:/.DS_Store'
             ]))
 
+    def test_package_dmg_no_customize_not_chrome(self, **kwargs):
+        dist = model.Distribution()
+        config = test_config.TestConfigNonChromeBranded()
+        paths = self.paths.replace_work('$W')
+
+        dmg_path = pipeline._package_dmg(paths, dist, config)
+        self.assertEqual('$O/AppProduct-99.0.9999.99.dmg', dmg_path)
+
+        pkg_dmg_args = kwargs['run_command'].mock_calls[0][1][0]
+
+        self.assertEqual(dmg_path, _get_adjacent_item(pkg_dmg_args, '--target'))
+        self.assertEqual('App Product',
+                         _get_adjacent_item(pkg_dmg_args, '--volname'))
+        self.assertEqual('$W/empty', _get_adjacent_item(pkg_dmg_args,
+                                                        '--source'))
+
+        copy_specs = [
+            pkg_dmg_args[i + 1]
+            for i, arg in enumerate(pkg_dmg_args)
+            if arg == '--copy'
+        ]
+        self.assertEqual(set(copy_specs), set(['$W/App Product.app:/']))
+
     def test_package_installer_tools(self, **kwargs):
         manager = mock.Mock()
         for attr in kwargs:
@@ -616,6 +639,36 @@ framework dir is 'App Product.app/Contents/Frameworks/Product Framework.framewor
         self.assertEqual(set(signed_files), files_to_sign)
         self.assertEqual(set(verified_files), files_to_sign)
 
+    def test_package_installer_tools_not_chrome(self, **kwargs):
+        manager = mock.Mock()
+        for attr in kwargs:
+            manager.attach_mock(kwargs[attr], attr)
+
+        config = test_config.TestConfigNonChromeBranded()
+        pipeline._package_installer_tools(self.paths, config)
+
+        files_to_copy = set([
+            'goobspatch',
+            'liblzma_decompress.dylib',
+            'goobsdiff',
+            'xz',
+            'xzdec',
+            'dirdiffer.sh',
+            'dirpatcher.sh',
+            'dmgdiffer.sh',
+            'pkg-dmg',
+        ])
+        copied_files = []
+        for call in manager.mock_calls:
+            if call[0] == 'copy_files':
+                args = call[1]
+                self.assertTrue(args[0].startswith('$I/Product Packaging/'))
+                self.assertEqual('$W_1/diff_tools', args[1])
+                copied_files.append(os.path.basename(args[0]))
+
+        self.assertEqual(len(copied_files), len(files_to_copy))
+        self.assertEqual(set(copied_files), files_to_copy)
+
 
 @mock.patch.multiple(
     'signing.commands', **{

chrome/installer/mac/signing/test_config.py

@@ -17,6 +17,10 @@ class TestConfig(config.CodeSignConfig):
               self).__init__(identity, installer_identity, notary_user,
                              notary_password, notary_asc_provider)
 
+    @staticmethod
+    def is_chrome_branded():
+        return True
+
     @property
     def app_product(self):
         return 'App Product'
@@ -40,3 +44,10 @@ class TestConfig(config.CodeSignConfig):
     @property
     def run_spctl_assess(self):
         return True
+
+
+class TestConfigNonChromeBranded(TestConfig):
+
+    @staticmethod
+    def is_chrome_branded():
+        return False