macOS Signing Scripts: Add an is_chrome_branded config property.

Use this to gate copying internal-only resources. Bug: 1021255 Change-Id: I66f6143df12f6eeaaa1c27249350105ba39a6178 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2023947Reviewed-by: Mark Mentovai <mark@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#735902}

macOS Signing Scripts: Add an is_chrome_branded config property.
Use this to gate copying internal-only resources. Bug: 1021255 Change-Id: I66f6143df12f6eeaaa1c27249350105ba39a6178 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2023947Reviewed-by: Mark Mentovai <mark@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#735902}
de707f33 · Robert Sesek · Commit Bot · ec26c0e4 · de707f33 · de707f33
Commit de707f33 authored Jan 28, 2020 by Robert Sesek Committed by Commit Bot Jan 28, 2020
8 changed files
--- a/chrome/installer/mac/BUILD.gn
+++ b/chrome/installer/mac/BUILD.gn
@@ -27,9 +27,16 @@ process_version_rc_template("sign_config") {
  _full_target_name = get_label_info(target_name, "label_no_toolchain")
  _file_path = rebase_path(template_file)
+  _local_chrome_branded = "False"
+  if (is_chrome_branded) {
+    _local_chrome_branded = "True"
+  }
  extra_args = [
    "-e",
    "GEN_HEADER=\"THIS FILE IS AUTOMATICALLY GENERATED BY $_full_target_name.\n# The original copy is at $_file_path.\n\"",
+    "-e",
+    "IS_CHROME_BRANDED=$_local_chrome_branded",
  ]
 }

--- a/chrome/installer/mac/sign_chrome.py
+++ b/chrome/installer/mac/sign_chrome.py
@@ -51,7 +51,7 @@ def create_config(config_args, development):
    except ImportError as e:
        # If the build specified Google Chrome as the product, then the
        # internal config has to be available.
-        if config_class(*config_args).product == 'Google Chrome':
+        if config_class.is_chrome_branded():
            raise e
    if development:

--- a/chrome/installer/mac/signing/README.md
+++ b/chrome/installer/mac/signing/README.md
@@ -35,8 +35,7 @@ launch-able), signed Chromium:
   - `com.apple.application-identifier`
   - `keychain-access-groups`
   - `com.apple.developer.associated-domains.applinks.read-write`
-2. `touch out/<outdir>/Chromium\ Packaging/keystone_install.sh`
+2. Run `sign_chrome.py` as documented above.
-3. Run `sign_chrome.py` as documented above.
 Note that the Chromium [code sign
 config](https://cs.chromium.org/chromium/src/chrome/installer/mac/signing/chromium_config.py)

--- a/chrome/installer/mac/signing/build_props_config.py.in
+++ b/chrome/installer/mac/signing/build_props_config.py.in
@@ -11,6 +11,10 @@ class BuildPropsCodeSignConfig(CodeSignConfig):
    properties from the branding and version data.
    """
+    @staticmethod
+    def is_chrome_branded():
+        return @IS_CHROME_BRANDED@
    @property
    def app_product(self):
        return '@PRODUCT_FULLNAME@'

--- a/chrome/installer/mac/signing/config.py
+++ b/chrome/installer/mac/signing/config.py
@@ -66,6 +66,16 @@ class CodeSignConfig(object):
        self._notary_password = notary_password
        self._notary_asc_provider = notary_asc_provider
+    @staticmethod
+    def is_chrome_branded():
+        """Returns True if the build is an official Google Chrome build and
+        should use Chrome-specific resources.
+        This is a @staticmethod and not a @property so that it can be tested
+        during the process of creating a CodeSignConfig object.
+        """
+        raise ConfigError('is_chrome_branded')
    @property
    def identity(self):
        """Returns the code signing identity that will be used to sign the

--- a/chrome/installer/mac/signing/pipeline.py
+++ b/chrome/installer/mac/signing/pipeline.py
@@ -340,7 +340,7 @@ def _package_dmg(paths, dist, config):
    # Don't put a name on the /Applications symbolic link because the same disk
    # image is used for all languages.
    # yapf: disable
-    commands.run_command([
+    pkg_dmg = [
        os.path.join(packaging_dir, 'pkg-dmg'),
        '--verbosity', '0',
        '--tempdir', paths.work,
@@ -348,19 +348,27 @@ def _package_dmg(paths, dist, config):
        '--target', dmg_path,
        '--format', 'UDBZ',
        '--volname', config.app_product,
-        '--icon', os.path.join(packaging_dir, icon_file),
        '--copy', '{}:/'.format(app_path),
-        '--copy',
-            '{}/keystone_install.sh:/.keystone_install'.format(packaging_dir),
-        '--mkdir', '.background',
-        '--copy',
-            '{}/chrome_dmg_background.png:/.background/background.png'.format(
-                packaging_dir),
-        '--copy', '{}/{}:/.DS_Store'.format(packaging_dir, dsstore_file),
        '--symlink', '/Applications:/ ',
-    ])
+    ]
    # yapf: enable
+    if config.is_chrome_branded():
+        # yapf: disable
+        pkg_dmg += [
+            '--icon', os.path.join(packaging_dir, icon_file),
+            '--copy',
+                '{}/keystone_install.sh:/.keystone_install'.format(packaging_dir),
+            '--mkdir', '.background',
+            '--copy',
+                '{}/chrome_dmg_background.png:/.background/background.png'.format(
+                    packaging_dir),
+            '--copy', '{}/{}:/.DS_Store'.format(packaging_dir, dsstore_file),
+        ]
+        # yapf: enable
+    commands.run_command(pkg_dmg)
    return dmg_path
@@ -375,13 +383,14 @@ def _package_installer_tools(paths, config):
    DIFF_TOOLS = 'diff_tools'
    tools_to_sign = signing.get_installer_tools(config)
+    chrome_tools = (
+        'keystone_install.sh',) if config.is_chrome_branded() else ()
    other_tools = (
        'dirdiffer.sh',
        'dirpatcher.sh',
        'dmgdiffer.sh',
-        'keystone_install.sh',
        'pkg-dmg',
-    )
+    ) + chrome_tools
    with commands.WorkDirectory(paths) as paths:
        diff_tools_dir = os.path.join(paths.work, DIFF_TOOLS)

--- a/chrome/installer/mac/signing/pipeline_test.py
+++ b/chrome/installer/mac/signing/pipeline_test.py
@@ -550,6 +550,29 @@ framework dir is 'App Product.app/Contents/Frameworks/Product Framework.framewor
                '$I/Product Packaging/chrome_canary_dmg_dsstore:/.DS_Store'
            ]))
+    def test_package_dmg_no_customize_not_chrome(self, **kwargs):
+        dist = model.Distribution()
+        config = test_config.TestConfigNonChromeBranded()
+        paths = self.paths.replace_work('$W')
+        dmg_path = pipeline._package_dmg(paths, dist, config)
+        self.assertEqual('$O/AppProduct-99.0.9999.99.dmg', dmg_path)
+        pkg_dmg_args = kwargs['run_command'].mock_calls[0][1][0]
+        self.assertEqual(dmg_path, _get_adjacent_item(pkg_dmg_args, '--target'))
+        self.assertEqual('App Product',
+                         _get_adjacent_item(pkg_dmg_args, '--volname'))
+        self.assertEqual('$W/empty', _get_adjacent_item(pkg_dmg_args,
+                                                        '--source'))
+        copy_specs = [
+            pkg_dmg_args[i + 1]
+            for i, arg in enumerate(pkg_dmg_args)
+            if arg == '--copy'
+        ]
+        self.assertEqual(set(copy_specs), set(['$W/App Product.app:/']))
    def test_package_installer_tools(self, **kwargs):
        manager = mock.Mock()
        for attr in kwargs:
@@ -616,6 +639,36 @@ framework dir is 'App Product.app/Contents/Frameworks/Product Framework.framewor
        self.assertEqual(set(signed_files), files_to_sign)
        self.assertEqual(set(verified_files), files_to_sign)
+    def test_package_installer_tools_not_chrome(self, **kwargs):
+        manager = mock.Mock()
+        for attr in kwargs:
+            manager.attach_mock(kwargs[attr], attr)
+        config = test_config.TestConfigNonChromeBranded()
+        pipeline._package_installer_tools(self.paths, config)
+        files_to_copy = set([
+            'goobspatch',
+            'liblzma_decompress.dylib',
+            'goobsdiff',
+            'xz',
+            'xzdec',
+            'dirdiffer.sh',
+            'dirpatcher.sh',
+            'dmgdiffer.sh',
+            'pkg-dmg',
+        ])
+        copied_files = []
+        for call in manager.mock_calls:
+            if call[0] == 'copy_files':
+                args = call[1]
+                self.assertTrue(args[0].startswith('$I/Product Packaging/'))
+                self.assertEqual('$W_1/diff_tools', args[1])
+                copied_files.append(os.path.basename(args[0]))
+        self.assertEqual(len(copied_files), len(files_to_copy))
+        self.assertEqual(set(copied_files), files_to_copy)
 @mock.patch.multiple(
    'signing.commands', **{

--- a/chrome/installer/mac/signing/test_config.py
+++ b/chrome/installer/mac/signing/test_config.py
@@ -17,6 +17,10 @@ class TestConfig(config.CodeSignConfig):
              self).__init__(identity, installer_identity, notary_user,
                             notary_password, notary_asc_provider)
+    @staticmethod
+    def is_chrome_branded():
+        return True
    @property
    def app_product(self):
        return 'App Product'
@@ -40,3 +44,10 @@ class TestConfig(config.CodeSignConfig):
    @property
    def run_spctl_assess(self):
        return True
+class TestConfigNonChromeBranded(TestConfig):
+    @staticmethod
+    def is_chrome_branded():
+        return False