Reland "chrome/installer/mac: set -x in sign_app and fix unquoted var…

…iable expansion" and "//chrome/installer/mac: add entitlements during code signing" with a fix. This reverts commit e25c04d and relands commits a221822 and b69d8c4 Adds the following changes: (1) In chrome/installer/mac/sign_app.sh.in l62, embed the provisioning profile as "embedded.provisionprofile", rather than "embedded.mobileprovision" (suspected root cause for crbug.com/850890). (2) Update DEPS to roll the corresponding reland from chrome/installer/mac/internal. Bug: 850890, 848052 Change-Id: I3f2134a5d587ec6c3c6e223ec7ef5283a9bece30 Reviewed-on: https://chromium-review.googlesource.com/1095597 Commit-Queue: Martin Kreichgauer <martinkr@google.com> Reviewed-by: Robert Sesek <rsesek@chromium.org> Reviewed-by: Nico Weber <thakis@chromium.org> Cr-Commit-Position: refs/heads/master@{#566257}
Denger-Network · Jun 12, 2018 · 4d80b33 · 4d80b33
1 parent d365f4e
commit 4d80b33
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 6 deletions.
diff --git a/build/util/branding.gni b/build/util/branding.gni
@@ -20,7 +20,8 @@ _branding_dictionary_template =
     "bundle_id = \"@MAC_BUNDLE_ID@\" " +
     "creator_code = \"@MAC_CREATOR_CODE@\" " +
     "installer_full_name = \"@PRODUCT_INSTALLER_FULLNAME@\" " +
-    "installer_short_name = \"@PRODUCT_INSTALLER_SHORTNAME@\" "
+    "installer_short_name = \"@PRODUCT_INSTALLER_SHORTNAME@\" " +
+    "team_id = \"@MAC_TEAM_ID@\" "
 
 _branding_file = "//chrome/app/theme/$branding_path_component/BRANDING"
 _result = exec_script("version.py",
@@ -41,4 +42,5 @@ chrome_product_installer_short_name = _result.installer_short_name
 if (is_mac) {
   chrome_mac_bundle_id = _result.bundle_id
   chrome_mac_creator_code = _result.creator_code
+  chrome_mac_team_id = _result.team_id
 }
diff --git a/chrome/BUILD.gn b/chrome/BUILD.gn
@@ -33,6 +33,7 @@ if (is_android) {
   import("//build/linux/extract_symbols.gni")
 } else if (is_mac) {
   import("//build/compiled_action.gni")
+  import("//build/config/mac/base_rules.gni")
   import("//build/config/mac/rules.gni")
   import("//build/config/mac/symbols.gni")
   import("//build/mac/tweak_info_plist.gni")
@@ -796,6 +797,16 @@ if (is_win) {
     ]
   }
 
+  compile_entitlements("entitlements") {
+    entitlements_templates = [ "app/entitlements.plist" ]
+    output_name = "$target_gen_dir/entitlements.plist"
+    substitutions = [
+      "CHROMIUM_BUNDLE_ID=$chrome_mac_bundle_id",
+      "CHROMIUM_TEAM_ID=$chrome_mac_team_id",
+    ]
+    visibility = [ "//chrome/installer/mac:copies" ]
+  }
+
   mac_app_bundle("chrome_helper_app") {
     output_name = chrome_helper_name
 

diff --git a/chrome/app/entitlements.plist b/chrome/app/entitlements.plist
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.application-identifier</key>
+	<string>${CHROMIUM_TEAM_ID}.${CHROMIUM_BUNDLE_ID}</string>
+	<key>keychain-access-groups</key>
+	<array>
+		<string>${CHROMIUM_TEAM_ID}.${CHROMIUM_BUNDLE_ID}.webauthn</string>
+	</array>
+</dict>
+</plist>
diff --git a/chrome/app/theme/chromium/BRANDING b/chrome/app/theme/chromium/BRANDING
@@ -7,3 +7,4 @@ PRODUCT_INSTALLER_SHORTNAME=Chromium Installer
 COPYRIGHT=Copyright 2017 The Chromium Authors. All rights reserved.
 MAC_BUNDLE_ID=org.chromium.Chromium
 MAC_CREATOR_CODE=Cr24
+MAC_TEAM_ID=
diff --git a/chrome/installer/mac/BUILD.gn b/chrome/installer/mac/BUILD.gn
@@ -5,6 +5,7 @@
 import("//build/util/branding.gni")
 import("//build/util/version.gni")
 import("//build/config/features.gni")
+import("//build/config/mac/base_rules.gni")
 
 group("mac") {
   public_deps = [
@@ -71,6 +72,7 @@ copy("copies") {
 
   deps = [
     ":copy_variables",
+    "//chrome:entitlements",
     "//chrome/installer/mac/third_party/bsdiff:goobsdiff",
     "//chrome/installer/mac/third_party/bsdiff:goobspatch",
     "//chrome/installer/mac/third_party/xz:lzma_decompress",
@@ -79,6 +81,7 @@ copy("copies") {
   ]
 
   sources = [
+    "$root_gen_dir/chrome/entitlements.plist",
     "$root_out_dir/goobsdiff",
     "$root_out_dir/goobspatch",
     "$root_out_dir/liblzma_decompress.dylib",
@@ -99,6 +102,8 @@ copy("copies") {
     sources += [
       "//chrome/app/theme/google_chrome/mac/app_canary.icns",
       "//chrome/app/theme/google_chrome/mac/document_canary.icns",
+      "internal/Google_Chrome.provisionprofile",
+      "internal/Google_Chrome_Canary.provisionprofile",
       "internal/chrome_canary_dmg_dsstore",
       "internal/chrome_canary_dmg_icon.icns",
       "internal/chrome_dmg_background.png",

diff --git a/chrome/installer/mac/sign_app.sh.in b/chrome/installer/mac/sign_app.sh.in
@@ -9,7 +9,7 @@
 # verified. Inner bundle components are expected to be signed before this
 # script is called. See sign_versioned_dir.sh.in.
 
-set -eu
+set -eux
 
 # Environment sanitization. Set a known-safe PATH. Clear environment variables
 # that might impact the interpreter's operation. The |bash -p| invocation
@@ -24,18 +24,20 @@ export -n SHELLOPTS
 ME="$(basename "${0}")"
 readonly ME
 
-if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then
+if [[ ${#} -ne 5 && ${#} -ne 6 ]]; then
   echo "usage: ${ME} app_path codesign_keychain codesign_id \
-[--development]" >& 2
+provisioning_profile entitlements_plist [--development]" >& 2
   exit 1
 fi
 
 app_path="${1}"
 codesign_keychain="${2}"
 codesign_id="${3}"
+provisioning_profile="${4}"
+entitlements_plist="${5}"
 is_development=
 
-if [[ ${#} == 4 && "${4}" == "--development" ]]; then
+if [[ ${#} == 6 && "${6}" == "--development" ]]; then
   is_development=1
 fi
 
@@ -45,7 +47,8 @@ source "${script_dir}/variables.sh"
 # Use custom resource rules for the browser application.
 browser_app_rules="${script_dir}/app_resource_rules.plist"
 
-versioned_dir="${app_path}/Contents/Versions/@VERSION@"
+contents_dir="${app_path}/Contents"
+versioned_dir="${contents_dir}/Versions/@VERSION@"
 
 browser_app="${app_path}"
 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
@@ -55,6 +58,9 @@ helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
 app_mode_loader_app="${framework}/Resources/app_mode_loader.app"
 app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader"
 
+# Embed the supplied provisioning profile.
+cp "${provisioning_profile}" "${contents_dir}/embedded.provisionprofile"
+
 requirement="\
 designated => \
 (identifier \"com.google.Chrome\" or \
@@ -69,6 +75,7 @@ codesign_cmd=(
   "${browser_app}"
   --options "${enforcement_flags_app}"
   --resource-rules "${browser_app_rules}"
+  --entitlements "${entitlements_plist}"
 )
 if [[ -z "${is_development}" ]]; then
   codesign_cmd+=( -r="${requirement}" )