diff --git a/build/util/branding.gni b/build/util/branding.gni index cadd1a3441586b..2a229f1056e43a 100644 --- a/build/util/branding.gni +++ b/build/util/branding.gni @@ -20,7 +20,8 @@ _branding_dictionary_template = "bundle_id = \"@MAC_BUNDLE_ID@\" " + "creator_code = \"@MAC_CREATOR_CODE@\" " + "installer_full_name = \"@PRODUCT_INSTALLER_FULLNAME@\" " + - "installer_short_name = \"@PRODUCT_INSTALLER_SHORTNAME@\" " + "installer_short_name = \"@PRODUCT_INSTALLER_SHORTNAME@\" " + + "team_id = \"@MAC_TEAM_ID@\" " _branding_file = "//chrome/app/theme/$branding_path_component/BRANDING" _result = exec_script("version.py", @@ -41,4 +42,5 @@ chrome_product_installer_short_name = _result.installer_short_name if (is_mac) { chrome_mac_bundle_id = _result.bundle_id chrome_mac_creator_code = _result.creator_code + chrome_mac_team_id = _result.team_id } diff --git a/chrome/BUILD.gn b/chrome/BUILD.gn index 8b985d50efc6a8..d6dff6822064b0 100644 --- a/chrome/BUILD.gn +++ b/chrome/BUILD.gn @@ -33,6 +33,7 @@ if (is_android) { import("//build/linux/extract_symbols.gni") } else if (is_mac) { import("//build/compiled_action.gni") + import("//build/config/mac/base_rules.gni") import("//build/config/mac/rules.gni") import("//build/config/mac/symbols.gni") import("//build/mac/tweak_info_plist.gni") @@ -796,6 +797,16 @@ if (is_win) { ] } + compile_entitlements("entitlements") { + entitlements_templates = [ "app/entitlements.plist" ] + output_name = "$target_gen_dir/entitlements.plist" + substitutions = [ + "CHROMIUM_BUNDLE_ID=$chrome_mac_bundle_id", + "CHROMIUM_TEAM_ID=$chrome_mac_team_id", + ] + visibility = [ "//chrome/installer/mac:copies" ] + } + mac_app_bundle("chrome_helper_app") { output_name = chrome_helper_name diff --git a/chrome/app/entitlements.plist b/chrome/app/entitlements.plist new file mode 100644 index 00000000000000..a64a5ec03937da --- /dev/null +++ b/chrome/app/entitlements.plist 
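Review bot: The `CHROMIUM_TEAM_ID=$chrome_mac_team_id` substitution in `compile_entitlements("entitlements")` has no guard for an empty value, and the chromium BRANDING hunk in this commit sets `MAC_TEAM_ID=` to nothing. With that input the template in chrome/app/entitlements.plist would expand to an application identifier and a keychain access group that begin with a bare dot (`.org.chromium.Chromium` and `.org.chromium.Chromium.webauthn`), which is presumably not a value anyone should sign with. Add a comment on the target such as `# Only meaningful when MAC_TEAM_ID is set in BRANDING; an empty team ID yields an unusable identifier.`, or have the signing step refuse an entitlements file generated from an empty team ID. `chrome_mac_team_id` is defined only under `if (is_mac)` in branding.gni, so this target has to stay inside the mac-only branch, which begins outside the hunk.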
@@ -0,0 +1,12 @@ + + + + + com.apple.application-identifier + ${CHROMIUM_TEAM_ID}.${CHROMIUM_BUNDLE_ID} + keychain-access-groups + + ${CHROMIUM_TEAM_ID}.${CHROMIUM_BUNDLE_ID}.webauthn + + + diff --git a/chrome/app/theme/chromium/BRANDING b/chrome/app/theme/chromium/BRANDING index 4f9ef78ce599db..4167796dd60fa4 100644 --- a/chrome/app/theme/chromium/BRANDING +++ b/chrome/app/theme/chromium/BRANDING @@ -7,3 +7,4 @@ PRODUCT_INSTALLER_SHORTNAME=Chromium Installer COPYRIGHT=Copyright 2017 The Chromium Authors. All rights reserved. MAC_BUNDLE_ID=org.chromium.Chromium MAC_CREATOR_CODE=Cr24 +MAC_TEAM_ID= diff --git a/chrome/installer/mac/BUILD.gn b/chrome/installer/mac/BUILD.gn index 616dee3ba6c8a7..e30b17ba2e1efb 100644 --- a/chrome/installer/mac/BUILD.gn +++ b/chrome/installer/mac/BUILD.gn @@ -5,6 +5,7 @@ import("//build/util/branding.gni") import("//build/util/version.gni") import("//build/config/features.gni") +import("//build/config/mac/base_rules.gni") group("mac") { public_deps = [ @@ -71,6 +72,7 @@ copy("copies") { deps = [ ":copy_variables", + "//chrome:entitlements", "//chrome/installer/mac/third_party/bsdiff:goobsdiff", "//chrome/installer/mac/third_party/bsdiff:goobspatch", "//chrome/installer/mac/third_party/xz:lzma_decompress", @@ -79,6 +81,7 @@ copy("copies") { ] sources = [ + "$root_gen_dir/chrome/entitlements.plist", "$root_out_dir/goobsdiff", "$root_out_dir/goobspatch", "$root_out_dir/liblzma_decompress.dylib", @@ -99,6 +102,8 @@ copy("copies") { sources += [ "//chrome/app/theme/google_chrome/mac/app_canary.icns", "//chrome/app/theme/google_chrome/mac/document_canary.icns", + "internal/Google_Chrome.provisionprofile", + "internal/Google_Chrome_Canary.provisionprofile", "internal/chrome_canary_dmg_dsstore", "internal/chrome_canary_dmg_icon.icns", "internal/chrome_dmg_background.png", diff --git a/chrome/installer/mac/sign_app.sh.in b/chrome/installer/mac/sign_app.sh.in index a2694af5cc7a66..4383c826c43588 100644 --- a/chrome/installer/mac/sign_app.sh.in 
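Review bot: The new source `"$root_gen_dir/chrome/entitlements.plist"` in `copy("copies")` hard-codes the output location of `//chrome:entitlements`, which that target declares as `$target_gen_dir/entitlements.plist`. The two paths agree only while the target lives in //chrome, so moving or renaming it would break this copy step far from where the change was made. A comment next to the entry, e.g. `# Output of //chrome:entitlements; keep in sync with its output_name.`, would make the coupling visible. The `import("//build/config/mac/base_rules.gni")` added at the top of this file does not appear to be used by anything in the visible hunks, so it may be unnecessary here.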
+++ b/chrome/installer/mac/sign_app.sh.in @@ -9,7 +9,7 @@ # verified. Inner bundle components are expected to be signed before this # script is called. See sign_versioned_dir.sh.in. -set -eu +set -eux # Environment sanitization. Set a known-safe PATH. Clear environment variables # that might impact the interpreter's operation. The |bash -p| invocation @@ -24,18 +24,20 @@ export -n SHELLOPTS ME="$(basename "${0}")" readonly ME -if [[ ${#} -ne 3 && ${#} -ne 4 ]]; then +if [[ ${#} -ne 5 && ${#} -ne 6 ]]; then echo "usage: ${ME} app_path codesign_keychain codesign_id \ -[--development]" >& 2 +provisioning_profile entitlements_plist [--development]" >& 2 exit 1 fi app_path="${1}" codesign_keychain="${2}" codesign_id="${3}" +provisioning_profile="${4}" +entitlements_plist="${5}" is_development= -if [[ ${#} == 4 && "${4}" == "--development" ]]; then +if [[ ${#} == 6 && "${6}" == "--development" ]]; then is_development=1 fi @@ -45,7 +47,8 @@ source "${script_dir}/variables.sh" # Use custom resource rules for the browser application. browser_app_rules="${script_dir}/app_resource_rules.plist" -versioned_dir="${app_path}/Contents/Versions/@VERSION@" +contents_dir="${app_path}/Contents" +versioned_dir="${contents_dir}/Versions/@VERSION@" browser_app="${app_path}" framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" @@ -55,6 +58,9 @@ helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" app_mode_loader_app="${framework}/Resources/app_mode_loader.app" app_mode_loader="${app_mode_loader_app}/Contents/MacOS/app_mode_loader" +# Embed the supplied provisioning profile. +cp "${provisioning_profile}" "${contents_dir}/embedded.provisionprofile" + requirement="\ designated => \ (identifier \"com.google.Chrome\" or \ @@ -69,6 +75,7 @@ codesign_cmd=( "${browser_app}" --options "${enforcement_flags_app}" --resource-rules "${browser_app_rules}" + --entitlements "${entitlements_plist}" ) if [[ -z "${is_development}" ]]; then codesign_cmd+=( -r="${requirement}" )
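Review bot: `set -eux` turns on xtrace for the whole signing script, so every expanded command is echoed to stderr and ends up in build logs, including the keychain path, the signing identity and the profile and entitlements paths. This looks like a debugging aid rather than an intended part of the change; if so, go back to `set -eu`. If tracing is wanted, say why in a comment, e.g. `# -x: trace commands so signing failures can be diagnosed from bot logs`.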
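Review bot: A sixth argument that is not exactly `--development` is accepted and silently ignored, so a typo leaves `is_development` empty and the script signs as a release build with the designated requirement applied. Now that the positional list has grown to five, reject the unexpected value explicitly, e.g. `if [[ ${#} == 6 && "${6}" != "--development" ]]; then echo "${ME}: unknown option ${6}" >& 2; exit 1; fi`. The new `provisioning_profile` and `entitlements_plist` arguments are also used without checking that they name readable files; a test such as `[[ -r "${entitlements_plist}" ]]` before signing would give a clearer failure than the one from `cp` or `codesign`. Callers of this script are outside the diff and all need updating to the new argument order.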
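Review bot: The `cp` into `${contents_dir}/embedded.provisionprofile` and the `--entitlements` flag added in the last hunk are unconditional, so they also apply to `--development` signing and to builds whose branding has no team ID or profile. Restricted entitlements such as `keychain-access-groups` are, as far as I know, honoured only when the embedded profile matches the signing identity, so a mismatched development identity would likely produce an app that fails at launch rather than at signing time. Consider making both steps conditional, e.g. `if [[ -n "${provisioning_profile}" ]]; then cp "${provisioning_profile}" "${contents_dir}/embedded.provisionprofile"; fi`, or state in the header comment that a matching profile is required in every mode. Copying before `codesign` runs is the right order, since the profile is then presumably covered by the signature (depending on app_resource_rules.plist); a one-line comment saying so would keep the copy from being moved later.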