1#!/bin/bash -p 2 3# Copyright (c) 2012 The Chromium Authors. All rights reserved. 4# Use of this source code is governed by a BSD-style license that can be 5# found in the LICENSE file. 6 7# Using codesign, sign the application. After signing, the signatures on the 8# inner bundle components are verified, and the application's own signature is 9# verified. Inner bundle components are expected to be signed before this 10# script is called. See sign_versioned_dir.sh. 11 12set -eu 13 14# Environment sanitization. Set a known-safe PATH. Clear environment variables 15# that might impact the interpreter's operation. The |bash -p| invocation 16# on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among 17# other features), but clearing them here ensures that they won't impact any 18# shell scripts used as utility programs. SHELLOPTS is read-only and can't be 19# unset, only unexported. 20export PATH="/usr/bin:/bin:/usr/sbin:/sbin" 21unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT 22export -n SHELLOPTS 23 24ME="$(basename "${0}")" 25readonly ME 26 27if [[ ${#} -ne 3 ]]; then 28 echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2 29 exit 1 30fi 31 32app_path="${1}" 33codesign_keychain="${2}" 34codesign_id="${3}" 35 36# Use custom resource rules for the browser application. 37script_dir="$(dirname "${0}")" 38browser_app_rules="${script_dir}/app_resource_rules.plist" 39 40versioned_dir="${app_path}/Contents/Versions/@VERSION@" 41 42browser_app="${app_path}" 43framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework" 44helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app" 45helper_eh_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper EH.app" 46helper_np_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper NP.app" 47 48requirement_string="\ 49designated => \ 50(identifier \"com.google.Chrome\" or identifier \"com.google.Chrome.canary\") \ 51and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\ 52" 53 54codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \ 55 "${browser_app}" --resource-rules "${browser_app_rules}" \ 56 -r="${requirement_string}" 57 58# Show the signature. 59codesign --display -r- -vvvvvv "${browser_app}" 60 61# Verify everything. Check the framework and helper apps to make sure that the 62# signatures are present and weren't altered by the signing process. Don't use 63# --deep on the framework because Keystone's signature is in a transitional 64# state (radar 18474911). Use --no-strict on the app because it uses custom 65# resource rules. 66codesign --verify -vvvvvv "${framework}" 67codesign --verify --deep -vvvvvv "${helper_app}" 68codesign --verify --deep -vvvvvv "${helper_eh_app}" 69codesign --verify --deep -vvvvvv "${helper_np_app}" 70codesign --verify --deep --no-strict -vvvvvv "${browser_app}" 71 72# Verify with spctl, which uses the same rules that Gatekeeper does for 73# validation. 74spctl --assess -vv "${browser_app}" 75