chrome/installer/mac/sign_app.sh.in - platform/external/chromium_org - Git at Google

 #!/bin/bash -p

 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 # Using codesign, sign the application. After signing, the signatures on the
 # inner bundle components are verified, and the application's own signature is
 # verified. Inner bundle components are expected to be signed before this
 # script is called. See sign_versioned_dir.sh.

 set -eu

 # Environment sanitization. Set a known-safe PATH. Clear environment variables
 # that might impact the interpreter's operation. The |bash -p| invocation
 # on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
 # other features), but clearing them here ensures that they won't impact any
 # shell scripts used as utility programs. SHELLOPTS is read-only and can't be
 # unset, only unexported.
 export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
 unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
 export -n SHELLOPTS

 ME="$(basename "${0}")"
 readonly ME

 if [[ ${#} -ne 3 ]]; then
   echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
   exit 1
 fi

 app_path="${1}"
 codesign_keychain="${2}"
 codesign_id="${3}"

 # Use custom resource rules for the browser application.
 script_dir="$(dirname "${0}")"
 browser_app_rules="${script_dir}/app_resource_rules.plist"

 versioned_dir="${app_path}/Contents/Versions/@VERSION@"

 browser_app="${app_path}"
 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
 helper_eh_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper EH.app"
 helper_np_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper NP.app"

 requirement_string="\
 designated => \
 (identifier \"com.google.Chrome\" or identifier \"com.google.Chrome.canary\") \
 and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\
 "

 codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
     "${browser_app}" --resource-rules "${browser_app_rules}" \
     -r="${requirement_string}"

 # Show the signature.
 codesign --display -r- -vvvvvv "${browser_app}"

 # Verify everything. Check the framework and helper apps to make sure that the
 # signatures are present and weren't altered by the signing process. Don't use
 # --deep on the framework because Keystone's signature is in a transitional
 # state (radar 18474911). Use --no-strict on the app because it uses custom
 # resource rules.
 codesign --verify -vvvvvv "${framework}"
 codesign --verify --deep -vvvvvv "${helper_app}"
 codesign --verify --deep -vvvvvv "${helper_eh_app}"
 codesign --verify --deep -vvvvvv "${helper_np_app}"
 codesign --verify --deep --no-strict -vvvvvv "${browser_app}"

 # Verify with spctl, which uses the same rules that Gatekeeper does for
 # validation.
 spctl --assess -vv "${browser_app}"
	#!/bin/bash -p

	# Copyright (c) 2012 The Chromium Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	# Using codesign, sign the application. After signing, the signatures on the
	# inner bundle components are verified, and the application's own signature is
	# verified. Inner bundle components are expected to be signed before this
	# script is called. See sign_versioned_dir.sh.

	set -eu

	# Environment sanitization. Set a known-safe PATH. Clear environment variables
	# that might impact the interpreter's operation. The \|bash -p\| invocation
	# on the #! line takes the bite out of BASH_ENV, ENV, and SHELLOPTS (among
	# other features), but clearing them here ensures that they won't impact any
	# shell scripts used as utility programs. SHELLOPTS is read-only and can't be
	# unset, only unexported.
	export PATH="/usr/bin:/bin:/usr/sbin:/sbin"
	unset BASH_ENV CDPATH ENV GLOBIGNORE IFS POSIXLY_CORRECT
	export -n SHELLOPTS

	ME="$(basename "${0}")"
	readonly ME

	if [[ ${#} -ne 3 ]]; then
	echo "usage: ${ME} app_path codesign_keychain codesign_id" >& 2
	exit 1
	fi

	app_path="${1}"
	codesign_keychain="${2}"
	codesign_id="${3}"

	# Use custom resource rules for the browser application.
	script_dir="$(dirname "${0}")"
	browser_app_rules="${script_dir}/app_resource_rules.plist"

	versioned_dir="${app_path}/Contents/Versions/@VERSION@"

	browser_app="${app_path}"
	framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
	helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
	helper_eh_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper EH.app"
	helper_np_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper NP.app"

	requirement_string="\
	designated => \
	(identifier \"com.google.Chrome\" or identifier \"com.google.Chrome.canary\") \
	and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\
	"

	codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
	"${browser_app}" --resource-rules "${browser_app_rules}" \
	-r="${requirement_string}"

	# Show the signature.
	codesign --display -r- -vvvvvv "${browser_app}"

	# Verify everything. Check the framework and helper apps to make sure that the
	# signatures are present and weren't altered by the signing process. Don't use
	# --deep on the framework because Keystone's signature is in a transitional
	# state (radar 18474911). Use --no-strict on the app because it uses custom
	# resource rules.
	codesign --verify -vvvvvv "${framework}"
	codesign --verify --deep -vvvvvv "${helper_app}"
	codesign --verify --deep -vvvvvv "${helper_eh_app}"
	codesign --verify --deep -vvvvvv "${helper_np_app}"
	codesign --verify --deep --no-strict -vvvvvv "${browser_app}"

	# Verify with spctl, which uses the same rules that Gatekeeper does for
	# validation.
	spctl --assess -vv "${browser_app}"