author | Ben Murdoch <benm@google.com> | 2014-10-22 18:55:17 +0100 |
---|---|---|
committer | Ben Murdoch <benm@google.com> | 2014-10-22 18:55:17 +0100 |
commit | 1675a649fd7a8b3cb80ffddae2dc181f122353c5 (patch) | |
tree | eb1ec66a619d0b0680d83b54523dc381a74e04ae /chrome/installer | |
parent | b985a5157c04424e8c2fd5091938349a768d4329 (diff) | |
download | chromium_org-1675a649fd7a8b3cb80ffddae2dc181f122353c5.tar.gz |
Merge from Chromium at DEPS revision 39.0.2171.37
This commit was generated by merge_to_master.py.
Change-Id: I4ca18a1d6d089e98b0511ad83f49e89d62401760
Diffstat (limited to 'chrome/installer')
-rw-r--r-- | chrome/installer/mac/sign_app.sh.in | 24 | ||||
-rw-r--r-- | chrome/installer/mac/sign_versioned_dir.sh.in | 21 |
2 files changed, 29 insertions, 16 deletions
diff --git a/chrome/installer/mac/sign_app.sh.in b/chrome/installer/mac/sign_app.sh.in
index 4738ed7122..25b78298a5 100644
--- a/chrome/installer/mac/sign_app.sh.in
+++ b/chrome/installer/mac/sign_app.sh.in
@@ -51,14 +51,24 @@ designated => \
 and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\
 "
-codesign -s "${codesign_id}" --keychain "${codesign_keychain}" \
+codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
 "${browser_app}" --resource-rules "${browser_app_rules}" \
 -r="${requirement_string}"
+# Show the signature.
+codesign --display -r- -vvvvvv "${browser_app}"
+
 # Verify everything. Check the framework and helper apps to make sure that the
-# signatures are present and weren't altered by the signing process.
-codesign -v "${framework}"
-codesign -v "${helper_app}"
-codesign -v "${helper_eh_app}"
-codesign -v "${helper_np_app}"
-codesign -v "${browser_app}"
+# signatures are present and weren't altered by the signing process. Don't use
+# --deep on the framework because Keystone's signature is in a transitional
+# state (radar 18474911). Use --no-strict on the app because it uses custom
+# resource rules.
+codesign --verify -vvvvvv "${framework}"
+codesign --verify --deep -vvvvvv "${helper_app}"
+codesign --verify --deep -vvvvvv "${helper_eh_app}"
+codesign --verify --deep -vvvvvv "${helper_np_app}"
+codesign --verify --deep --no-strict -vvvvvv "${browser_app}"
+
+# Verify with spctl, which uses the same rules that Gatekeeper does for
+# validation.
+spctl --assess -vv "${browser_app}"
diff --git a/chrome/installer/mac/sign_versioned_dir.sh.in b/chrome/installer/mac/sign_versioned_dir.sh.in
index eb3ffb04b5..82a11c696b 100644
--- a/chrome/installer/mac/sign_versioned_dir.sh.in
+++ b/chrome/installer/mac/sign_versioned_dir.sh.in
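Review bot: `--no-strict` on the final `codesign --verify --deep` of `${browser_app}` in sign_app.sh.in turns off strict validation for the whole outermost bundle, not only for the custom resource rules that the comment gives as the reason. That leaves the `spctl --assess` at the end of the hunk as the stricter gate on the shipped app, and its verdict follows the assessment policy of the signing host. The comment should record this and mark the flag for removal, e.g. `# TODO: drop --no-strict once --resource-rules is no longer passed when signing.` Whether a failing verify or assess actually stops the script depends on errexit being set above the hunk, which is not visible here.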
@@ -49,23 +49,26 @@ requirement_suffix="\
 and certificate leaf = H\"85cee8254216185620ddc8851c7a9fc4dfe120ef\"\
 "
-codesign -s "${codesign_id}" --keychain "${codesign_keychain}" "${framework}" \
+codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
+ "${framework}" \
 -r="designated => identifier \"com.google.Chrome.framework\" \
 ${requirement_suffix}"
-codesign -s "${codesign_id}" --keychain "${codesign_keychain}" "${helper_app}" \
+codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
+ "${helper_app}" \
 -r="designated => identifier \"com.google.Chrome.helper\" \
 ${requirement_suffix}"
-codesign -s "${codesign_id}" --keychain "${codesign_keychain}" \
+codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
 "${helper_eh_app}" \
 -r="designated => identifier \"com.google.Chrome.helper.EH\" \
 ${requirement_suffix}"
-codesign -s "${codesign_id}" --keychain "${codesign_keychain}" \
+codesign --sign "${codesign_id}" --keychain "${codesign_keychain}" \
 "${helper_np_app}" \
 -r="designated => identifier \"com.google.Chrome.helper.NP\" \
 ${requirement_suffix}"
-# Verify everything.
-codesign -v "${framework}"
-codesign -v "${helper_app}"
-codesign -v "${helper_eh_app}"
-codesign -v "${helper_np_app}"
+# Verify everything. Don't use --deep on the framework because Keystone's
+# signature is in a transitional state (radar 18474911).
+codesign --verify "${framework}"
+codesign --verify --deep "${helper_app}"
+codesign --verify --deep "${helper_eh_app}"
+codesign --verify --deep "${helper_np_app}" |
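Review bot: The verify lines at the end of this hunk lack the `-vvvvvv` that the matching lines in sign_app.sh.in carry, so a failed verification here logs much less about which component and which check failed. Writing them as `codesign --verify --deep -vvvvvv "${helper_app}"` (and likewise for the framework and the other two helpers) would keep the two scripts consistent. The shallow `codesign --verify "${framework}"` also appears to leave the framework's nested code unvalidated by this script for as long as the workaround stays. The comment would benefit from a tracking line such as `# TODO(radar 18474911): restore --deep on the framework once Keystone's signature is settled.`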