Updater: Fix tagged metainstaller not elevating/deelevating correctly

This CL fixes issues where a tagged metainstaller does not:
* elevate when run with needsadmin=true|prefers from medium integrity.
* deelevate when run with needsadmin=false from high integrity.

This CL also adds detailed steps to create a tagged metainstaller in
the design document.

Bug: 1370538
Change-Id: I1f00846a080158e21805ef88e15e133feb35f095
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3936957
Commit-Queue: S Ganesh <ganesh@chromium.org>
Reviewed-by: Xiaoling Bao <xiaolingbao@chromium.org>
Commit-Queue: Xiaoling Bao <xiaolingbao@chromium.org>
Auto-Submit: S Ganesh <ganesh@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1055593}
Committed by: Chromium LUCI CQ
Parent: 2790f315f1
Commit: 53ff3a716e
@ -26,6 +26,7 @@
|
||||
#include "base/files/scoped_temp_dir.h"
|
||||
#include "base/logging.h"
|
||||
#include "base/path_service.h"
|
||||
#include "base/strings/strcat.h"
|
||||
#include "base/strings/sys_string_conversions.h"
|
||||
#include "base/threading/platform_thread.h"
|
||||
#include "base/time/time.h"
|
||||
@ -325,14 +326,13 @@ ProcessExitResult WMain(HMODULE module) {
|
||||
return args_result;
|
||||
|
||||
// Both `RunElevated` and `RunDeElevated` use shell APIs to run the process,
|
||||
// which can have issues with relative paths. So we get the full exe path and
|
||||
// substitute it for the program in the command line.
|
||||
// which can have issues with relative paths. So we use the full exe path for
|
||||
// the program in the command line.
|
||||
base::FilePath exe_path;
|
||||
if (!base::PathService::Get(base::FILE_EXE, &exe_path))
|
||||
return ProcessExitResult(UNABLE_TO_GET_EXE_PATH);
|
||||
base::CommandLine command_line =
|
||||
base::CommandLine::FromString(::GetCommandLineW());
|
||||
command_line.SetProgram(exe_path);
|
||||
const base::CommandLine command_line = base::CommandLine::FromString(
|
||||
base::StrCat({L"\"", exe_path.value(), L"\" ", cmd_line_args.get()}));
|
||||
|
||||
const UpdaterScope scope = GetUpdaterScopeForCommandLine(command_line);
|
||||
|
||||
|
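Review bot: In WMain, the rewritten comment still explains only the full exe path, but the substantive change is that the arguments now come from `cmd_line_args` instead of `::GetCommandLineW()`; say that in the comment, because the process relaunched by `RunElevated` or `RunDeElevated` at the other integrity level is driven by this command line. The line is assembled with `base::StrCat` and re-parsed by `base::CommandLine::FromString`, and `GetUpdaterScopeForCommandLine` then decides the scope from the result, so a test covering a tagged run with needsadmin=true, prefers and false would pin down the behaviour the commit message describes.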
@ -416,6 +416,47 @@ installer. See [installdataindex](#installdataindex) below for details.
|
||||
|
||||
#### Dynamic Install Parameters
|
||||
|
||||
##### Steps to create a tagged metainstaller
|
||||
|
||||
A tagged metainstaller can be created using the signing tool
|
||||
[sign.py](https://source.chromium.org/chromium/chromium/src/+/main:chrome/updater/win/signing/sign.py)
|
||||
and the metainstaller tagging tool
|
||||
[tag.py](https://source.chromium.org/chromium/chromium/src/+/main:chrome/updater/tools/tag.py).
|
||||
|
||||
Here are the steps to create a tagged metainstaller for the following tag:
|
||||
`--tag="appguid=FOO_BAR_APP_ID&appname=SomeName&needsadmin=prefers"`
|
||||
|
||||
The source file is the untagged metainstaller `out\Default\UpdaterSetup.exe`,
|
||||
and the final tagged file will be `out\Default\Tagged_UpdaterSetup.signed.exe`.
|
||||
|
||||
* One-time step: from an elevated powershell prompt:
|
||||
```
|
||||
New-SelfSignedCertificate -DnsName id@domain.tld -Type CodeSigning
|
||||
-CertStoreLocation cert:\CurrentUser\My
|
||||
```
|
||||
* Note: all the steps below are run from a medium cmd prompt.
|
||||
* One-time step: `python3 -m pip install pypiwin32`
|
||||
* One-time step:
|
||||
`set PYTHONPATH=C:\src\chromium\src\chrome\tools\build\win`
|
||||
*
|
||||
```
|
||||
python3 C:\src\chromium\src\chrome\updater\win\signing\sign.py --in_file
|
||||
C:\src\chromium\src\out\Default\UpdaterSetup.exe
|
||||
--out_file C:\src\chromium\src\out\Default\UpdaterSetup.signed.exe
|
||||
--lzma_7z "C:\Program Files\7-Zip\7z.exe"
|
||||
--signtool c:\windows_sdk_10\files\bin\10.0.22000.0\x64\signtool.exe
|
||||
--identity id@domain.tld
|
||||
--certificate_tag C:\src\chromium\src\out\Default\certificate_tag.exe
|
||||
```
|
||||
*
|
||||
```
|
||||
python3 C:\src\chromium\src\chrome\updater\tools\tag.py
|
||||
--certificate_tag=C:\src\chromium\src\out\Default\certificate_tag.exe
|
||||
--in_file=C:\src\chromium\src\out\Default\UpdaterSetup.signed.exe
|
||||
--out_file=out\Default\Tagged_UpdaterSetup.signed.exe
|
||||
--tag="appguid=FOO_BAR_APP_ID&appname=SomeName&needsadmin=prefers"
|
||||
```
|
||||
|
||||
##### `needsadmin`
|
||||
|
||||
`needsadmin` is one of the install parameters that can be specified for
|
||||
|
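Review bot: The first one-time step asks for an elevated PowerShell prompt but writes the certificate to `cert:\CurrentUser\My`, while every later step runs from a medium cmd prompt; if elevation switches to a different account, the `--identity id@domain.tld` lookup in the sign.py step may not find the certificate. Suggest dropping the elevation requirement or stating that both prompts must belong to the same user. The multi-line commands in the three fenced blocks carry no continuation characters (backtick for PowerShell, `^` for cmd), so they will not paste as written, and `--out_file=out\Default\Tagged_UpdaterSetup.signed.exe` in the tag.py step is relative while every other path is absolute, so either state the expected working directory or make it absolute.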