macOS Installer: Remove keychain reauth code from kestyone_installer.sh.
This removes one of the last bits of the keychain reauthorization code. Bug: 953092 Change-Id: I44209fa20fa835af8f2c1d72668a83bcbece7582 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1568385 Reviewed-by: Mark Mentovai <mark@chromium.org> Commit-Queue: Greg Kerr <kerrnel@chromium.org> Cr-Commit-Position: refs/heads/master@{#651355}
@ -596,7 +596,6 @@ main() {
|
||||
readonly KS_BRAND_KEY="KSBrandID"
|
||||
|
||||
readonly QUARANTINE_ATTR="com.apple.quarantine"
|
||||
readonly KEYCHAIN_REAUTHORIZE_DIR=".keychain_reauthorize"
|
||||
|
||||
# Don't use rsync -a, because -a expands to -rlptgoD. -g and -o copy owners
|
||||
# and groups, respectively, from the source, and that is undesirable in this
|
||||
@ -1447,51 +1446,6 @@ main() {
|
||||
|
||||
xattr -d -r "${QUARANTINE_ATTR}" "${installed_app}" 2> /dev/null
|
||||
|
||||
# Do Keychain reauthorization. This involves running a stub executable on
|
||||
# the dmg that loads the newly-updated framework and jumps to it to perform
|
||||
# the reauthorization. The stub executable can be signed by the old
|
||||
# certificate even after the rest of Chrome switches to the new certificate,
|
||||
# so it still has access to the old Keychain items. The stub executable is
|
||||
# an unbundled flat file executable whose name matches the real
|
||||
# application's bundle identifier, so it's permitted access to the Keychain
|
||||
# items. Doing a reauthorization step at update time reauthorizes Keychain
|
||||
# items for users who never bother restarting Chrome, and provides a
|
||||
# mechanism to continue doing reauthorizations even after the certificate
|
||||
# changes. However, it only works for non-system ticket installations of
|
||||
# Chrome, because the updater runs as root when on a system ticket, and root
|
||||
# can't access individual user Keychains.
|
||||
#
|
||||
# Even if the reauthorization tool is launched, it doesn't necessarily try
|
||||
# to do anything. It will only attempt to perform a reauthorization if one
|
||||
# hasn't yet been done at update time.
|
||||
note "maybe reauthorizing Keychain"
|
||||
|
||||
if [[ -z "${system_ticket}" ]]; then
|
||||
local new_bundleid_app
|
||||
new_bundleid_app="$(defaults read "${installed_app_plist}" \
|
||||
"${APP_BUNDLEID_KEY}" || true)"
|
||||
note "new_bundleid_app = ${new_bundleid_app}"
|
||||
|
||||
local keychain_reauthorize_dir="\
|
||||
${update_dmg_mount_point}/${KEYCHAIN_REAUTHORIZE_DIR}"
|
||||
local keychain_reauthorize_path="\
|
||||
${keychain_reauthorize_dir}/${new_bundleid_app}"
|
||||
note "keychain_reauthorize_path = ${keychain_reauthorize_path}"
|
||||
|
||||
if [[ -x "${keychain_reauthorize_path}" ]]; then
|
||||
local framework_dir="${new_versioned_dir}/${FRAMEWORK_DIR}"
|
||||
local framework_dylib_path="${framework_dir}/${FRAMEWORK_NAME}"
|
||||
note "framework_dylib_path = ${framework_dylib_path}"
|
||||
|
||||
if [[ -f "${framework_dylib_path}" ]]; then
|
||||
note "reauthorizing Keychain"
|
||||
"${keychain_reauthorize_path}" "${framework_dylib_path}"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
note "system ticket, not reauthorizing Keychain"
|
||||
fi
|
||||
|
||||
# Great success!
|
||||
note "done!"
|
||||
|
||||
|