From 2c096ccc30bc437de770fb7cb695165e65aa5dee Mon Sep 17 00:00:00 2001
From: Max Karolinskiy
Date: Mon, 22 Jul 2019 22:12:17 -0400
Subject: [PATCH] Leverage chrome signing script. Instead of using a modified copy of sign_chrome.py (named sign_brave.py) leverage the original sign_chrome.py by patching it to call into brave's signing_helper.py for a config override. The patch also comments out a section of sign_chrome.py that causes a runtime error due to wrong variables names.
---
 build/mac/sign_app.sh | 18 +--
 build/mac/sign_brave.py | 123 ------------------
 .../chrome-installer-mac-sign_chrome.py.patch | 29 +++++
 script/signing_helper.py | 22 ++++
 4 files changed, 61 insertions(+), 131 deletions(-)
 delete mode 100755 build/mac/sign_brave.py
 create mode 100644 patches/chrome-installer-mac-sign_chrome.py.patch
diff --git a/build/mac/sign_app.sh b/build/mac/sign_app.sh
index a737a38cfc3a..33d7f3f9240e 100755
--- a/build/mac/sign_app.sh
+++ b/build/mac/sign_app.sh
@@ -11,10 +11,12 @@ SOURCE_DIR="${1}"
 DEST_DIR="${2}"
 PKG_DIR="${3}"
 DEVELOPMENT=
+MAC_PROVISIONING_PROFILE=
 if [[ "${4}" = "True" ]]; then
- DEVELOPMENT="--development"
+ DEVELOPMENT="--development"
+else
+ MAC_PROVISIONING_PROFILE="${5}"
 fi
-MAC_PROVISIONING_PROFILE="${5}"
 MAC_SIGNING_KEYCHAIN="${6}"
 MAC_SIGNING_IDENTIFIER="${7}"
@@ -36,9 +38,9 @@ function check_exit() {
 trap check_exit EXIT
-# Copy signing script to the packaging directory
-SCRIPT_DIR=$(dirname ${0})
-cp -f "${SCRIPT_DIR}/sign_brave.py" "${PKG_DIR}"
+# brave/scripts/signing_helper.py will retrieve this value when called from
+# sign_chrome.py
+export MAC_PROVISIONING_PROFILE
 # Clear output directory. It seems GN auto-creates directory path to the
 # expected outputs. However, the signing script doesn't expect the path to
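Review bot: In build/mac/sign_app.sh (hunk at line 11) the new `else` branch takes `MAC_PROVISIONING_PROFILE="${5}"` without checking that it is non-empty or names an existing file, so a release build with a missing fifth argument is only caught later, by the `cp -f` in the last hunk or by the assert in script/signing_helper.py. A guard right after the `fi`, such as `[[ -n "$DEVELOPMENT" || -f "$MAC_PROVISIONING_PROFILE" ]] || { echo "provisioning profile not found: $MAC_PROVISIONING_PROFILE" >&2; exit 1; }`, would stop the signing step early with a clear message.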
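Review bot: The comment added above `export MAC_PROVISIONING_PROFILE` (hunk at line 36) names `brave/scripts/signing_helper.py`, but the directory this commit edits is `script/`, not `scripts/`. Since the profile path now travels through the environment instead of a `--provisioning-profile` flag, this comment is the only place a reader of the script learns about the coupling, so it should be exact: `# script/signing_helper.py (GetBraveSigningConfig) reads this value when called from the patched sign_chrome.py`.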
@@ -46,13 +48,13 @@ cp -f "${SCRIPT_DIR}/sign_brave.py" "${PKG_DIR}"
 echo "Cleaning $DEST_DIR ..."
 rm -rf $DEST_DIR/*
-
 # Invoke python script to do the signing.
+PARAMS="--input $SOURCE_DIR --output $DEST_DIR --keychain $MAC_SIGNING_KEYCHAIN --identity $MAC_SIGNING_IDENTIFIER --no-dmg --no-notarize"
 if [[ -z "${DEVELOPMENT}" ]]; then
 # Copy mac_provisioning_profile to the packaging_dir since that's where the
 # signing scripts expects to find it.
 cp -f "$MAC_PROVISIONING_PROFILE" "$PKG_DIR"
- "${PKG_DIR}/sign_brave.py" --input "$SOURCE_DIR" --output "$DEST_DIR" --keychain "$MAC_SIGNING_KEYCHAIN" --identity "$MAC_SIGNING_IDENTIFIER" --no-dmg --provisioning-profile "$MAC_PROVISIONING_PROFILE"
 else
- "${PKG_DIR}/sign_brave.py" --input "$SOURCE_DIR" --output "$DEST_DIR" --keychain "$MAC_SIGNING_KEYCHAIN" --identity "$MAC_SIGNING_IDENTIFIER" --no-dmg "$DEVELOPMENT"
+ PARAMS="$PARAMS $DEVELOPMENT"
 fi
+"${PKG_DIR}/sign_chrome.py" $PARAMS
diff --git a/build/mac/sign_brave.py b/build/mac/sign_brave.py
deleted file mode 100755
index 04064b80fa00..000000000000
--- a/build/mac/sign_brave.py
+++ /dev/null
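Review bot: In build/mac/sign_app.sh, `PARAMS` is assembled as one string and expanded unquoted in `"${PKG_DIR}/sign_chrome.py" $PARAMS`, so any space or glob character in `$SOURCE_DIR`, `$DEST_DIR`, `$MAC_SIGNING_KEYCHAIN` or `$MAC_SIGNING_IDENTIFIER` is word-split into separate arguments; the removed invocations quoted each value. Signing identities commonly contain spaces, so the signer could receive a truncated `--identity` plus stray positional arguments. A bash array keeps the quoting: `PARAMS=(--input "$SOURCE_DIR" --output "$DEST_DIR" --keychain "$MAC_SIGNING_KEYCHAIN" --identity "$MAC_SIGNING_IDENTIFIER" --no-dmg --no-notarize)`, `PARAMS+=("$DEVELOPMENT")`, and `"${PKG_DIR}/sign_chrome.py" "${PARAMS[@]}"`. The new `--no-notarize` flag is not mentioned in the commit message and deserves a comment saying where notarization is expected to happen instead.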
@@ -1,123 +0,0 @@
-#!/usr/bin/env python
-# Copyright (c) 2019 The Brave Authors. All rights reserved.
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this file,
-# You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# This script is a modified version of chrome/installer/mac/sign_chrome.py
-# that allows to configure provisioning profile on the fly and also adds
-# sparkle to optional parts for signing.
-
-import argparse
-import os.path
-import shutil
-import sys
-
-sys.path.append(os.path.dirname(__file__))
-
-from signing import config, model, pipeline
-
-
-def create_config(identity, keychain, development, provisioning_profile):
- """Creates the |model.CodeSignConfig| for the signing operations.
-
- If |development| is True, the config will be modified to not require
- restricted internal assets, nor will the products be required to match
- specific certificate hashes.
-
- Args:
- identity: The code signing identity to use.
- keychain: Optional path to the keychain file, in which |identity|
- will be searched for.
- development: Boolean indicating whether or not to modify the chosen
- config for development testing.
- provisioning_profile: The path to provisioning profile file.
-
- Returns:
- An instance of |model.CodeSignConfig|.
- """
- config_class = config.CodeSignConfig
-
- if development:
-
- class DevelopmentCodeSignConfig(config_class):
-
- @property
- def codesign_requirements_basic(self):
- return ''
-
- @property
- def provisioning_profile_basename(self):
- return None
-
- @property
- def run_spctl_assess(self):
- return False
-
- config_class = DevelopmentCodeSignConfig
-
- else:
-
- class ProvisioningProfileCodeSignConfig(config_class):
-
- @property
- def provisioning_profile_basename(self):
- return os.path.splitext(
- os.path.basename(provisioning_profile))[0]
-
- @property
- def optional_parts(self):
- return set(('libwidevinecdm.dylib',
- 'sparkle-framework',))
-
- @property
- def run_spctl_assess(self):
- return True
-
- config_class = ProvisioningProfileCodeSignConfig
-
- return config_class(identity, keychain)
-
-
-def main():
- parser = argparse.ArgumentParser(
- description='Code sign and package Brave for channel distribution.')
- parser.add_argument(
- '--keychain', help='The keychain to load the identity from.')
- parser.add_argument(
- '--identity', required=True, help='The identity to sign with.')
- parser.add_argument('--development', action='store_true',
- help='The specified identity is for development. ' \
- 'Certain codesign requirements will be omitted.')
- parser.add_argument('--input', required=True,
- help='Path to the input directory. The input directory should ' \
- 'contain the products to sign, as well as the Packaging ' \
- 'directory.')
- parser.add_argument('--output', required=True,
- help='Path to the output directory. The signed DMG products and ' \
- 'installer tools will be placed here.')
- parser.add_argument(
- '--no-dmg',
- action='store_true',
- help='Only sign Brave and do not package the bundle into a DMG.')
- parser.add_argument('--provisioning-profile',
- help='The path to the provisioning profile file')
- args = parser.parse_args()
-
- config = create_config(args.identity, args.keychain, args.development,
- args.provisioning_profile)
- paths = model.Paths(args.input, args.output, None)
-
- if not os.path.exists(paths.output):
- os.mkdir(paths.output)
- else:
- if args.no_dmg:
- dest_dir = os.path.join(paths.output, config.dmg_basename)
- if os.path.exists(dest_dir):
- shutil.rmtree(dest_dir)
-
- pipeline.sign_all(paths, config, package_dmg=not args.no_dmg)
-
-
-if __name__ == '__main__':
- main()
diff --git a/patches/chrome-installer-mac-sign_chrome.py.patch b/patches/chrome-installer-mac-sign_chrome.py.patch
new file mode 100644
index 000000000000..5ec3a20582d9
--- /dev/null
+++ b/patches/chrome-installer-mac-sign_chrome.py.patch
@@ -0,0 +1,29 @@
+diff --git a/chrome/installer/mac/sign_chrome.py b/chrome/installer/mac/sign_chrome.py
+index fa3a88200f5156975d0da5bcc52ed6f9896e792e..9068adc58127d24f50f47b3f1f939e2b6feaef69 100755
+--- a/chrome/installer/mac/sign_chrome.py
++++ b/chrome/installer/mac/sign_chrome.py
+@@ -28,6 +28,7 @@ def create_config(config_args, development):
+ An instance of |model.CodeSignConfig|.
+ """
+ config_class = config.CodeSignConfig
++ """
+ try:
+ import signing.internal_config
+ config_class = signing.internal_config.InternalCodeSignConfig
+@@ -36,6 +37,7 @@ def create_config(config_args, development):
+ # internal config has to be available.
+ if config_class(identity, keychain).product == 'Google Chrome':
+ raise e
++ """
+
+ if development:
+
+@@ -55,6 +57,8 @@ def create_config(config_args, development):
+
+ config_class = DevelopmentCodeSignConfig
+
++ from signing_helper import GetBraveSigningConfig
++ config_class = GetBraveSigningConfig(config_class, development)
+ return config_class(*config_args)
+
+
diff --git a/script/signing_helper.py b/script/signing_helper.py
index b077b81f27fa..46626c754037 100644
--- a/script/signing_helper.py
+++ b/script/signing_helper.py
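Review bot: In patches/chrome-installer-mac-sign_chrome.py.patch, the added `from signing_helper import GetBraveSigningConfig` is resolved through `sys.path`, and nothing in this patch or in sign_app.sh shows how the directory holding script/signing_helper.py becomes importable when `sign_chrome.py` runs from the packaging directory. Because the imported module decides the code-signing configuration, the resolution should be explicit, or at least recorded next to the import with a comment such as `# Brave: signing_helper.py is made importable by <build step>`. Separately, disabling the internal-config block by wrapping it in a bare `"""` string leaves a no-op string statement with no explanation in the patched file; a line like `# Brave: disabled, this block references undefined identity/keychain` above it would record why. create_config starts and ends outside the patched hunks.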
@@ -83,3 +83,25 @@ def AddBravePartsForSigning(parts, config):
 '{.framework_dir}/Frameworks/Sparkle.framework'.format(config),
 'org.sparkle-project.Sparkle',
 verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)
+
+
+def GetBraveSigningConfig(config_class, development):
+ if development:
+ return config_class
+
+ # Retrieve provisioning profile exported by build/mac/sign_app.sh
+ provisioning_profile = os.environ['MAC_PROVISIONING_PROFILE']
+ assert len(provisioning_profile), 'MAC_PROVISIONING_PROFILE is not set'
+
+ class ProvisioningProfileCodeSignConfig(config_class):
+
+ @property
+ def provisioning_profile_basename(self):
+ return os.path.splitext(os.path.basename(
+ provisioning_profile))[0]
+
+ @property
+ def run_spctl_assess(self):
+ return True
+
+ return ProvisioningProfileCodeSignConfig
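Review bot: In `GetBraveSigningConfig`, `os.environ['MAC_PROVISIONING_PROFILE']` raises a bare `KeyError` when the variable is unset, so the `assert` message is only reached for an empty value, and the `assert` itself is dropped when Python runs with `-O`. An explicit check covers both cases: `provisioning_profile = os.environ.get('MAC_PROVISIONING_PROFILE')` followed by `if not provisioning_profile: raise ValueError('MAC_PROVISIONING_PROFILE is not set')`. The function also has no docstring; one sentence saying that it returns `config_class` unchanged for development builds and otherwise a subclass that derives `provisioning_profile_basename` from the environment and forces `run_spctl_assess` to True would help. The removed sign_brave.py also overrode `optional_parts`; presumably `AddBravePartsForSigning` covers those parts now, which is worth confirming since that function is only partly visible here.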