Do Keychain reauthorization at update time

chrome/installer/mac/keystone_install.sh

 #!/bin/bash -p
 
-# Copyright (c) 2011 The Chromium Authors. All rights reserved.
+# Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # usage: keystone_install.sh update_dmg_mount_point
 #
 # Called by the Keystone system to update the installed application with a new
 # version from a disk image.
 #
 # Environment variables:
 # GOOGLE_CHROME_UPDATER_DEBUG
@@ skipping 392 matching lines @@
   readonly FRAMEWORK_NAME="${PRODUCT_NAME} Framework"
   readonly FRAMEWORK_DIR="${FRAMEWORK_NAME}.framework"
   readonly PATCH_DIR=".patch"
   readonly CONTENTS_DIR="Contents"
   readonly APP_PLIST="${CONTENTS_DIR}/Info"
   readonly VERSIONS_DIR="${CONTENTS_DIR}/Versions"
   readonly UNROOTED_BRAND_PLIST="Library/Google/Google Chrome Brand"
   readonly UNROOTED_DEBUG_FILE="Library/Google/Google Chrome Updater Debug"
 
   readonly APP_VERSION_KEY="CFBundleShortVersionString"
+  readonly APP_BUNDLEID_KEY="CFBundleIdentifier"
   readonly KS_VERSION_KEY="KSVersion"
   readonly KS_PRODUCT_KEY="KSProductID"
   readonly KS_URL_KEY="KSUpdateURL"
   readonly KS_CHANNEL_KEY="KSChannelID"
   readonly KS_BRAND_KEY="KSBrandID"
 
   readonly QUARANTINE_ATTR="com.apple.quarantine"
+  readonly KEYCHAIN_REAUTHORIZE_DIR=".keychain_reauthorize"
 
   # Don't use rsync -a, because -a expands to -rlptgoD.  -g and -o copy owners
   # and groups, respectively, from the source, and that is undesirable in this
   # case.  -D copies devices and special files; copying devices only works
   # when running as root, so for consistency between privileged and
   # unprivileged operation, this option is omitted as well.
   #  -I, --ignore-times  don't skip files that match in size and mod-time
   #  -l, --links         copy symlinks as symlinks
   #  -r, --recursive     recurse into directories
   #  -p, --perms         preserve permissions
@@ skipping 828 matching lines @@
   if [[ ${os_major} -gt 10 ]] ||
      ([[ ${os_major} -eq 10 ]] && [[ ${os_minor} -ge 6 ]]); then
     # On 10.6, xattr supports -r for recursive operation.
     xattr -d -r "${QUARANTINE_ATTR}" "${installed_app}" 2> /dev/null
   else
     # On earlier systems, xattr doesn't support -r, so run xattr via find.
     find "${installed_app}" -exec xattr -d "${QUARANTINE_ATTR}" {} + \
         2> /dev/null
   fi
 
+  # Do Keychain reauthorization. This involves running a stub executable on
+  # the dmg that loads the newly-updated framework and jumps to it to perform
+  # the reauthorization. The stub executable can be signed by the old
+  # certificate even after the rest of Chrome switches to the new certificate,
+  # so it still has access to the old Keychain items. The stub executable is
+  # an unbundled flat file executable whose name matches the real
+  # application's bundle identifier, so it's permitted access to the Keychain
+  # items. Doing a reauthorization step at update time reauthorizes Keychain
+  # items for users who never bother restarting Chrome, and provides a
+  # mechanism to continue doing reauthorizations even after the certificate
+  # changes. However, it only works for non-system ticket installations of
+  # Chrome, because the updater runs as root when on a system ticket, and root
+  # can't access individual user Keychains.
+  #
+  # Even if the reauthorization tool is launched, it doesn't necessarily try
+  # to do anything. It will only attempt to perform a reauthorization if one
+  # hasn't yet been done at update time.
+  note "maybe reauthorizing Keychain"
+
+  if [[ -z "${system_ticket}" ]]; then
+    local new_bundleid_app
+    new_bundleid_app="$(defaults read "${installed_app_plist}" \
+                                      "${APP_BUNDLEID_KEY}" || true)"
+    note "new_bundleid_app = ${new_bundleid_app}"
+
+    local keychain_reauthorize_dir="\
+${update_dmg_mount_point}/${KEYCHAIN_REAUTHORIZE_DIR}"
+    local keychain_reauthorize_path="\
+${keychain_reauthorize_dir}/${new_bundleid_app}"
+    note "keychain_reauthorize_path = ${keychain_reauthorize_path}"
+
+    if [[ -x "${keychain_reauthorize_path}" ]]; then
+      local framework_dir="${new_versioned_dir}/${FRAMEWORK_DIR}"
+      local framework_code_path="${framework_dir}/${FRAMEWORK_NAME}"
+      note "framework_code_path = ${framework_code_path}"
+
+      if [[ -f "${framework_code_path}" ]]; then
+        note "reauthorizing Keychain"
+        "${keychain_reauthorize_path}" "${framework_code_path}"
+      fi
+    fi
+  else
+    note "system ticket, not reauthorizing Keychain"
+  fi
+
   # Great success!
   note "done!"
 
   trap - EXIT
 
   return 0
 }
 
 # Check "less than" instead of "not equal to" in case Keystone ever changes to
 # pass more arguments.
 if [[ ${#} -lt 1 ]]; then
   usage
   exit 2
 fi
 
 main "${@}"
 exit ${?}