Do Keychain reauthorization at update time

chrome/browser/chrome_browser_main_mac.mm

Index: chrome/browser/chrome_browser_main_mac.mm
===================================================================
--- chrome/browser/chrome_browser_main_mac.mm	(revision 137420)
+++ chrome/browser/chrome_browser_main_mac.mm	(working copy)
@@ -28,6 +28,28 @@
 #include "ui/base/resource/resource_bundle.h"
 #include "ui/base/resource/resource_handle.h"
 
+namespace {
+
+// This preference is used to track whether the KeychainReauthorize operation
+// has occurred at launch. This operation only makes sense while the
+// application continues to be signed by the old certificate.
+NSString* const kKeychainReauthorizeAtLaunchPref =
+    @"KeychainReauthorizeInAppMay2012";
+const int kKeychainReauthorizeAtLaunchMaxTries = 2;
+
+// Some users rarely restart Chrome, so they might never get a chance to run
+// the at-launch KeychainReauthorize. To account for them, there's also an
+// at-update KeychainReauthorize option, which runs from .keystone_install for
+// users on a user Keystone ticket. This operation may make sense for a period
+// of time after the application switches to being signed by the new
+// certificate, as long as the at-update stub executable is still signed by
+// the old one.
+NSString* const kKeychainReauthorizeAtUpdatePref =
+    @"KeychainReauthorizeAtUpdateMay2012";
+const int kKeychainReauthorizeAtUpdateMaxTries = 3;
+
+}  // namespace
+
 void RecordBreakpadStatusUMA(MetricsService* metrics) {
   metrics->RecordBreakpadRegistration(IsCrashReporterEnabled());
   metrics->RecordBreakpadHasDebugger(base::debug::BeingDebugged());
@@ -55,6 +77,27 @@
 }
 
 void ChromeBrowserMainPartsMac::PreEarlyInitialization() {
+  if (parsed_command_line().HasSwitch(switches::kKeychainReauthorize)) {
+    if (base::mac::AmIBundled()) {
+      LOG(FATAL) << "Inappropriate process type for Keychain reauthorization";
+    }
+
+    // Do Keychain reauthorization at the time of update installation. This
+    // gets three chances to run. If the first or second try doesn't complete
+    // successfully (crashes or is interrupted for any reason), there will be
+    // another chance. Once this step completes successfully, it should never
+    // have to run again.
+    //
+    // This is kicked off by a special stub executable during an automatic
+    // update. See chrome/installer/mac/keychain_reauthorize_main.cc. This is
+    // done during update installation in additon to browser app launch to
+    // help reauthorize Keychain items for users who never restart Chrome.
+    chrome::browser::mac::KeychainReauthorizeIfNeeded(
+        kKeychainReauthorizeAtUpdatePref, kKeychainReauthorizeAtUpdateMaxTries);
+
+    exit(0);
+  }
+
   ChromeBrowserMainPartsPosix::PreEarlyInitialization();
 
   if (base::mac::WasLaunchedAsHiddenLoginItem()) {
@@ -137,16 +180,12 @@
   [[NSUserDefaults standardUserDefaults]
       setObject:@"NO" forKey:@"NSTreatUnknownArgumentsAsOpen"];
 
-  // Do Keychain reauthorization. This gets two chances to run. If the first
-  // try doesn't complete successfully (crashes or is interrupted for any
-  // reason), there will be a second chance. Once this step completes
-  // successfully, it should never have to run again.
-  NSString* const keychain_reauthorize_pref =
-      @"KeychainReauthorizeInAppMay2012";
-  const int kKeychainReauthorizeMaxTries = 2;
-
+  // Do Keychain reauthorization at browser app launch. This gets two chances
+  // to run. If the first try doesn't complete successfully (crashes or is
+  // interrupted for any reason), there will be a second chance. Once this
+  // step completes successfully, it should never have to run again.
   chrome::browser::mac::KeychainReauthorizeIfNeeded(
-      keychain_reauthorize_pref, kKeychainReauthorizeMaxTries);
+      kKeychainReauthorizeAtLaunchPref, kKeychainReauthorizeAtLaunchMaxTries);
 }
 
 void ChromeBrowserMainPartsMac::DidEndMainMessageLoop() {