wrap the privileged helper executable identifier string in quotes

pztalon · copybara-github · commit e3b2ae832a00 · 2025-11-21T04:30:37.000-08:00
The browser's Info.plist contains the bundle id of the updater's privileged helper; in cases where the bundle id contains non-alphanumeric non-period characters (e.g. a hyphen) it must be enclosed by double quotes - otherwise the browser cannot launch the privileged helper. This adds the required quotes. See documentation here: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/RequirementLang/RequirementLang.html Change-Id: I429e15cae2659324496da5a62ea4154e89eb5506 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7168963 Reviewed-by: Mark Mentovai <mark@chromium.org> Commit-Queue: Joshua Pawlicki <waffles@chromium.org> Reviewed-by: Joshua Pawlicki <waffles@chromium.org> Cr-Commit-Position: refs/heads/main@{#1548372} NOKEYCHECK=True GitOrigin-RevId: accf9ff7d8a27c96102f2a69d09695d86d588b55
diff --git a/apple/tweak_info_plist.py b/apple/tweak_info_plist.py
@@ -189,6 +189,12 @@ def _RemoveBreakpadKeys(plist):
               'BreakpadSendAndExit', 'BreakpadSkipConfirm')
 
 
+def _IsValidBundleId(bundle_identifier):
+  # Based on apple developer documentation, see
+  # https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier
+  return re.match(r'^[0-9a-zA-Z-.]+$', bundle_identifier) is not None
+
+
 def _TagSuffixes():
   # Keep this list sorted in the order that tag suffix components are to
   # appear in a tag value. That is to say, it should be sorted per ASCII.
@@ -248,7 +254,7 @@ def _RemoveGTMKeys(plist):
 
 def _AddPrivilegedHelperId(plist, privileged_helper_id):
   plist['SMPrivilegedExecutables'] = {
-      privileged_helper_id: 'identifier ' + privileged_helper_id
+      privileged_helper_id: f'identifier "{privileged_helper_id}"'
   }
 
 
@@ -415,6 +421,9 @@ def Main(argv):
     if options.bundle_identifier is None:
       print('Use of Keystone requires the bundle id.', file=sys.stderr)
       return 1
+    if not _IsValidBundleId(options.bundle_identifier):
+      print(f'Invalid bundle id: {options.bundle_identifier}', file=sys.stderr)
+      return 1
     _AddKeystoneKeys(plist, options.bundle_identifier,
                      options.keystone_base_tag)
   else:
@@ -432,6 +441,10 @@ def Main(argv):
 
   # Add SMPrivilegedExecutables keys.
   if options.privileged_helper_id:
+    if not _IsValidBundleId(options.privileged_helper_id):
+      print(f'Invalid privileged helper id: {options.privileged_helper_id}',
+            file=sys.stderr)
+      return 1
     _AddPrivilegedHelperId(plist, options.privileged_helper_id)
   else:
     _RemovePrivilegedHelperId(plist)
