Fully match the upstream codesign requirements

[bsclifton]

Description

In Chromium 98.0.4758.109, there was a commit which changed signature verification for PWAs
https://chromium.googlesource.com/chromium/src/+/e660f5610cf324520b9db9ce86259424df1f15fb

We got this passing with brave/brave-core#12418 - but part of codesign_requirements_basic is commented out: we are missing and certificate leaf[subject.OU] = KL8N8XSYF4 at the end

return 'and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */'

[diracdeltas]

do we know what security consequences there are to having this part commented out? that should affect the prioritization

[bridiver]

do we know what security consequences there are to having this part commented out? that should affect the prioritization

@diracdeltas @bsclifton this ticket is not correct. We are missing and certificate leaf[subject.OU] = KL8N8XSYF4 at the end.

[diracdeltas]

KL8N8XSYF4 is our macos code signing cert? not clear to me what signatures codesign_requirements_basic and codesign_requirements_outer_app apply to

[bridiver]

KL8N8XSYF4 is our macos code signing cert? not clear to me what signatures codesign_requirements_basic and codesign_requirements_outer_app apply to

Not our signing cert, our team id. codesign_requirements_basic apply to everything. codesign_requirements_outer_app is just in there because for some reason the .app signature drops the identify when we add codesign_requirements_basic. None of the others do.

[bsclifton]

Updated original post - thanks @bridiver

[diracdeltas]

any update here?