Minimize patching of chrome/installer/mac/signing/signing.py

Fixes brave/brave-browser#4922
Fixes brave/brave-browser#5036

Rolls a couple of patches into a single function in script/signing_helper.py.
Use single import directive.
Generate Widevine signature file before signing framework part.

patches/chrome-installer-mac-signing-signing.py.patch

@@ -1,26 +1,24 @@
 diff --git a/chrome/installer/mac/signing/signing.py b/chrome/installer/mac/signing/signing.py
-index de69f7ba6cca5729ab83ff076211be36354d0f60..e20bec4a7ea610fb3e713404f480a299d75ea806 100644
+index de69f7ba6cca5729ab83ff076211be36354d0f60..63791734d49a77999e446f1083f137e910fbdd8b 100644
 --- a/chrome/installer/mac/signing/signing.py
 +++ b/chrome/installer/mac/signing/signing.py
-@@ -107,9 +107,17 @@ def get_parts(config):
-                 'app_mode_loader',
-                 options=full_hardened_runtime_options,
-                 verify_options=VerifyOptions.IGNORE_RESOURCES),
-+        'sparkle-framework':
-+            CodeSignedProduct(
-+                '{.framework_dir}/Frameworks/Sparkle.framework'
-+                .format(config),
-+                'org.sparkle-project.Sparkle',
-+                verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT),
-     }
+@@ -11,6 +11,7 @@ import os.path
 
-     dylibs = (
-+        'libchallenge_bypass_ristretto.dylib',
-+        'libadblock.dylib',
-         'libEGL.dylib',
-         'libGLESv2.dylib',
-         'libswiftshader_libEGL.dylib',
-@@ -168,7 +176,7 @@ def sign_part(paths, config, part):
+ from . import commands
+ from .model import CodeSignOptions, CodeSignedProduct, VerifyOptions
++from signing_helper import AddBravePartsForSigning, GenerateBraveWidevineSigFile
+
+ _PROVISIONPROFILE_EXT = '.provisionprofile'
+ _PROVISIONPROFILE_DEST = 'embedded.provisionprofile'
+@@ -124,6 +125,7 @@ def get_parts(config):
+             library_basename.replace('.dylib', ''),
+             verify_options=VerifyOptions.DEEP)
+
++    AddBravePartsForSigning(parts, config)
+     return parts
+
+
+@@ -168,7 +170,7 @@ def sign_part(paths, config, part):
          part: The |model.CodeSignedProduct| to sign. The product's |path| must
              be in |paths.work|.
      """
@@ -29,13 +27,11 @@ index de69f7ba6cca5729ab83ff076211be36354d0f60..e20bec4a7ea610fb3e713404f480a299
      if config.notary_user:
          # Assume if the config has notary authentication information that the
          # products will be notarized, which requires a secure timestamp.
-@@ -262,6 +270,9 @@ def sign_chrome(paths, config, sign_framework=False):
+@@ -260,6 +262,7 @@ def sign_chrome(paths, config, sign_framework=False):
+                 continue
+             sign_part(paths, config, part)
 
++        GenerateBraveWidevineSigFile(paths, config, parts['framework'])
          # Sign the framework bundle.
          sign_part(paths, config, parts['framework'])
-+        from signing_helper import GenerateWidevineSigFile
-+        GenerateWidevineSigFile(paths, config, parts['framework'])
-+        sign_part(paths, config, parts['framework'])
 
-     provisioning_profile_basename = config.provisioning_profile_basename
-     if provisioning_profile_basename:

script/signing_helper.py

@@ -9,6 +9,16 @@
 import subprocess
 import sys
 
+# Construct path to signing modules in chrome/installer/mac/signing
+signing_path = os.path.realpath(os.path.dirname(os.path.realpath(__file__)))
+signing_path = os.path.realpath(os.path.join(
+    signing_path, os.pardir, os.pardir, "chrome", "installer", "mac"))
+sys.path.append(signing_path)
+
+# Import the entire module to avoid circular dependencies in the functions
+import signing.model    # noqa: E402
+import signing.signing  # noqa: E402
+
 sign_widevine_cert = os.environ.get('SIGN_WIDEVINE_CERT')
 sign_widevine_key = os.environ.get('SIGN_WIDEVINE_KEY')
 sign_widevine_passwd = os.environ.get('SIGN_WIDEVINE_PASSPHRASE')
@@ -27,8 +37,15 @@ def run_command(args, **kwargs):
     subprocess.check_call(args, **kwargs)
 
 
-def GenerateWidevineSigFile(paths, config, part):
+def GenerateBraveWidevineSigFile(paths, config, part):
     if sign_widevine_key and sign_widevine_key and sign_widevine_passwd and file_exists(sig_generator_path):
+        # Framework needs to be signed before generating Widevine signature
+        # file. The calling script will re-sign it after Widevine signature
+        # file has been added (see signing.py from where this function is
+        # called).
+        from signing.signing import sign_part
+        sign_part(paths, config, part)
+        # Generate signature file
         chrome_framework_name = config.app_product + ' Framework'
         chrome_framework_version_path = os.path.join(paths.work, part.path, 'Versions', config.version)
         sig_source_file = os.path.join(chrome_framework_version_path, chrome_framework_name)
@@ -43,3 +60,26 @@ def GenerateWidevineSigFile(paths, config, part):
 
         run_command(command)
         assert file_exists(sig_target_file), 'No sig file'
+
+
+def AddBravePartsForSigning(parts, config):
+    from signing.model import CodeSignedProduct, VerifyOptions
+
+    # Add libs
+    brave_dylibs = (
+        'libchallenge_bypass_ristretto.dylib',
+        'libadblock.dylib',
+    )
+    for library in brave_dylibs:
+        library_basename = os.path.basename(library)
+        parts[library_basename] = CodeSignedProduct(
+            '{.framework_dir}/Libraries/{library}'.format(
+                config, library=library),
+            library_basename.replace('.dylib', ''),
+            verify_options=VerifyOptions.DEEP)
+
+    # Add Sparkle
+    parts['sparkle-framework'] = CodeSignedProduct(
+        '{.framework_dir}/Frameworks/Sparkle.framework'.format(config),
+        'org.sparkle-project.Sparkle',
+        verify_options=VerifyOptions.DEEP + VerifyOptions.NO_STRICT)