[PATCH] hvf: Sign the code after installation
From: Akihiko Odaki
Subject: [PATCH] hvf: Sign the code after installation
Date: Thu, 25 Feb 2021 09:06:14 +0900

Before this change, the code signed during the build was installed
directly.
However, the signature gets invalidated because meson modifies the code
to fix dynamic library install names during the install process.
It also prevents meson from stripping the code because the pre-signed file is
not marked as an executable (although it is somehow able to perform the
modification described above).
With this change, the unsigned code will be installed and modified by
meson first, and a script signs it later.
Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
---
meson.build | 11 +++++++----
scripts/{entitlement.sh => entitlement/build.sh} | 0
scripts/entitlement/install.sh | 11 +++++++++++
3 files changed, 18 insertions(+), 4 deletions(-)
rename scripts/{entitlement.sh => entitlement/build.sh} (100%)
create mode 100755 scripts/entitlement/install.sh
diff --git a/meson.build b/meson.build
index 05a67c20d93..76691023c2c 100644
--- a/meson.build
+++ b/meson.build
@@ -2224,7 +2224,7 @@ foreach target : target_dirs
endif
emulator = executable(exe_name, exe['sources'],
- install: not exe_sign,
+ install: true,
c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true),
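Review bot: Missing documentation at "install: true": in the exe_sign case the executable is now installed under exe_name and only reaches its final name and signature through the install script registered in the next hunk, but nothing at this line says so. A one-line comment here pointing at scripts/entitlement/install.sh would keep a later reader from treating the intermediate file in bindir as a finished install artifact.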
@@ -2235,17 +2235,20 @@ foreach target : target_dirs
if exe_sign
emulators += {exe['name'] : custom_target(exe['name'],
- install: true,
- install_dir: get_option('bindir'),
depends: emulator,
output: exe['name'],
command: [
- meson.current_source_dir() / 'scripts/entitlement.sh',
+ meson.current_source_dir() /
'scripts/entitlement/build.sh',
meson.current_build_dir() / exe_name,
meson.current_build_dir() / exe['name'],
meson.current_source_dir() /
'accel/hvf/entitlements.plist'
])
}
+
+ meson.add_install_script('scripts/entitlement/install.sh',
+ get_option('bindir') / exe_name,
+ get_option('bindir') / exe['name'],
+ meson.current_source_dir() /
'accel/hvf/entitlements.plist')
else
emulators += {exe['name']: emulator}
endif
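Review bot: The paths passed to meson.add_install_script (get_option('bindir') / exe_name and get_option('bindir') / exe['name']) are only correct because install.sh first changes directory to MESON_INSTALL_DESTDIR_PREFIX, so they silently assume bindir is relative to the prefix; state that assumption in a comment or check it. As a style point, the script is named by the bare relative string 'scripts/entitlement/install.sh' while build.sh and the plist in the same block are built with meson.current_source_dir() /; using one form for all three would read more consistently. The custom_target still produces a signed copy in the build directory that is no longer installed, and a comment saying what that copy is now kept for would help.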
diff --git a/scripts/entitlement.sh b/scripts/entitlement/build.sh
similarity index 100%
rename from scripts/entitlement.sh
rename to scripts/entitlement/build.sh
diff --git a/scripts/entitlement/install.sh b/scripts/entitlement/install.sh
new file mode 100755
index 00000000000..0c88d48110d
--- /dev/null
+++ b/scripts/entitlement/install.sh
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+#
+# Helper script for the install process to apply entitlements
+
+SRC="$1"
+DST="$2"
+ENTITLEMENT="$3"
+
+cd "$MESON_INSTALL_DESTDIR_PREFIX"
+mv -f "$SRC" "$DST"
+codesign --entitlements "$ENTITLEMENT" --force -s - "$DST"
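Review bot: In install.sh the rename (mv -f "$SRC" "$DST") runs before codesign, so if signing fails the unsigned binary is already sitting at "$DST" under its final name; the -e flag aborts the script but does not undo the move. Consider removing "$DST" when codesign fails so that a failed install does not leave an unsigned executable in bindir. Error handling also depends on -e being in the shebang line, which is lost if the script is ever run as "sh install.sh"; a "set -e" line in the body is more robust. Finally, cd "$MESON_INSTALL_DESTDIR_PREFIX" is not checked for an empty value, so the script should fail explicitly when the variable is unset rather than go on to mv and sign relative to whatever the current directory is.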
--
2.24.3 (Apple Git-128)