[PULL 01/29] hvf: Sign the code after installation
From: Paolo Bonzini
Subject: [PULL 01/29] hvf: Sign the code after installation
Date: Fri, 26 Feb 2021 09:04:58 +0100
From: Akihiko Odaki <akihiko.odaki@gmail.com>
Before this change, the code signed during the build was installed
directly.
However, the signature gets invalidated because meson modifies the code
to fix dynamic library install names during the install process.
It also prevents meson from stripping the code because the pre-signed file is
not marked as an executable (although it is somehow able to perform the
modification described above).
With this change, the unsigned code will be installed and modified by
meson first, and a script signs it later.
Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-Id: <20210225000614.46919-1-akihiko.odaki@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
meson.build | 9 ++++++---
scripts/entitlement.sh | 19 +++++++++++++++----
2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/meson.build b/meson.build
index 05a67c20d9..c79cb20993 100644
--- a/meson.build
+++ b/meson.build
@@ -2224,7 +2224,7 @@ foreach target : target_dirs
endif
emulator = executable(exe_name, exe['sources'],
- install: not exe_sign,
+ install: true,
c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true),
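Review bot: with `install: true` now unconditional, the exe_sign case places the unsigned exe_name in bindir and depends on the install script to sign and rename it, so a failed or interrupted script leaves an unsigned binary behind under the intermediate name. A short comment above `install: true` stating that the installed file is an unsigned intermediate when exe_sign is set would make that dependency visible, and it is worth deciding whether the script should remove the intermediate on failure.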
@@ -2235,8 +2235,6 @@ foreach target : target_dirs
if exe_sign
emulators += {exe['name'] : custom_target(exe['name'],
- install: true,
- install_dir: get_option('bindir'),
depends: emulator,
output: exe['name'],
command: [
@@ -2246,6 +2244,11 @@ foreach target : target_dirs
meson.current_source_dir() /
'accel/hvf/entitlements.plist'
])
}
+
+ meson.add_install_script('scripts/entitlement.sh', '--install',
+ get_option('bindir') / exe_name,
+ get_option('bindir') / exe['name'],
+ meson.current_source_dir() /
'accel/hvf/entitlements.plist')
else
emulators += {exe['name']: emulator}
endif
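Review bot: the `meson.current_source_dir() / 'accel/hvf/entitlements.plist'` expression in the new `add_install_script` call repeats the one passed to the custom_target command just above it; assigning it to a variable once would keep the build-time and install-time signing from drifting apart. The call also only works because install scripts run after the targets have been installed and stripped, which deserves a one-line comment here since the whole fix rests on that ordering.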
diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh
index c540fa6435..0f61d15376 100755
--- a/scripts/entitlement.sh
+++ b/scripts/entitlement.sh
@@ -2,12 +2,23 @@
#
# Helper script for the build process to apply entitlements
+copy=:
+if [ "$1" = --install ]; then
+ shift
+ copy=false
+ cd "$MESON_INSTALL_DESTDIR_PREFIX"
+fi
+
SRC="$1"
DST="$2"
ENTITLEMENT="$3"
-trap 'rm "$DST.tmp"' exit
-cp -af "$SRC" "$DST.tmp"
-codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
-mv "$DST.tmp" "$DST"
+if $copy; then
+ trap 'rm "$DST.tmp"' exit
+ cp -af "$SRC" "$DST.tmp"
+ SRC="$DST.tmp"
+fi
+
+codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC"
+mv -f "$SRC" "$DST"
trap '' exit
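Review bot: the `cd "$MESON_INSTALL_DESTDIR_PREFIX"` in the new `--install` branch is unchecked, so if the variable is empty or the directory is missing, the relative SRC and DST paths resolve against whatever the current directory happens to be. Suggest `cd "${MESON_INSTALL_DESTDIR_PREFIX:?}" || exit 1`. Similarly, `mv -f "$SRC" "$DST"` follows `codesign` unconditionally in the lines shown; the first line of the script is outside this hunk, so unless it enables errexit, a failed signature still gets renamed to the final name, and chaining the two with `&&` would rule that out.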
--
2.29.2