authorAkihiko Odaki <akihiko.odaki@gmail.com>2021-02-25 09:06:14 +0900
committerPaolo Bonzini <pbonzini@redhat.com>2021-02-25 13:57:34 +0100
commit237377ac72b38f030058948f2d744c230b62be40 (patch)
treed4a8a9d884dafd3fa77f95b2bf2c345b514801bb
parent00d8ba9e0d62ea1c7459c25aeabf9c8bb7659462 (diff)
hvf: Sign the code after installation
Before this change, the code signed during the build was installed directly. However, the signature gets invalidated because meson modifies the code to fix dynamic library install names during the install process. It also prevents meson from stripping the code because the pre-signed file is not marked as an executable (although it is somehow able to perform the modification described above). With this change, the unsigned code will be installed and modified by meson first, and a script signs it later. Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com> Message-Id: <20210225000614.46919-1-akihiko.odaki@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-rw-r--r--meson.build9
-rwxr-xr-xscripts/entitlement.sh20
2 files changed, 22 insertions, 7 deletions
diff --git a/meson.build b/meson.build
index 05a67c20d9..c79cb20993 100644
--- a/meson.build
+++ b/meson.build
@@ -2224,7 +2224,7 @@ foreach target : target_dirs
endif
emulator = executable(exe_name, exe['sources'],
- install: not exe_sign,
+ install: true,
c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true),
@@ -2235,8 +2235,6 @@ foreach target : target_dirs
if exe_sign
emulators += {exe['name'] : custom_target(exe['name'],
- install: true,
- install_dir: get_option('bindir'),
depends: emulator,
output: exe['name'],
command: [
@@ -2246,6 +2244,11 @@ foreach target : target_dirs
meson.current_source_dir() / 'accel/hvf/entitlements.plist'
])
}
+
+ meson.add_install_script('scripts/entitlement.sh', '--install',
+ get_option('bindir') / exe_name,
+ get_option('bindir') / exe['name'],
+ meson.current_source_dir() / 'accel/hvf/entitlements.plist')
else
emulators += {exe['name']: emulator}
endif
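Review bot: The new `meson.add_install_script(...)` call has no comment explaining why signing now happens at install time, or that its two binary paths are relative and only resolve because the script changes into `MESON_INSTALL_DESTDIR_PREFIX`. I would add above it `# Sign after install: meson rewrites dylib install names while installing, which invalidates a build-time signature.` and `# Paths are relative to MESON_INSTALL_DESTDIR_PREFIX; entitlement.sh --install cds there first.` If `bindir` is ever configured as an absolute path, these arguments would presumably no longer be resolved under the destdir prefix, which is worth confirming. The enclosing `foreach` starts and ends outside the hunk.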
diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh
index c540fa6435..f7aaaf2766 100755
--- a/scripts/entitlement.sh
+++ b/scripts/entitlement.sh
@@ -2,12 +2,24 @@
#
# Helper script for the build process to apply entitlements
+in_place=:
+if [ "$1" = --install ]; then
+ shift
+ in_place=false
+fi
+
SRC="$1"
DST="$2"
ENTITLEMENT="$3"
-trap 'rm "$DST.tmp"' exit
-cp -af "$SRC" "$DST.tmp"
-codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
-mv "$DST.tmp" "$DST"
+if $in_place; then
+ trap 'rm "$DST.tmp"' exit
+ cp -af "$SRC" "$DST.tmp"
+ SRC="$DST.tmp"
+else
+ cd "$MESON_INSTALL_DESTDIR_PREFIX"
+fi
+
+codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC"
+mv -f "$SRC" "$DST"
trap '' exit
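Review bot: In the `--install` branch, `cd "$MESON_INSTALL_DESTDIR_PREFIX"` is neither checked nor guarded against an unset or empty variable, so on failure the relative `$SRC` and `$DST` resolve against whatever directory the install step started in, and `codesign` and `mv -f` act there. The script's first line is outside the hunk, so errexit may already be enabled, but an empty argument to `cd` is not reliably rejected by every shell. I would write `cd "${MESON_INSTALL_DESTDIR_PREFIX:?}" || exit 1`. Likewise, a failed `codesign` should stop the script before `mv -f "$SRC" "$DST"` (for example `codesign ... || exit 1`), so that a binary without the entitlement never ends up under the final name. Install steps often run with elevated privileges, so failing closed here is the safer default.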