author | Akihiko Odaki <akihiko.odaki@gmail.com> | 2021-02-25 09:06:14 +0900 |
---|---|---|
committer | Paolo Bonzini <pbonzini@redhat.com> | 2021-02-25 13:57:34 +0100 |
commit | 237377ac72b38f030058948f2d744c230b62be40 (patch) | |
tree | d4a8a9d884dafd3fa77f95b2bf2c345b514801bb /scripts/entitlement.sh | |
parent | 00d8ba9e0d62ea1c7459c25aeabf9c8bb7659462 (diff) |
hvf: Sign the code after installation

Before this change, the code signed during the build was installed
directly.
However, the signature gets invalidated because meson modifies the code
to fix dynamic library install names during the install process.
It also prevents meson from stripping the code because the pre-signed file is
not marked as an executable (although it is somehow able to perform the
modification described above).
With this change, the unsigned code will be installed and modified by
meson first, and a script signs it later.

Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-Id: <20210225000614.46919-1-akihiko.odaki@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'scripts/entitlement.sh')
-rwxr-xr-x | scripts/entitlement.sh | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh index c540fa6435..f7aaaf2766 100755 --- a/scripts/entitlement.sh +++ b/scripts/entitlement.sh @@ -2,12 +2,24 @@ # # Helper script for the build process to apply entitlements +in_place=: +if [ "$1" = --install ]; then + shift + in_place=false +fi + SRC="$1" DST="$2" ENTITLEMENT="$3" -trap 'rm "$DST.tmp"' exit -cp -af "$SRC" "$DST.tmp" -codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp" -mv "$DST.tmp" "$DST" +if $in_place; then + trap 'rm "$DST.tmp"' exit + cp -af "$SRC" "$DST.tmp" + SRC="$DST.tmp" +else + cd "$MESON_INSTALL_DESTDIR_PREFIX" +fi + +codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC" +mv -f "$SRC" "$DST" trap '' exit |
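Review bot: The `cd "$MESON_INSTALL_DESTDIR_PREFIX"` in the new else branch is not checked in the visible lines, so if the variable is unset, empty, or points at a missing directory, the following `codesign ... "$SRC"` and `mv -f "$SRC" "$DST"` operate on relative paths in whatever directory the script was started from. Unless the shebang line (outside this hunk) already enables `-e`, suggest `cd "$MESON_INSTALL_DESTDIR_PREFIX" || exit 1`; expanding the variable as `"${MESON_INSTALL_DESTDIR_PREFIX:?}"` would additionally fail early on an unset or empty value, which `-e` alone may not catch because bash treats `cd ""` as a successful no-op. Two smaller points in the same hunk: the flag name reads inverted, since `in_place=:` selects the copy-to-`$DST.tmp` path while `--install` (`in_place=false`) is the mode that signs `$SRC` where it lies, so a different name or a one-line comment would help; and because `$ENTITLEMENT` is resolved after the `cd`, the header comment should say that callers must pass it as an absolute path in `--install` mode.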