|
From: | Paolo Bonzini |
Subject: | Re: [PATCH] hvf: Sign the code after installation |
Date: | Thu, 25 Feb 2021 14:48:42 +0100 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0 |
On 25/02/21 01:06, Akihiko Odaki wrote:
Before this change, the code signed during the build was installed directly. However, the signature gets invalidated because meson modifies the code to fix dynamic library install names during the install process. It also prevents meson to strip the code because the pre-signed file is not marked as an executable (although it is somehow able to perform the modification described above). With this change, the unsigned code will be installed and modified by meson first, and a script signs it later. Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Thanks very much! As mentioned in the other message, I would prefer to have a single script so here is what I came up with.
#!/bin/sh -e # # Helper script for the build process to apply entitlements copy=: if [ "$1" = --install ]; then shift copy=false cd "$MESON_INSTALL_DESTDIR_PREFIX" fi SRC="$1" DST="$2" ENTITLEMENT="$3" if $copy; then trap 'rm "$DST.tmp"' exit cp -af "$SRC" "$DST.tmp" SRC="$DST.tmp" fi codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC" mv -f "$SRC" "$DST" trap '' exitI'll include this in the next pull request, since I was able to test it with Cirrus CI.
Thanks, Paolo
[Prev in Thread] | Current Thread | [Next in Thread] |