hvf: Sign the code after installation

Before this change, the code signed during the build was installed directly. However, the signature gets invalidated because meson modifies the code to fix dynamic library install names during the install process. It also prevents meson to strip the code because the pre-signed file is not marked as an executable (although it is somehow able to perform the modification described above). With this change, the unsigned code will be installed and modified by meson first, and a script signs it later. Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com> Message-Id: <20210225000614.46919-1-akihiko.odaki@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-02-25 09:06:14 +09:00 · 2021-02-25 09:06:14 +09:00 · 237377ac72
commit 237377ac72
parent 00d8ba9e0d
2 changed files with 22 additions and 7 deletions
--- a/meson.build
+++ b/meson.build
@ -2224,7 +2224,7 @@ foreach target : target_dirs
    endif

    emulator = executable(exe_name, exe['sources'],
-               install: not exe_sign,
+               install: true,
               c_args: c_args,
               dependencies: arch_deps + deps + exe['dependencies'],
               objects: lib.extract_all_objects(recursive: true),
@ -2235,8 +2235,6 @@ foreach target : target_dirs

    if exe_sign
      emulators += {exe['name'] : custom_target(exe['name'],
-                   install: true,
-                   install_dir: get_option('bindir'),
                   depends: emulator,
                   output: exe['name'],
                   command: [
@ -2246,6 +2244,11 @@ foreach target : target_dirs
                     meson.current_source_dir() / 'accel/hvf/entitlements.plist'
                   ])
      }
+
+      meson.add_install_script('scripts/entitlement.sh', '--install',
+                               get_option('bindir') / exe_name,
+                               get_option('bindir') / exe['name'],
+                               meson.current_source_dir() / 'accel/hvf/entitlements.plist')
    else
      emulators += {exe['name']: emulator}
    endif
--- a/scripts/entitlement.sh
+++ b/scripts/entitlement.sh
@ -2,12 +2,24 @@
 #
 # Helper script for the build process to apply entitlements

+in_place=:
+if [ "$1" = --install ]; then
+  shift
+  in_place=false
+fi
+
 SRC="$1"
 DST="$2"
 ENTITLEMENT="$3"

-trap 'rm "$DST.tmp"' exit
-cp -af "$SRC" "$DST.tmp"
-codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
-mv "$DST.tmp" "$DST"
+if $in_place; then
+  trap 'rm "$DST.tmp"' exit
+  cp -af "$SRC" "$DST.tmp"
+  SRC="$DST.tmp"
+else
+  cd "$MESON_INSTALL_DESTDIR_PREFIX"
+fi
+
+codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC"
+mv -f "$SRC" "$DST"
 trap '' exit