diff options
-rw-r--r-- | contrib/pkginstaller/Makefile | 1 | ||||
-rw-r--r-- | contrib/pkginstaller/hvf.entitlements | 8 | ||||
-rwxr-xr-x | contrib/pkginstaller/package.sh | 34 |
3 files changed, 40 insertions, 3 deletions
diff --git a/contrib/pkginstaller/Makefile b/contrib/pkginstaller/Makefile index 19c9b51aa..984365ccb 100644 --- a/contrib/pkginstaller/Makefile +++ b/contrib/pkginstaller/Makefile @@ -32,6 +32,7 @@ packagedir: package_root Distribution welcome.html echo -n $(PODMAN_VERSION) > $(PACKAGE_DIR)/VERSION echo -n $(ARCH) > $(PACKAGE_DIR)/ARCH cp ../../LICENSE $(PACKAGE_DIR)/Resources/LICENSE.txt + cp hvf.entitlements $(PACKAGE_DIR)/ package_root: get_gvproxy get_qemu mkdir -p $(PACKAGE_ROOT)/podman/bin $(PACKAGE_ROOT)/podman/qemu diff --git a/contrib/pkginstaller/hvf.entitlements b/contrib/pkginstaller/hvf.entitlements new file mode 100644 index 000000000..154f3308e --- /dev/null +++ b/contrib/pkginstaller/hvf.entitlements @@ -0,0 +1,8 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>com.apple.security.hypervisor</key> + <true/> +</dict> +</plist> diff --git a/contrib/pkginstaller/package.sh b/contrib/pkginstaller/package.sh index b7b33954d..ca8d54f7f 100755 --- a/contrib/pkginstaller/package.sh +++ b/contrib/pkginstaller/package.sh @@ -10,6 +10,10 @@ NO_CODESIGN=${NO_CODESIGN:-0} HELPER_BINARIES_DIR="/opt/podman/qemu/bin" binDir="${BASEDIR}/root/podman/bin" +qemuBinDir="${BASEDIR}/root/podman/qemu/bin" + +version=$(cat "${BASEDIR}/VERSION") +arch=$(cat "${BASEDIR}/ARCH") function build_podman() { pushd "$1" @@ -29,16 +33,40 @@ function sign() { if [ -f "${entitlements}" ]; then opts="--entitlements ${entitlements}" fi - codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --force --timestamp "${opts}" "$1" + codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force ${opts} "$1" } -version=$(cat "${BASEDIR}/VERSION") -arch=$(cat "${BASEDIR}/ARCH") +function signQemu() { + if [ "${NO_CODESIGN}" -eq "1" ]; then + return + fi + + local qemuArch="${arch}" + if [ "${qemuArch}" = amd64 ]; then + qemuArch=x86_64 + fi + + # sign the files inside /opt/podman/qemu/lib + libs=$(find "${BASEDIR}"/root/podman/qemu/lib -depth -name "*.dylib" -or -type f -perm +111) + echo "${libs}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true + + # sign the files inside /opt/podman/qemu/bin except qemu-system-* + bins=$(find "${BASEDIR}"/root/podman/qemu/bin -depth -type f -perm +111 ! -name "qemu-system-${qemuArch}") + echo "${bins}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true + + # sign the qemu-system-* binary + # need to remove any extended attributes, otherwise codesign complains: + # qemu-system-aarch64: resource fork, Finder information, or similar detritus not allowed + xattr -cr "${qemuBinDir}/qemu-system-${qemuArch}" + codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force \ + --entitlements "${BASEDIR}/hvf.entitlements" "${qemuBinDir}/qemu-system-${qemuArch}" +} build_podman "../../../../" sign "${binDir}/podman" sign "${binDir}/gvproxy" sign "${binDir}/podman-mac-helper" +signQemu pkgbuild --identifier com.redhat.podman --version "${version}" \ --scripts "${BASEDIR}/scripts" \ |