summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--contrib/pkginstaller/Makefile1
-rw-r--r--contrib/pkginstaller/hvf.entitlements8
-rwxr-xr-xcontrib/pkginstaller/package.sh34
3 files changed, 40 insertions, 3 deletions
diff --git a/contrib/pkginstaller/Makefile b/contrib/pkginstaller/Makefile
index 19c9b51aa..984365ccb 100644
--- a/contrib/pkginstaller/Makefile
+++ b/contrib/pkginstaller/Makefile
@@ -32,6 +32,7 @@ packagedir: package_root Distribution welcome.html
echo -n $(PODMAN_VERSION) > $(PACKAGE_DIR)/VERSION
echo -n $(ARCH) > $(PACKAGE_DIR)/ARCH
cp ../../LICENSE $(PACKAGE_DIR)/Resources/LICENSE.txt
+ cp hvf.entitlements $(PACKAGE_DIR)/
package_root: get_gvproxy get_qemu
mkdir -p $(PACKAGE_ROOT)/podman/bin $(PACKAGE_ROOT)/podman/qemu
diff --git a/contrib/pkginstaller/hvf.entitlements b/contrib/pkginstaller/hvf.entitlements
new file mode 100644
index 000000000..154f3308e
--- /dev/null
+++ b/contrib/pkginstaller/hvf.entitlements
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.hypervisor</key>
+ <true/>
+</dict>
+</plist>
diff --git a/contrib/pkginstaller/package.sh b/contrib/pkginstaller/package.sh
index b7b33954d..ca8d54f7f 100755
--- a/contrib/pkginstaller/package.sh
+++ b/contrib/pkginstaller/package.sh
@@ -10,6 +10,10 @@ NO_CODESIGN=${NO_CODESIGN:-0}
HELPER_BINARIES_DIR="/opt/podman/qemu/bin"
binDir="${BASEDIR}/root/podman/bin"
+qemuBinDir="${BASEDIR}/root/podman/qemu/bin"
+
+version=$(cat "${BASEDIR}/VERSION")
+arch=$(cat "${BASEDIR}/ARCH")
function build_podman() {
pushd "$1"
@@ -29,16 +33,40 @@ function sign() {
if [ -f "${entitlements}" ]; then
opts="--entitlements ${entitlements}"
fi
- codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --force --timestamp "${opts}" "$1"
+ codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force ${opts} "$1"
}
-version=$(cat "${BASEDIR}/VERSION")
-arch=$(cat "${BASEDIR}/ARCH")
+function signQemu() {
+ if [ "${NO_CODESIGN}" -eq "1" ]; then
+ return
+ fi
+
+ local qemuArch="${arch}"
+ if [ "${qemuArch}" = amd64 ]; then
+ qemuArch=x86_64
+ fi
+
+ # sign the files inside /opt/podman/qemu/lib
+ libs=$(find "${BASEDIR}"/root/podman/qemu/lib -depth -name "*.dylib" -or -type f -perm +111)
+ echo "${libs}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true
+
+ # sign the files inside /opt/podman/qemu/bin except qemu-system-*
+ bins=$(find "${BASEDIR}"/root/podman/qemu/bin -depth -type f -perm +111 ! -name "qemu-system-${qemuArch}")
+ echo "${bins}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true
+
+ # sign the qemu-system-* binary
+ # need to remove any extended attributes, otherwise codesign complains:
+ # qemu-system-aarch64: resource fork, Finder information, or similar detritus not allowed
+ xattr -cr "${qemuBinDir}/qemu-system-${qemuArch}"
+ codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force \
+ --entitlements "${BASEDIR}/hvf.entitlements" "${qemuBinDir}/qemu-system-${qemuArch}"
+}
build_podman "../../../../"
sign "${binDir}/podman"
sign "${binDir}/gvproxy"
sign "${binDir}/podman-mac-helper"
+signQemu
pkgbuild --identifier com.redhat.podman --version "${version}" \
--scripts "${BASEDIR}/scripts" \