Diffstat (limited to 'contrib')
-rw-r--r--contrib/cirrus/CIModes.md10
-rwxr-xr-xcontrib/cirrus/setup_environment.sh4
-rw-r--r--contrib/pkginstaller/Makefile19
-rw-r--r--contrib/pkginstaller/README.md5
-rw-r--r--contrib/pkginstaller/hvf.entitlements8
-rwxr-xr-xcontrib/pkginstaller/package.sh42
6 files changed, 76 insertions, 12 deletions
diff --git a/contrib/cirrus/CIModes.md b/contrib/cirrus/CIModes.md
index c782ca64b..0b5a189a6 100644
--- a/contrib/cirrus/CIModes.md
+++ b/contrib/cirrus/CIModes.md
@@ -85,6 +85,16 @@ of this document, it's not possible to override the behavior of `$CIRRUS_PR`.
+ meta
+ success
+### Intended `[CI:COPR]` PR Tasks:
++ ext_svc_check
++ automation
++ *build*
++ validate
++ swagger
++ consistency
++ meta
++ success
+
### Intend `[CI:BUILD]` PR Tasks:
+ ext_svc_check
+ automation
diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh
index c3b7811bc..f84f78ee9 100755
--- a/contrib/cirrus/setup_environment.sh
+++ b/contrib/cirrus/setup_environment.sh
@@ -277,7 +277,7 @@ case "$TEST_FLAVOR" in
;& # continue with next item
compose)
make install.tools
- rpm -ivh $PACKAGE_DOWNLOAD_DIR/podman-docker*
+ dnf install -y $PACKAGE_DOWNLOAD_DIR/podman-docker*
;& # continue with next item
int) ;&
sys) ;&
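Review bot: The new `dnf install -y $PACKAGE_DOWNLOAD_DIR/podman-docker*` line leaves the directory variable unquoted. Unlike `rpm -ivh`, dnf also resolves missing dependencies from whichever repositories are enabled on the image, so the test environment can pick up packages that were not built from the change under test. Quote the variable, `dnf install -y "$PACKAGE_DOWNLOAD_DIR"/podman-docker*`, and if the dependency resolution is intended, record it with a comment such as `# dnf rather than rpm: dependencies are resolved from the enabled repos`. The same applies to the `podman-gvproxy*` line in the `machine)` branch of the next hunk; the enclosing `case "$TEST_FLAVOR"` starts and ends outside both hunks.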
@@ -307,7 +307,7 @@ case "$TEST_FLAVOR" in
install_test_configs
;;
machine)
- rpm -ivh $PACKAGE_DOWNLOAD_DIR/podman-gvproxy*
+ dnf install -y $PACKAGE_DOWNLOAD_DIR/podman-gvproxy*
remove_packaged_podman_files
make install.tools
make install PREFIX=/usr ETCDIR=/etc
diff --git a/contrib/pkginstaller/Makefile b/contrib/pkginstaller/Makefile
index 19c9b51aa..c84a08482 100644
--- a/contrib/pkginstaller/Makefile
+++ b/contrib/pkginstaller/Makefile
@@ -9,14 +9,15 @@ QEMU_RELEASE_URL ?= https://github.com/containers/podman-machine-qemu/releases/d
PACKAGE_DIR ?= out/packaging
TMP_DOWNLOAD ?= tmp-download
PACKAGE_ROOT ?= root
+PKG_NAME := podman-installer-macos-$(ARCH).pkg
default: pkginstaller
-get_gvproxy:
+$(TMP_DOWNLOAD)/gvproxy:
mkdir -p $(TMP_DOWNLOAD)
cd $(TMP_DOWNLOAD) && curl -sLo gvproxy $(GVPROXY_RELEASE_URL)
-get_qemu:
+$(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz:
mkdir -p $(TMP_DOWNLOAD)
cd $(TMP_DOWNLOAD) && curl -sLO $(QEMU_RELEASE_URL)
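Review bot: Now that `$(TMP_DOWNLOAD)/gvproxy` and the qemu tarball are file targets, whatever `curl -sLo` / `curl -sLO` writes is treated as up to date on later runs, and neither recipe passes `--fail` or checks a digest. An HTTP error body, or a truncated or substituted download, would therefore be cached and then signed and shipped by the packaging steps. Use `curl -sfLo gvproxy $(GVPROXY_RELEASE_URL)` (and `-sfLO` for qemu) and compare each file against a pinned SHA-256 before it is used, for example `echo "$(GVPROXY_SHA256)  gvproxy" | shasum -a 256 -c -`, where `GVPROXY_SHA256` is a new variable this Makefile would have to define. Adding `.DELETE_ON_ERROR:` would also stop a failed recipe from leaving a partial target behind.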
@@ -32,8 +33,9 @@ packagedir: package_root Distribution welcome.html
echo -n $(PODMAN_VERSION) > $(PACKAGE_DIR)/VERSION
echo -n $(ARCH) > $(PACKAGE_DIR)/ARCH
cp ../../LICENSE $(PACKAGE_DIR)/Resources/LICENSE.txt
+ cp hvf.entitlements $(PACKAGE_DIR)/
-package_root: get_gvproxy get_qemu
+package_root: clean-pkgroot $(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz $(TMP_DOWNLOAD)/gvproxy
mkdir -p $(PACKAGE_ROOT)/podman/bin $(PACKAGE_ROOT)/podman/qemu
tar -C $(PACKAGE_ROOT)/podman/qemu -xf $(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz
cp $(TMP_DOWNLOAD)/gvproxy $(PACKAGE_ROOT)/podman/bin/
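Review bot: Listing the phony `clean-pkgroot` as a prerequisite of `package_root` makes the build depend on prerequisite order. `clean-pkgroot` deletes `Distribution` and `welcome.html`, which `packagedir` lists as prerequisites next to `package_root`, so under `make -j` those files can be generated and then removed before `package.sh` runs. Doing the cleanup as the first recipe line instead, `rm -rf $(PACKAGE_ROOT)` ahead of the `mkdir -p`, keeps it ordered with the extraction and leaves files owned by other rules alone. The rules for `Distribution` and `welcome.html` are outside this hunk, so confirm how they are produced.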
@@ -45,6 +47,15 @@ package_root: get_gvproxy get_qemu
pkginstaller: packagedir
cd $(PACKAGE_DIR) && ./package.sh ..
-.PHONY: clean
+_notarize: pkginstaller
+ xcrun notarytool submit --apple-id $(NOTARIZE_USERNAME) --password $(NOTARIZE_PASSWORD) --team-id=$(NOTARIZE_TEAM) -f json --wait out/$(PKG_NAME)
+
+notarize: _notarize
+ xcrun stapler staple out/$(PKG_NAME)
+
+.PHONY: clean clean-pkgroot
clean:
rm -rf $(TMP_DOWNLOAD) $(PACKAGE_ROOT) $(PACKAGE_DIR) Distribution welcome.html
+
+clean-pkgroot:
+ rm -rf $(PACKAGE_ROOT) $(PACKAGE_DIR) Distribution welcome.html
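Review bot: The `_notarize` recipe puts `$(NOTARIZE_PASSWORD)` on the `xcrun notarytool` command line, where make echoes it into the build log and it stays visible in the process list while `--wait` blocks. notarytool can read credentials from a keychain profile created once with `xcrun notarytool store-credentials`, so the recipe could become `xcrun notarytool submit --keychain-profile "$(NOTARIZE_PROFILE)" -f json --wait out/$(PKG_NAME)`, with `NOTARIZE_PROFILE` as a new variable. Also add `notarize` and `_notarize` to `.PHONY`, since neither names a file.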
diff --git a/contrib/pkginstaller/README.md b/contrib/pkginstaller/README.md
index 37c59ce04..7aaf64808 100644
--- a/contrib/pkginstaller/README.md
+++ b/contrib/pkginstaller/README.md
@@ -5,10 +5,13 @@ $ make ARCH=<amd64 | aarch64> NO_CODESIGN=1 pkginstaller
# or to create signed pkg
$ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> pkginstaller
+
+# or to prepare a signed and notarized pkg for release
+$ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> NOTARIZE_USERNAME=<appleID> NOTARIZE_PASSWORD=<appleID-password> NOTARIZE_TEAM=<team-id> notarize
```
The generated pkg will be written to `out/podman-macos-installer-*.pkg`.
-Currently the pkg installs `podman`, `qemu`, `gvproxy` and `podman-mac-helper` to `/Applications/podman`
+Currently the pkg installs `podman`, `qemu`, `gvproxy` and `podman-mac-helper` to `/opt/podman`
The `qemu` build it uses is from [containers/podman-machine-qemu](https://github.com/containers/podman-machine-qemu)
diff --git a/contrib/pkginstaller/hvf.entitlements b/contrib/pkginstaller/hvf.entitlements
new file mode 100644
index 000000000..154f3308e
--- /dev/null
+++ b/contrib/pkginstaller/hvf.entitlements
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.hypervisor</key>
+ <true/>
+</dict>
+</plist>
diff --git a/contrib/pkginstaller/package.sh b/contrib/pkginstaller/package.sh
index b7b33954d..f6f7cef16 100755
--- a/contrib/pkginstaller/package.sh
+++ b/contrib/pkginstaller/package.sh
@@ -10,11 +10,19 @@ NO_CODESIGN=${NO_CODESIGN:-0}
HELPER_BINARIES_DIR="/opt/podman/qemu/bin"
binDir="${BASEDIR}/root/podman/bin"
+qemuBinDir="${BASEDIR}/root/podman/qemu/bin"
+
+version=$(cat "${BASEDIR}/VERSION")
+arch=$(cat "${BASEDIR}/ARCH")
function build_podman() {
pushd "$1"
- make podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}"
- make podman-mac-helper
+ local goArch="${arch}"
+ if [ "${goArch}" = aarch64 ]; then
+ goArch=arm64
+ fi
+ make GOARCH="${goArch}" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}"
+ make GOARCH="${goArch}" podman-mac-helper
cp bin/darwin/podman "contrib/pkginstaller/out/packaging/${binDir}/podman"
cp bin/darwin/podman-mac-helper "contrib/pkginstaller/out/packaging/${binDir}/podman-mac-helper"
popd
@@ -29,16 +37,40 @@ function sign() {
if [ -f "${entitlements}" ]; then
opts="--entitlements ${entitlements}"
fi
- codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --force --timestamp "${opts}" "$1"
+ codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force ${opts} "$1"
}
-version=$(cat "${BASEDIR}/VERSION")
-arch=$(cat "${BASEDIR}/ARCH")
+function signQemu() {
+ if [ "${NO_CODESIGN}" -eq "1" ]; then
+ return
+ fi
+
+ local qemuArch="${arch}"
+ if [ "${qemuArch}" = amd64 ]; then
+ qemuArch=x86_64
+ fi
+
+ # sign the files inside /opt/podman/qemu/lib
+ libs=$(find "${BASEDIR}"/root/podman/qemu/lib -depth -name "*.dylib" -or -type f -perm +111)
+ echo "${libs}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true
+
+ # sign the files inside /opt/podman/qemu/bin except qemu-system-*
+ bins=$(find "${BASEDIR}"/root/podman/qemu/bin -depth -type f -perm +111 ! -name "qemu-system-${qemuArch}")
+ echo "${bins}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true
+
+ # sign the qemu-system-* binary
+ # need to remove any extended attributes, otherwise codesign complains:
+ # qemu-system-aarch64: resource fork, Finder information, or similar detritus not allowed
+ xattr -cr "${qemuBinDir}/qemu-system-${qemuArch}"
+ codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force \
+ --entitlements "${BASEDIR}/hvf.entitlements" "${qemuBinDir}/qemu-system-${qemuArch}"
+}
build_podman "../../../../"
sign "${binDir}/podman"
sign "${binDir}/gvproxy"
sign "${binDir}/podman-mac-helper"
+signQemu
pkgbuild --identifier com.redhat.podman --version "${version}" \
--scripts "${BASEDIR}/scripts" \
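Review bot: Both `xargs ... codesign ... || true` lines in `signQemu` discard signing failures, so a library or helper binary that could not be signed is still packaged and the problem surfaces only at notarization, if at all. Replace `|| true` with `|| exit 1`, and if particular files are expected to be unsignable, exclude them in the `find` expression instead of ignoring every error. In `sign()`, the now-unquoted `${opts}` word-splits an entitlements path that contains spaces; building the options in a bash array and expanding it as `"${opts[@]}"` would avoid that.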