Diffstat (limited to 'contrib')
-rw-r--r-- | contrib/cirrus/CIModes.md | 10 | ||||
-rwxr-xr-x | contrib/cirrus/setup_environment.sh | 4 | ||||
-rw-r--r-- | contrib/pkginstaller/Makefile | 19 | ||||
-rw-r--r-- | contrib/pkginstaller/README.md | 5 | ||||
-rw-r--r-- | contrib/pkginstaller/hvf.entitlements | 8 | ||||
-rwxr-xr-x | contrib/pkginstaller/package.sh | 42 |
6 files changed, 76 insertions, 12 deletions
diff --git a/contrib/cirrus/CIModes.md b/contrib/cirrus/CIModes.md index c782ca64b..0b5a189a6 100644 --- a/contrib/cirrus/CIModes.md +++ b/contrib/cirrus/CIModes.md @@ -85,6 +85,16 @@ of this document, it's not possible to override the behavior of `$CIRRUS_PR`. + meta + success +### Intended `[CI:COPR]` PR Tasks: ++ ext_svc_check ++ automation ++ *build* ++ validate ++ swagger ++ consistency ++ meta ++ success + ### Intend `[CI:BUILD]` PR Tasks: + ext_svc_check + automation diff --git a/contrib/cirrus/setup_environment.sh b/contrib/cirrus/setup_environment.sh index c3b7811bc..f84f78ee9 100755 --- a/contrib/cirrus/setup_environment.sh +++ b/contrib/cirrus/setup_environment.sh @@ -277,7 +277,7 @@ case "$TEST_FLAVOR" in ;& # continue with next item compose) make install.tools - rpm -ivh $PACKAGE_DOWNLOAD_DIR/podman-docker* + dnf install -y $PACKAGE_DOWNLOAD_DIR/podman-docker* ;& # continue with next item int) ;& sys) ;& @@ -307,7 +307,7 @@ case "$TEST_FLAVOR" in install_test_configs ;; machine) - rpm -ivh $PACKAGE_DOWNLOAD_DIR/podman-gvproxy* + dnf install -y $PACKAGE_DOWNLOAD_DIR/podman-gvproxy* remove_packaged_podman_files make install.tools make install PREFIX=/usr ETCDIR=/etc diff --git a/contrib/pkginstaller/Makefile b/contrib/pkginstaller/Makefile index 19c9b51aa..c84a08482 100644 --- a/contrib/pkginstaller/Makefile +++ b/contrib/pkginstaller/Makefile @@ -9,14 +9,15 @@ QEMU_RELEASE_URL ?= https://github.com/containers/podman-machine-qemu/releases/d PACKAGE_DIR ?= out/packaging TMP_DOWNLOAD ?= tmp-download PACKAGE_ROOT ?= root +PKG_NAME := podman-installer-macos-$(ARCH).pkg default: pkginstaller -get_gvproxy: +$(TMP_DOWNLOAD)/gvproxy: mkdir -p $(TMP_DOWNLOAD) cd $(TMP_DOWNLOAD) && curl -sLo gvproxy $(GVPROXY_RELEASE_URL) -get_qemu: +$(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz: mkdir -p $(TMP_DOWNLOAD) cd $(TMP_DOWNLOAD) && curl -sLO $(QEMU_RELEASE_URL) 
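Review bot: In the `compose)` arm, `dnf install -y $PACKAGE_DOWNLOAD_DIR/podman-docker*` leaves the directory variable unquoted, and the `podman-gvproxy*` line in the `machine)` hunk has the same issue. Quote the directory while keeping the glob live, `dnf install -y "$PACKAGE_DOWNLOAD_DIR"/podman-docker*`, so a path containing whitespace is not split into several arguments. Unlike `rpm -ivh`, dnf also resolves missing dependencies from whatever repositories are enabled on the CI image, so it is worth confirming that only the freshly built RPMs end up under test. Both case arms continue outside the hunks.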
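Review bot: Now that `$(TMP_DOWNLOAD)/gvproxy` and the qemu tarball are real file targets, whatever curl leaves on disk is treated as up to date on every later run, and the unchanged recipes still use `curl -sLo` / `curl -sLO` without `-f`. An HTTP error body or a swapped release asset would therefore be cached, copied into the package root, and then signed and notarized. Use `curl -fsSLo gvproxy $(GVPROXY_RELEASE_URL)` (and `-fsSLO` for qemu) so a failed download fails the rule. Also check each artifact against a pinned digest before use, e.g. `echo "$(GVPROXY_SHA256)  gvproxy" | shasum -a 256 -c -`, where `GVPROXY_SHA256` is a placeholder variable this Makefile does not define. Adding `.DELETE_ON_ERROR:` would also remove a partially written target when a recipe fails.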
@@ -32,8 +33,9 @@ packagedir: package_root Distribution welcome.html echo -n $(PODMAN_VERSION) > $(PACKAGE_DIR)/VERSION echo -n $(ARCH) > $(PACKAGE_DIR)/ARCH cp ../../LICENSE $(PACKAGE_DIR)/Resources/LICENSE.txt + cp hvf.entitlements $(PACKAGE_DIR)/ -package_root: get_gvproxy get_qemu +package_root: clean-pkgroot $(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz $(TMP_DOWNLOAD)/gvproxy mkdir -p $(PACKAGE_ROOT)/podman/bin $(PACKAGE_ROOT)/podman/qemu tar -C $(PACKAGE_ROOT)/podman/qemu -xf $(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz cp $(TMP_DOWNLOAD)/gvproxy $(PACKAGE_ROOT)/podman/bin/ @@ -45,6 +47,15 @@ package_root: get_gvproxy get_qemu pkginstaller: packagedir cd $(PACKAGE_DIR) && ./package.sh .. -.PHONY: clean +_notarize: pkginstaller + xcrun notarytool submit --apple-id $(NOTARIZE_USERNAME) --password $(NOTARIZE_PASSWORD) --team-id=$(NOTARIZE_TEAM) -f json --wait out/$(PKG_NAME) + +notarize: _notarize + xcrun stapler staple out/$(PKG_NAME) + +.PHONY: clean clean-pkgroot clean: rm -rf $(TMP_DOWNLOAD) $(PACKAGE_ROOT) $(PACKAGE_DIR) Distribution welcome.html + +clean-pkgroot: + rm -rf $(PACKAGE_ROOT) $(PACKAGE_DIR) Distribution welcome.html diff --git a/contrib/pkginstaller/README.md b/contrib/pkginstaller/README.md index 37c59ce04..7aaf64808 100644 --- a/contrib/pkginstaller/README.md +++ b/contrib/pkginstaller/README.md 
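Review bot: Making the phony `clean-pkgroot` a prerequisite of `package_root` orders the cleanup only against `package_root`, yet `clean-pkgroot` also deletes `Distribution` and `welcome.html`, which are sibling prerequisites of `packagedir`. Under `make -j` those two files could be generated first and then removed before `packagedir` runs, assuming they are produced by rules outside this hunk. A narrower cleanup as the first recipe line of `package_root`, `rm -rf $(PACKAGE_ROOT) $(PACKAGE_DIR)`, keeps the fresh-root guarantee without touching files owned by other rules. The `package_root` recipe continues past the end of the hunk.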
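Review bot: The `_notarize` recipe expands `$(NOTARIZE_PASSWORD)` directly into the command line, so Make echoes the Apple ID password into the build log and it is visible in the process list for as long as `notarytool submit --wait` runs. notarytool can take credentials from a stored keychain profile instead: `@xcrun notarytool submit --keychain-profile "$(NOTARIZE_PROFILE)" -f json --wait out/$(PKG_NAME)`, where `NOTARIZE_PROFILE` is a placeholder variable this Makefile does not define yet. If the password form has to stay, prefix the line with `@` and quote the three `NOTARIZE_*` expansions. `_notarize` and `notarize` are not file targets and should be added to the `.PHONY` line alongside `clean clean-pkgroot`.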
@@ -5,10 +5,13 @@ $ make ARCH=<amd64 | aarch64> NO_CODESIGN=1 pkginstaller # or to create signed pkg $ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> pkginstaller + +# or to prepare a signed and notarized pkg for release +$ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> NOTARIZE_USERNAME=<appleID> NOTARIZE_PASSWORD=<appleID-password> NOTARIZE_TEAM=<team-id> notarize ``` The generated pkg will be written to `out/podman-macos-installer-*.pkg`. -Currently the pkg installs `podman`, `qemu`, `gvproxy` and `podman-mac-helper` to `/Applications/podman` +Currently the pkg installs `podman`, `qemu`, `gvproxy` and `podman-mac-helper` to `/opt/podman` The `qemu` build it uses is from [containers/podman-machine-qemu](https://github.com/containers/podman-machine-qemu) diff --git a/contrib/pkginstaller/hvf.entitlements b/contrib/pkginstaller/hvf.entitlements new file mode 100644 index 000000000..154f3308e --- /dev/null +++ b/contrib/pkginstaller/hvf.entitlements @@ -0,0 +1,8 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>com.apple.security.hypervisor</key> + <true/> +</dict> +</plist> diff --git a/contrib/pkginstaller/package.sh b/contrib/pkginstaller/package.sh index b7b33954d..f6f7cef16 100755 --- a/contrib/pkginstaller/package.sh +++ b/contrib/pkginstaller/package.sh 
@@ -10,11 +10,19 @@ NO_CODESIGN=${NO_CODESIGN:-0} HELPER_BINARIES_DIR="/opt/podman/qemu/bin" binDir="${BASEDIR}/root/podman/bin" +qemuBinDir="${BASEDIR}/root/podman/qemu/bin" + +version=$(cat "${BASEDIR}/VERSION") +arch=$(cat "${BASEDIR}/ARCH") function build_podman() { pushd "$1" - make podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" - make podman-mac-helper + local goArch="${arch}" + if [ "${goArch}" = aarch64 ]; then + goArch=arm64 + fi + make GOARCH="${goArch}" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" + make GOARCH="${goArch}" podman-mac-helper cp bin/darwin/podman "contrib/pkginstaller/out/packaging/${binDir}/podman" cp bin/darwin/podman-mac-helper "contrib/pkginstaller/out/packaging/${binDir}/podman-mac-helper" popd 
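Review bot: `arch` is read from the `ARCH` file and used without validation: `build_podman` maps only `aarch64`, and any other content, including an empty file, is passed straight through as `GOARCH`. The same value appears to select which qemu binary receives the hypervisor entitlement later in the script, so an unexpected value should stop the build right after the read: `case "${arch}" in amd64|aarch64) ;; *) echo "unsupported ARCH: ${arch}" >&2; exit 1 ;; esac`. The closing brace of `build_podman` lies outside the hunk.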
@@ -29,16 +37,40 @@ function sign() { if [ -f "${entitlements}" ]; then opts="--entitlements ${entitlements}" fi - codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --force --timestamp "${opts}" "$1" + codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force ${opts} "$1" } -version=$(cat "${BASEDIR}/VERSION") -arch=$(cat "${BASEDIR}/ARCH") +function signQemu() { + if [ "${NO_CODESIGN}" -eq "1" ]; then + return + fi + + local qemuArch="${arch}" + if [ "${qemuArch}" = amd64 ]; then + qemuArch=x86_64 + fi + + # sign the files inside /opt/podman/qemu/lib + libs=$(find "${BASEDIR}"/root/podman/qemu/lib -depth -name "*.dylib" -or -type f -perm +111) + echo "${libs}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true + + # sign the files inside /opt/podman/qemu/bin except qemu-system-* + bins=$(find "${BASEDIR}"/root/podman/qemu/bin -depth -type f -perm +111 ! -name "qemu-system-${qemuArch}") + echo "${bins}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true + + # sign the qemu-system-* binary + # need to remove any extended attributes, otherwise codesign complains: + # qemu-system-aarch64: resource fork, Finder information, or similar detritus not allowed + xattr -cr "${qemuBinDir}/qemu-system-${qemuArch}" + codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force \ + --entitlements "${BASEDIR}/hvf.entitlements" "${qemuBinDir}/qemu-system-${qemuArch}" +} build_podman "../../../../" sign "${binDir}/podman" sign "${binDir}/gvproxy" sign "${binDir}/podman-mac-helper" +signQemu pkgbuild --identifier com.redhat.podman --version "${version}" \ --scripts "${BASEDIR}/scripts" \ |
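Review bot: In `signQemu`, both `xargs … codesign … || true` pipelines discard signing failures, so a library or helper that could not be signed still goes into the package and the problem only surfaces at notarization or on the user's machine. The `echo "${libs}" | xargs -I %` form also mishandles paths containing whitespace or quotes. Letting find invoke codesign with `{} +` removes both problems, because find then exits non-zero when any invocation fails; the added parentheses are needed so `-exec` applies to both sides of the `-or`. If `|| true` is there because some matched files are not signable, narrowing the find expression is safer than ignoring every error. Separately, the now unquoted `${opts}` in `sign` will split an entitlements path that contains whitespace.

```shell
    # sign the files inside /opt/podman/qemu/lib
    find "${BASEDIR}"/root/podman/qemu/lib -depth \( -name "*.dylib" -or -type f -perm +111 \) \
        -exec codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force {} +

    # sign the files inside /opt/podman/qemu/bin except qemu-system-*
    find "${BASEDIR}"/root/podman/qemu/bin -depth -type f -perm +111 ! -name "qemu-system-${qemuArch}" \
        -exec codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force {} +

    # … unchanged: xattr -cr and entitlement signing of qemu-system-${qemuArch} …
```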