From 9a820b480a63f7453512622bc053264c6f1c34fb Mon Sep 17 00:00:00 2001 From: Anjan Nath Date: Wed, 8 Jun 2022 14:38:20 +0530 Subject: Add support for building macOS pkg installer it installs podman and supporting binaries along with qemu to have a functioning podman install using a pkg podman and podman-mac-helper is compiled from source gvproxy binary is downloaded from its github releases and qemu from github release of containers/podman-machine-qemu [NO NEW TESTS NEEDED] Signed-off-by: Anjan Nath --- contrib/pkginstaller/package.sh | 60 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100755 contrib/pkginstaller/package.sh (limited to 'contrib/pkginstaller/package.sh') diff --git a/contrib/pkginstaller/package.sh b/contrib/pkginstaller/package.sh new file mode 100755 index 000000000..b7b33954d --- /dev/null +++ b/contrib/pkginstaller/package.sh 
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+BASEDIR=$(dirname "$0")
+OUTPUT=$1
+CODESIGN_IDENTITY=${CODESIGN_IDENTITY:-mock}
+PRODUCTSIGN_IDENTITY=${PRODUCTSIGN_IDENTITY:-mock}
+NO_CODESIGN=${NO_CODESIGN:-0}
+HELPER_BINARIES_DIR="/opt/podman/qemu/bin"
+
+binDir="${BASEDIR}/root/podman/bin"
+
+function build_podman() {
+ pushd "$1"
+ make podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}"
+ make podman-mac-helper
+ cp bin/darwin/podman "contrib/pkginstaller/out/packaging/${binDir}/podman"
+ cp bin/darwin/podman-mac-helper "contrib/pkginstaller/out/packaging/${binDir}/podman-mac-helper"
+ popd
+}
+
+function sign() {
+ if [ "${NO_CODESIGN}" -eq "1" ]; then
+ return
+ fi
+ local opts=""
+ entitlements="${BASEDIR}/$(basename "$1").entitlements"
+ if [ -f "${entitlements}" ]; then
+ opts="--entitlements ${entitlements}"
+ fi
+ codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --force --timestamp "${opts}" "$1"
+}
+
+version=$(cat "${BASEDIR}/VERSION")
+arch=$(cat "${BASEDIR}/ARCH")
+
+build_podman "../../../../"
+sign "${binDir}/podman"
+sign "${binDir}/gvproxy"
+sign "${binDir}/podman-mac-helper"
+
+pkgbuild --identifier com.redhat.podman --version "${version}" \
+ --scripts "${BASEDIR}/scripts" \
+ --root "${BASEDIR}/root" \
+ --install-location /opt \
+ --component-plist "${BASEDIR}/component.plist" \
+ "${OUTPUT}/podman.pkg"
+
+productbuild --distribution "${BASEDIR}/Distribution" \
+ --resources "${BASEDIR}/Resources" \
+ --package-path "${OUTPUT}" \
+ "${OUTPUT}/podman-unsigned.pkg"
+rm "${OUTPUT}/podman.pkg"
+
+if [ ! "${NO_CODESIGN}" -eq "1" ]; then
+ productsign --timestamp --sign "${PRODUCTSIGN_IDENTITY}" "${OUTPUT}/podman-unsigned.pkg" "${OUTPUT}/podman-installer-macos-${arch}.pkg"
+else
+ mv "${OUTPUT}/podman-unsigned.pkg" "${OUTPUT}/podman-installer-macos-${arch}.pkg"
+fi
-- cgit v1.2.3-54-g00ecf
From 64db955e064af0651fe2e768c0bc934268aeb01a Mon Sep 17 00:00:00 2001
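Review bot: `sign "${binDir}/gvproxy"` puts the project's code-signing identity on a binary this script did not build, and nothing in the script checks what that file is first. The commit message says gvproxy is downloaded from its GitHub releases; the fetch step is outside this hunk, so a digest check may already exist there, but if it does not, the signature vouches for whatever the download returned. A pinned digest checked right before signing would close that gap, for example `echo "${GVPROXY_SHA256}  ${binDir}/gvproxy" | shasum -a 256 -c -`, where `GVPROXY_SHA256` is a placeholder for a value recorded next to the pinned release version.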
From: Anjan Nath Date: Thu, 28 Jul 2022 18:49:39 +0530 Subject: pkginstaller: sign qemu-system-* binary for the pkg add file hvf.entitlements which has the com.apple.security.hypervisor entitlement needed for qemu [NO NEW TESTS NEEDED] Signed-off-by: Anjan Nath --- contrib/pkginstaller/Makefile | 1 + contrib/pkginstaller/hvf.entitlements | 8 ++++++++ contrib/pkginstaller/package.sh | 34 +++++++++++++++++++++++++++++++--- 3 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 contrib/pkginstaller/hvf.entitlements (limited to 'contrib/pkginstaller/package.sh') diff --git a/contrib/pkginstaller/Makefile b/contrib/pkginstaller/Makefile index 19c9b51aa..984365ccb 100644 --- a/contrib/pkginstaller/Makefile +++ b/contrib/pkginstaller/Makefile @@ -32,6 +32,7 @@ packagedir: package_root Distribution welcome.html echo -n $(PODMAN_VERSION) > $(PACKAGE_DIR)/VERSION echo -n $(ARCH) > $(PACKAGE_DIR)/ARCH cp ../../LICENSE $(PACKAGE_DIR)/Resources/LICENSE.txt + cp hvf.entitlements $(PACKAGE_DIR)/ package_root: get_gvproxy get_qemu mkdir -p $(PACKAGE_ROOT)/podman/bin $(PACKAGE_ROOT)/podman/qemu diff --git a/contrib/pkginstaller/hvf.entitlements b/contrib/pkginstaller/hvf.entitlements new file mode 100644 index 000000000..154f3308e --- /dev/null +++ b/contrib/pkginstaller/hvf.entitlements @@ -0,0 +1,8 @@ + + + + + com.apple.security.hypervisor + + + diff --git a/contrib/pkginstaller/package.sh b/contrib/pkginstaller/package.sh index b7b33954d..ca8d54f7f 100755 --- a/contrib/pkginstaller/package.sh +++ b/contrib/pkginstaller/package.sh @@ -10,6 +10,10 @@ NO_CODESIGN=${NO_CODESIGN:-0} HELPER_BINARIES_DIR="/opt/podman/qemu/bin" binDir="${BASEDIR}/root/podman/bin" +qemuBinDir="${BASEDIR}/root/podman/qemu/bin" + +version=$(cat "${BASEDIR}/VERSION") +arch=$(cat "${BASEDIR}/ARCH") function build_podman() { pushd "$1" 
@@ -29,16 +33,40 @@ function sign() { if [ -f "${entitlements}" ]; then opts="--entitlements ${entitlements}" fi - codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --force --timestamp "${opts}" "$1" + codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force ${opts} "$1" } -version=$(cat "${BASEDIR}/VERSION") -arch=$(cat "${BASEDIR}/ARCH") +function signQemu() { + if [ "${NO_CODESIGN}" -eq "1" ]; then + return + fi + + local qemuArch="${arch}" + if [ "${qemuArch}" = amd64 ]; then + qemuArch=x86_64 + fi + + # sign the files inside /opt/podman/qemu/lib + libs=$(find "${BASEDIR}"/root/podman/qemu/lib -depth -name "*.dylib" -or -type f -perm +111) + echo "${libs}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true + + # sign the files inside /opt/podman/qemu/bin except qemu-system-* + bins=$(find "${BASEDIR}"/root/podman/qemu/bin -depth -type f -perm +111 ! -name "qemu-system-${qemuArch}") + echo "${bins}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true + + # sign the qemu-system-* binary + # need to remove any extended attributes, otherwise codesign complains: + # qemu-system-aarch64: resource fork, Finder information, or similar detritus not allowed + xattr -cr "${qemuBinDir}/qemu-system-${qemuArch}" + codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force \ + --entitlements "${BASEDIR}/hvf.entitlements" "${qemuBinDir}/qemu-system-${qemuArch}" +} build_podman "../../../../" sign "${binDir}/podman" sign "${binDir}/gvproxy" sign "${binDir}/podman-mac-helper" +signQemu pkgbuild --identifier com.redhat.podman --version "${version}" \ --scripts "${BASEDIR}/scripts" \ -- cgit v1.2.3-54-g00ecf From bf2a53a2e0271edb08ad07bb0d5805e8426f72ff Mon Sep 17 00:00:00 2001 
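Review bot: The two `xargs ... codesign ... || true` lines in `signQemu` discard every signing failure for the qemu libraries and helper binaries, so a file that codesign rejected is still packaged and the installer is product-signed around it. The script runs under `set -euxo pipefail`, and `|| true` switches that protection off for exactly the files that, per the first commit message, come from an external qemu release. Dropping `|| true` from both lines makes a failed signature stop the build; if some matches are expected to be unsignable, narrowing the `find` expression is safer than ignoring every error. `signQemu` is complete within this hunk, while `sign()` starts above it.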
From: Anjan Nath Date: Thu, 4 Aug 2022 12:18:31 +0530 Subject: pkginstaller: use correct GOARCH while building podman binaries we were not using the correct GOARCH to build the podman remote and podman-mac-helper binaries, this uses the ARCH value passed to the make invocation to set the GORACH [NO NEW TESTS NEEDED] Signed-off-by: Anjan Nath --- contrib/pkginstaller/README.md | 2 +- contrib/pkginstaller/package.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'contrib/pkginstaller/package.sh') diff --git a/contrib/pkginstaller/README.md b/contrib/pkginstaller/README.md index 1951d4eab..7aaf64808 100644 --- a/contrib/pkginstaller/README.md +++ b/contrib/pkginstaller/README.md @@ -11,7 +11,7 @@ $ make ARCH= CODESIGN_IDENTITY= PRODUCTSIGN_IDENTITY= N ``` The generated pkg will be written to `out/podman-macos-installer-*.pkg`. -Currently the pkg installs `podman`, `qemu`, `gvproxy` and `podman-mac-helper` to `/Applications/podman` +Currently the pkg installs `podman`, `qemu`, `gvproxy` and `podman-mac-helper` to `/opt/podman` The `qemu` build it uses is from [containers/podman-machine-qemu](https://github.com/containers/podman-machine-qemu) diff --git a/contrib/pkginstaller/package.sh b/contrib/pkginstaller/package.sh index ca8d54f7f..bb91fe01f 100755 --- a/contrib/pkginstaller/package.sh +++ b/contrib/pkginstaller/package.sh @@ -17,8 +17,8 @@ arch=$(cat "${BASEDIR}/ARCH") function build_podman() { pushd "$1" - make podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" - make podman-mac-helper + make GOARCH="${arch}" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" + make GOARCH="${arch}" podman-mac-helper cp bin/darwin/podman "contrib/pkginstaller/out/packaging/${binDir}/podman" cp bin/darwin/podman-mac-helper "contrib/pkginstaller/out/packaging/${binDir}/podman-mac-helper" popd -- cgit v1.2.3-54-g00ecf
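Review bot: `GOARCH="${arch}"` passes the packaging ARCH value straight to Go, but that value appears to use qemu-style names: `signQemu` maps only `amd64` to `x86_64` and its comment mentions `qemu-system-aarch64`, which suggests Apple-silicon builds run with `ARCH=aarch64`. Go has no `aarch64` GOARCH (the name is `arm64`), so both `make` calls would fail for that architecture. Translating first, with `local goArch="${arch}"` followed by `if [ "${goArch}" = aarch64 ]; then goArch=arm64; fi`, and passing `GOARCH="${goArch}"` to both calls keeps the two naming schemes apart. The closing brace of `build_podman` is outside the hunk.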