hvf: Sign the code after installation

Before this change, the code signed during the build was installed directly. However, the signature gets invalidated because meson modifies the code to fix dynamic library install names during the install process. It also prevents meson to strip the code because the pre-signed file is not marked as an executable (although it is somehow able to perform the modification described above). With this change, the unsigned code will be installed and modified by meson first, and a script signs it later. Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com> Message-Id: <20210225000614.46919-1-akihiko.odaki@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
qemu · Feb 25, 2021 · 237377a · 237377a
1 parent 00d8ba9
commit 237377a
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 7 deletions.
diff --git a/meson.build b/meson.build
@@ -2224,7 +2224,7 @@ foreach target : target_dirs
     endif
 
     emulator = executable(exe_name, exe['sources'],
-               install: not exe_sign,
+               install: true,
                c_args: c_args,
                dependencies: arch_deps + deps + exe['dependencies'],
                objects: lib.extract_all_objects(recursive: true),
@@ -2235,8 +2235,6 @@ foreach target : target_dirs
 
     if exe_sign
       emulators += {exe['name'] : custom_target(exe['name'],
-                   install: true,
-                   install_dir: get_option('bindir'),
                    depends: emulator,
                    output: exe['name'],
                    command: [
@@ -2246,6 +2244,11 @@ foreach target : target_dirs
                      meson.current_source_dir() / 'accel/hvf/entitlements.plist'
                    ])
       }
+
+      meson.add_install_script('scripts/entitlement.sh', '--install',
+                               get_option('bindir') / exe_name,
+                               get_option('bindir') / exe['name'],
+                               meson.current_source_dir() / 'accel/hvf/entitlements.plist')
     else
       emulators += {exe['name']: emulator}
     endif

diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh
@@ -2,12 +2,24 @@
 #
 # Helper script for the build process to apply entitlements
 
+in_place=:
+if [ "$1" = --install ]; then
+  shift
+  in_place=false
+fi
+
 SRC="$1"
 DST="$2"
 ENTITLEMENT="$3"
 
-trap 'rm "$DST.tmp"' exit
-cp -af "$SRC" "$DST.tmp"
-codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
-mv "$DST.tmp" "$DST"
+if $in_place; then
+  trap 'rm "$DST.tmp"' exit
+  cp -af "$SRC" "$DST.tmp"
+  SRC="$DST.tmp"
+else
+  cd "$MESON_INSTALL_DESTDIR_PREFIX"
+fi
+
+codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC"
+mv -f "$SRC" "$DST"
 trap '' exit