From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: Akihiko Odaki <akihiko.odaki@gmail.com>
Subject: [PULL 01/29] hvf: Sign the code after installation
Date: Fri, 26 Feb 2021 09:04:58 +0100 [thread overview]
Message-ID: <20210226080526.651705-2-pbonzini@redhat.com> (raw)
In-Reply-To: <20210226080526.651705-1-pbonzini@redhat.com>
From: Akihiko Odaki <akihiko.odaki@gmail.com>
Before this change, the code signed during the build was installed
directly.
However, the signature gets invalidated because meson modifies the code
to fix dynamic library install names during the install process.
It also prevents meson from stripping the code because the pre-signed file is
not marked as an executable (although it is somehow able to perform the
modification described above).
With this change, the unsigned code will be installed and modified by
meson first, and a script signs it later.
Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-Id: <20210225000614.46919-1-akihiko.odaki@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
meson.build | 9 ++++++---
scripts/entitlement.sh | 19 +++++++++++++++----
2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/meson.build b/meson.build
index 05a67c20d9..c79cb20993 100644
--- a/meson.build
+++ b/meson.build
@@ -2224,7 +2224,7 @@ foreach target : target_dirs
endif
emulator = executable(exe_name, exe['sources'],
- install: not exe_sign,
+ install: true,
c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true),
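Review bot: with `install: true` now unconditional, on hosts where `exe_sign` is set the unsigned emulator is installed into bindir under `exe_name` and only later renamed by the install script, so any failure between the file copy and that script leaves an unsigned, unentitled binary in the install prefix. Worth a one-line comment next to `install: true` explaining that the signing step happens in `meson.add_install_script`, so the next reader does not "fix" this back to `not exe_sign`.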
@@ -2235,8 +2235,6 @@ foreach target : target_dirs
if exe_sign
emulators += {exe['name'] : custom_target(exe['name'],
- install: true,
- install_dir: get_option('bindir'),
depends: emulator,
output: exe['name'],
command: [
@@ -2246,6 +2244,11 @@ foreach target : target_dirs
meson.current_source_dir() / 'accel/hvf/entitlements.plist'
])
}
+
+ meson.add_install_script('scripts/entitlement.sh', '--install',
+ get_option('bindir') / exe_name,
+ get_option('bindir') / exe['name'],
+ meson.current_source_dir() / 'accel/hvf/entitlements.plist')
else
emulators += {exe['name']: emulator}
endif
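Review bot: the three paths handed to `scripts/entitlement.sh --install` are built from `get_option('bindir')`, which is usually relative (`bin`) but may be configured as an absolute path; in that case the script's `cd "$MESON_INSTALL_DESTDIR_PREFIX"` has no effect on them and a `DESTDIR` staged install would sign and rename files outside the staging tree. Consider joining against the install-time prefix inside the script, or at least asserting that `bindir` is relative before registering the install script.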
diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh
index c540fa6435..0f61d15376 100755
--- a/scripts/entitlement.sh
+++ b/scripts/entitlement.sh
@@ -2,12 +2,23 @@
#
# Helper script for the build process to apply entitlements
+copy=:
+if [ "$1" = --install ]; then
+ shift
+ copy=false
+ cd "$MESON_INSTALL_DESTDIR_PREFIX"
+fi
+
SRC="$1"
DST="$2"
ENTITLEMENT="$3"
-trap 'rm "$DST.tmp"' exit
-cp -af "$SRC" "$DST.tmp"
-codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
-mv "$DST.tmp" "$DST"
+if $copy; then
+ trap 'rm "$DST.tmp"' exit
+ cp -af "$SRC" "$DST.tmp"
+ SRC="$DST.tmp"
+fi
+
+codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC"
+mv -f "$SRC" "$DST"
trap '' exit
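Review bot: in `--install` mode no `trap` is set, so if `codesign` fails the unsigned `$SRC` (the `*-unsigned` name in bindir) is left behind and the final `$DST` is never created; a `trap 'rm -f "$SRC"' exit` in that branch, mirroring the copy-mode cleanup, would avoid shipping an unsigned emulator from a half-finished install. The two modes also differ in that copy mode still removes the original `$SRC` only via `mv`, so documenting in the header comment that `--install` is destructive (renames in place) would help callers of this script.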
--
2.29.2