hvf: Sign the code after installation

Before this change, the code signed during the build was installed
directly.

However, the signature gets invalidated because meson modifies the code
to fix dynamic library install names during the install process.

It also prevents meson to strip the code because the pre-signed file is
not marked as an executable (although it is somehow able to perform the
modification described above).

With this change, the unsigned code will be installed and modified by
meson first, and a script signs it later.

Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
Message-Id: <20210225000614.46919-1-akihiko.odaki@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/meson.build b/meson.build
index 05a67c20d937378c1daed73905fab59015851650..c79cb20993b0798d39154a3ee274abc5579011a1 100644 (file)
--- a/meson.build
+++ b/meson.build
@@ -2224,7 +2224,7 @@ foreach target : target_dirs
     endif
 
     emulator = executable(exe_name, exe['sources'],
-               install: not exe_sign,
+               install: true,
                c_args: c_args,
                dependencies: arch_deps + deps + exe['dependencies'],
                objects: lib.extract_all_objects(recursive: true),
@@ -2235,8 +2235,6 @@ foreach target : target_dirs
 
     if exe_sign
       emulators += {exe['name'] : custom_target(exe['name'],
-                   install: true,
-                   install_dir: get_option('bindir'),
                    depends: emulator,
                    output: exe['name'],
                    command: [
@@ -2246,6 +2244,11 @@ foreach target : target_dirs
                      meson.current_source_dir() / 'accel/hvf/entitlements.plist'
                    ])
       }
+
+      meson.add_install_script('scripts/entitlement.sh', '--install',
+                               get_option('bindir') / exe_name,
+                               get_option('bindir') / exe['name'],
+                               meson.current_source_dir() / 'accel/hvf/entitlements.plist')
     else
       emulators += {exe['name']: emulator}
     endif

diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh
index c540fa6435fb6a151e7d2400b28d27bd8f08571b..f7aaaf27662ef2fe345303a28964cec457e2a06f 100755 (executable)
--- a/scripts/entitlement.sh
+++ b/scripts/entitlement.sh
@@ -2,12 +2,24 @@
 #
 # Helper script for the build process to apply entitlements
 
+in_place=:
+if [ "$1" = --install ]; then
+  shift
+  in_place=false
+fi
+
 SRC="$1"
 DST="$2"
 ENTITLEMENT="$3"
 
-trap 'rm "$DST.tmp"' exit
-cp -af "$SRC" "$DST.tmp"
-codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
-mv "$DST.tmp" "$DST"
+if $in_place; then
+  trap 'rm "$DST.tmp"' exit
+  cp -af "$SRC" "$DST.tmp"
+  SRC="$DST.tmp"
+else
+  cd "$MESON_INSTALL_DESTDIR_PREFIX"
+fi
+
+codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC"
+mv -f "$SRC" "$DST"
 trap '' exit