On Thu, Feb 25, 2021 at 22:48, Paolo Bonzini <pbonz...@redhat.com> wrote:
>
> On 25/02/21 01:06, Akihiko Odaki wrote:
> > Before this change, the code signed during the build was installed
> > directly.
> >
> > However, the signature gets invalidated because meson modifies the code
> > to fix dynamic library install names during the install process.
> >
> > It also prevents meson from stripping the code because the pre-signed file is
> > not marked as an executable (although it is somehow able to perform the
> > modification described above).
> >
> > With this change, the unsigned code will be installed and modified by
> > meson first, and a script signs it later.
> >
> > Signed-off-by: Akihiko Odaki <akihiko.od...@gmail.com>
>
> Thanks very much! As mentioned in the other message, I would prefer to
> have a single script, so here is what I came up with.
>
> #!/bin/sh -e
> #
> # Helper script for the build process to apply entitlements
>
> copy=:
> if [ "$1" = --install ]; then
>   shift
>   copy=false
>   cd "$MESON_INSTALL_DESTDIR_PREFIX"
> fi
>
> SRC="$1"
> DST="$2"
> ENTITLEMENT="$3"
>
> if $copy; then
>   trap 'rm "$DST.tmp"' exit
>   cp -af "$SRC" "$DST.tmp"
>   SRC="$DST.tmp"
> fi
>
> codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC"
> mv -f "$SRC" "$DST"
> trap '' exit
>
>
> I'll include this in the next pull request, since I was able to test it
> with Cirrus CI.
>
> Thanks,
>
> Paolo
>
I wonder what happens if codesign fails while modifying "$SRC" during installation. The half-modified binary is still at "$SRC" and its mtime is newer than the binary in the build directory, so meson, given --only-changed, may think it is "not changed" and leave it corrupted. "mv" should be performed earlier to avoid such a case. It is kind of theoretical and *very* unlikely to happen anyway, so it is fine for me to include it.

Everything else looks good to me and should solve the problem nicely.

Thanks,
Akihiko Odaki
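The failure mode raised above, as an added example that is neither part of this thread nor QEMU's own script: the binary is staged first (renamed in the install tree, copied from the build tree with --copy), the signer runs on the staged copy, and only a fully signed file is renamed to the destination. If the signer dies half-way, the staged file is removed and the unsigned install-tree copy has already been consumed, so a rerun of the install step has nothing stale to skip. The signer is taken from an assumed SIGN_TOOL variable (default codesign, called with the same arguments as in the script above); fake_codesign, the file contents and the scenario directories are constructed for this example so it runs off macOS.

```shell
#!/bin/sh
# Added example, not QEMU's scripts/entitlement.sh.  Stage, sign the staged
# file, then commit with a rename, so a signer that aborts mid-rewrite never
# leaves a modified file under a name meson compares mtimes against.
#
# Assumption: the signer is $SIGN_TOOL (default codesign) and accepts
#   $SIGN_TOOL --entitlements <plist> --force -s - <file>

# sign_into_place [--copy] SRC DST ENTITLEMENT
#   default: SRC is renamed to DST.tmp (install tree; SRC is consumed)
#   --copy:  SRC is copied to DST.tmp  (build tree; SRC stays intact)
# Only a fully signed file ever reaches DST; on failure DST.tmp is removed
# and the function returns 1.
sign_into_place() {
  stage=mv
  if [ "$1" = --copy ]; then
    stage=cp
    shift
  fi
  src=$1
  dst=$2
  ent=$3
  tmp="$dst.tmp"
  tool=${SIGN_TOOL:-codesign}

  if [ "$stage" = cp ]; then
    cp -af "$src" "$tmp" || return 1
  else
    mv -f "$src" "$tmp" || return 1
  fi
  if ! "$tool" --entitlements "$ent" --force -s - "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  mv -f "$tmp" "$dst"
}

# Constructed stand-in for codesign (a shell function, so no macOS needed).
# It takes the same argument list; the file is the last argument.
# FAKE_MODE=fail clobbers the file and exits 1, like a signer that died
# mid-rewrite; otherwise it appends a marker and succeeds.
fake_codesign() {
  for f; do :; done
  if [ "$FAKE_MODE" = fail ]; then
    printf 'half-written' > "$f"
    return 1
  fi
  printf 'signed\n' >> "$f"
}

# Install-tree scenario (rename staging) with a failing signer: the unsigned
# SRC must be consumed, DST.tmp removed and the previous DST left untouched,
# so a rerun of the install step cannot mistake a corrupted file for a
# freshly installed one.  Returns 0 when the tree is in that state.
demo_failed_sign() {
  dir=$(mktemp -d) || return 1
  printf 'unsigned\n' > "$dir/qemu-unsigned"
  printf 'old install\n' > "$dir/qemu"
  SIGN_TOOL=fake_codesign
  FAKE_MODE=fail
  if sign_into_place "$dir/qemu-unsigned" "$dir/qemu" "$dir/ent.plist"; then
    return 1            # the signer's failure must be reported
  fi
  [ ! -e "$dir/qemu-unsigned" ] || return 1
  [ ! -e "$dir/qemu.tmp" ] || return 1
  [ "$(cat "$dir/qemu")" = "old install" ] || return 1
  rm -rf "$dir"
}

# Build-tree scenario (--copy) with a working signer: SRC stays intact for
# later builds, no temporary file is left and DST holds the signed copy.
demo_signed_ok() {
  dir=$(mktemp -d) || return 1
  printf 'unsigned\n' > "$dir/qemu-unsigned"
  SIGN_TOOL=fake_codesign
  FAKE_MODE=ok
  sign_into_place --copy "$dir/qemu-unsigned" "$dir/qemu" "$dir/ent.plist" || return 1
  [ "$(cat "$dir/qemu-unsigned")" = unsigned ] || return 1
  [ ! -e "$dir/qemu.tmp" ] || return 1
  [ "$(tail -n 1 "$dir/qemu")" = signed ] || return 1
  rm -rf "$dir"
}

# Stand-alone run: both constructed scenarios must hold.
demo_failed_sign && demo_signed_ok && echo "staged signing behaved as expected"
```

The trade-off is deliberate: with rename staging, a failed signing run loses the unsigned copy in the install tree, which is exactly what forces meson to reinstall it instead of treating the newer-mtime file as unchanged; the build-tree case keeps the copy, since there the source must survive for the next build.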