1 files changed, 43 insertions, 0 deletions

diff --git a/pkgs/os-specific/darwin/signing-utils/utils.sh b/pkgs/os-specific/darwin/signing-utils/utils.sh
new file mode 100644
index 00000000000..6d23a461fc9
--- /dev/null
+++ b/pkgs/os-specific/darwin/signing-utils/utils.sh
@@ -0,0 +1,43 @@
+# Work around for some odd behaviour where we can't codesign a file
+# in-place if it has been called before. This happens for example if
+# you try to fix-up a binary using strip/install_name_tool, after it
+# had been used previous.  The solution is to copy the binary (with
+# the corrupted signature from strip/install_name_tool) to some
+# location, sign it there and move it back into place.
+#
+# This does not appear to happen with the codesign tool that ships
+# with recent macOS BigSur installs on M1 arm64 machines.  However it
+# had also been happening with the tools that shipped with the DTKs.
+sign() {
+    local tmpdir
+    tmpdir=$(mktemp -d)
+
+    # $1 is the file
+
+    cp "$1" "$tmpdir"
+    CODESIGN_ALLOCATE=@codesignAllocate@ \
+        @sigtool@/bin/codesign -f -s - "$tmpdir/$(basename "$1")"
+    mv "$tmpdir/$(basename "$1")" "$1"
+    rmdir "$tmpdir"
+}
+
+checkRequiresSignature() {
+    local file=$1
+    local rc=0
+
+    @sigtool@/bin/sigtool --file "$file" check-requires-signature || rc=$?
+
+    if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
+        return "$rc"
+    fi
+
+    echo "Unexpected exit status from sigtool: $rc"
+    exit 1
+}
+
+signIfRequired() {
+    local file=$1
+    if checkRequiresSignature "$file"; then
+        sign "$file"
+    fi
+}