From 7eb1e3695dfae415700b46725e5fda51df05bc3c Mon Sep 17 00:00:00 2001 From: Andrew Childs Date: Mon, 15 Feb 2021 14:54:58 +0900 Subject: darwin.signingUtils: init Helper scripts for code signing on darwin. --- pkgs/os-specific/darwin/signing-utils/utils.sh | 43 ++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 pkgs/os-specific/darwin/signing-utils/utils.sh (limited to 'pkgs/os-specific/darwin/signing-utils/utils.sh') diff --git a/pkgs/os-specific/darwin/signing-utils/utils.sh b/pkgs/os-specific/darwin/signing-utils/utils.sh new file mode 100644 index 00000000000..6d23a461fc9 --- /dev/null +++ b/pkgs/os-specific/darwin/signing-utils/utils.sh @@ -0,0 +1,43 @@ +# Work around for some odd behaviour where we can't codesign a file +# in-place if it has been called before. This happens for example if +# you try to fix-up a binary using strip/install_name_tool, after it +# had been used previous. The solution is to copy the binary (with +# the corrupted signature from strip/install_name_tool) to some +# location, sign it there and move it back into place. +# +# This does not appear to happen with the codesign tool that ships +# with recent macOS BigSur installs on M1 arm64 machines. However it +# had also been happening with the tools that shipped with the DTKs. +sign() { + local tmpdir + tmpdir=$(mktemp -d) + + # $1 is the file + + cp "$1" "$tmpdir" + CODESIGN_ALLOCATE=@codesignAllocate@ \ + @sigtool@/bin/codesign -f -s - "$tmpdir/$(basename "$1")" + mv "$tmpdir/$(basename "$1")" "$1" + rmdir "$tmpdir" +} + +checkRequiresSignature() { + local file=$1 + local rc=0 + + @sigtool@/bin/sigtool --file "$file" check-requires-signature || rc=$? + + if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then + return "$rc" + fi + + echo "Unexpected exit status from sigtool: $rc" + exit 1 +} + +signIfRequired() { + local file=$1 + if checkRequiresSignature "$file"; then + sign "$file" + fi +} -- cgit 1.4.1