From: Akihiko Odaki Date: Thu, 25 Feb 2021 00:06:14 +0000 (+0900) Subject: hvf: Sign the code after installation X-Git-Tag: v6.0.0-rc0~67^2~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=237377ac72b38f030058948f2d744c230b62be40;p=thirdparty%2Fqemu.git hvf: Sign the code after installation Before this change, the code signed during the build was installed directly. However, the signature gets invalidated because meson modifies the code to fix dynamic library install names during the install process. It also prevents meson to strip the code because the pre-signed file is not marked as an executable (although it is somehow able to perform the modification described above). With this change, the unsigned code will be installed and modified by meson first, and a script signs it later. Signed-off-by: Akihiko Odaki Message-Id: <20210225000614.46919-1-akihiko.odaki@gmail.com> Signed-off-by: Paolo Bonzini --- diff --git a/meson.build b/meson.build index 05a67c20d93..c79cb20993b 100644 --- a/meson.build +++ b/meson.build @@ -2224,7 +2224,7 @@ foreach target : target_dirs endif emulator = executable(exe_name, exe['sources'], - install: not exe_sign, + install: true, c_args: c_args, dependencies: arch_deps + deps + exe['dependencies'], objects: lib.extract_all_objects(recursive: true), @@ -2235,8 +2235,6 @@ foreach target : target_dirs if exe_sign emulators += {exe['name'] : custom_target(exe['name'], - install: true, - install_dir: get_option('bindir'), depends: emulator, output: exe['name'], command: [ @@ -2246,6 +2244,11 @@ foreach target : target_dirs meson.current_source_dir() / 'accel/hvf/entitlements.plist' ]) } + + meson.add_install_script('scripts/entitlement.sh', '--install', + get_option('bindir') / exe_name, + get_option('bindir') / exe['name'], + meson.current_source_dir() / 'accel/hvf/entitlements.plist') else emulators += {exe['name']: emulator} endif diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh index c540fa6435f..f7aaaf27662 100755 
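Review bot: The new `meson.add_install_script('scripts/entitlement.sh', '--install', ...)` call in the third meson.build hunk has no comment explaining why signing moved to install time. The build-time `custom_target` just above it still signs a copy, so a reader sees two signing paths with no stated reason. I would add above the call: `# Sign at install time: meson rewrites dylib install names during install, which invalidates a build-time signature.` It is also worth noting there that the script renames `bindir / exe_name` to `bindir / exe['name']`, so no unsigned binary is meant to remain installed. The enclosing `foreach target : target_dirs` block starts and ends outside this hunk.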
--- a/scripts/entitlement.sh +++ b/scripts/entitlement.sh @@ -2,12 +2,24 @@ # # Helper script for the build process to apply entitlements +in_place=: +if [ "$1" = --install ]; then + shift + in_place=false +fi + SRC="$1" DST="$2" ENTITLEMENT="$3" -trap 'rm "$DST.tmp"' exit -cp -af "$SRC" "$DST.tmp" -codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp" -mv "$DST.tmp" "$DST" +if $in_place; then + trap 'rm "$DST.tmp"' exit + cp -af "$SRC" "$DST.tmp" + SRC="$DST.tmp" +else + cd "$MESON_INSTALL_DESTDIR_PREFIX" +fi + +codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC" +mv -f "$SRC" "$DST" trap '' exit
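Review bot: The `--install` branch runs `cd "$MESON_INSTALL_DESTDIR_PREFIX"` without checking that the variable is set or that the `cd` succeeded. The `codesign` and `mv -f` that follow then act on relative paths, typically with install-time privileges. The shebang is outside this hunk, so I cannot tell whether errexit is on. If it is not, or the script is run by hand outside meson, a failed `cd` or `codesign` still reaches `mv -f`, which can put an unsigned file at `$DST` or act in the wrong directory. I would write `cd "${MESON_INSTALL_DESTDIR_PREFIX:?}" || exit 1` and make the `codesign` line fail the script explicitly before the rename. As a style point, `in_place` is true in the mode that copies to `$DST.tmp` and false in the mode that signs the installed file where it sits; a name such as `copy_first` would match what the branch does.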