darwin.signingUtils: init

Helper scripts for code signing on darwin.
Andrew Childs 2021-02-15 14:54:58 +09:00
parent bfd9a7784e
commit 7eb1e3695d
4 changed files with 93 additions and 0 deletions


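--- /dev/null
+++ b/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh
@@ -0,0 +1,20 @@
+fixupOutputHooks+=('signDarwinBinariesIn $prefix')
+# Uses signingUtils, see definition of autoSignDarwinBinariesHook in
+# darwin-packages.nix
+signDarwinBinariesIn() {
+local dir="$1"
+if [ ! -d "$dir" ]; then
+return 0
+fi
+if [ "${darwinDontCodeSign:-}" ]; then
+return 0
+fi
+while IFS= read -r -d $'\0' f; do
+signIfRequired "$f"
+done < <(find "$dir" -type f -print0)
+}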
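Review bot: The signing step is appended to `fixupOutputHooks` at the moment this hook file is sourced, so whether it runs before or after the strip hook depends purely on source order, and the comment in utils.sh in this same commit says strip/install_name_tool leave the signature corrupted; if stripping happens after `signDarwinBinariesIn`, the freshly added ad-hoc signature is invalidated again and nothing re-signs. I would verify the order on an aarch64-darwin build and record the requirement above the first line: `# Must run after every hook that rewrites Mach-O files (strip, install_name_tool): those invalidate the signature added here.` Separately, `find "$dir" -type f` hands every regular file in the output to `signIfRequired`, not only executables or Mach-O files, so the filtering rests entirely on sigtool's check; a one-line comment saying so would stop someone narrowing it to a `-perm` filter that misses non-executable dylibs.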


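--- /dev/null
+++ b/pkgs/os-specific/darwin/signing-utils/default.nix
@@ -0,0 +1,24 @@
+{ stdenvNoCC
+, sigtool
+, cctools
+}:
+let
+stdenv = stdenvNoCC;
+in
+stdenv.mkDerivation {
+name = "signing-utils";
+dontUnpack = true;
+dontConfigure = true;
+dontBuild = true;
+installPhase = ''
+substituteAll ${./utils.sh} $out
+'';
+# Substituted variables
+inherit sigtool;
+codesignAllocate = "${cctools}/bin/${cctools.targetPrefix}codesign_allocate";
+}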
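Review bot: `$out` here is a single file rather than a directory, which looks deliberate — `signingUtils` is listed under `deps` of the setup hook in darwin-packages.nix, and if I read stdenv's input handling right a plain-file input is sourced as a setup hook, which is how `signIfRequired` comes to be defined when auto-sign-hook.sh calls it — but nothing in this file says so. A comment above `installPhase` would spare the next reader the detour: `# $out is a single bash file on purpose: stdenv sources plain-file inputs as setup hooks, so listing signingUtils in a hook's deps brings sign/signIfRequired into the build shell.` As a matter of style, the `let stdenv = stdenvNoCC; in` alias adds nothing over calling `stdenvNoCC.mkDerivation` directly, and `pname`/`version` instead of `name` would match current nixpkgs convention.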


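--- /dev/null
+++ b/pkgs/os-specific/darwin/signing-utils/utils.sh
@@ -0,0 +1,43 @@
+# Work around for some odd behaviour where we can't codesign a file
+# in-place if it has been called before. This happens for example if
+# you try to fix-up a binary using strip/install_name_tool, after it
+# had been used previous. The solution is to copy the binary (with
+# the corrupted signature from strip/install_name_tool) to some
+# location, sign it there and move it back into place.
+#
+# This does not appear to happen with the codesign tool that ships
+# with recent macOS BigSur installs on M1 arm64 machines. However it
+# had also been happening with the tools that shipped with the DTKs.
+sign() {
+local tmpdir
+tmpdir=$(mktemp -d)
+# $1 is the file
+cp "$1" "$tmpdir"
+CODESIGN_ALLOCATE=@codesignAllocate@ \
+@sigtool@/bin/codesign -f -s - "$tmpdir/$(basename "$1")"
+mv "$tmpdir/$(basename "$1")" "$1"
+rmdir "$tmpdir"
+}
+checkRequiresSignature() {
+local file=$1
+local rc=0
+@sigtool@/bin/sigtool --file "$file" check-requires-signature || rc=$?
+if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
+return "$rc"
+fi
+echo "Unexpected exit status from sigtool: $rc"
+exit 1
+}
+signIfRequired() {
+local file=$1
+if checkRequiresSignature "$file"; then
+sign "$file"
+fi
+}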
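Review bot: `sign` force-replaces whatever signature a binary currently carries with an ad-hoc one (`-f -s -`), and nothing in the invocation preserves existing entitlements or an identity, so a prebuilt binary that arrived with a Developer ID signature or entitlements leaves the build with neither; that is presumably the intent for Nix-built output, but it should be stated, because an ad-hoc signature only satisfies the arm64 kernel's signed-code rule and attests nothing about origin. I would put that above `sign()`: `# Ad-hoc signing: satisfies the kernel's signed-code requirement but carries no identity; -f replaces any existing signature, and as far as this invocation goes its entitlements are not preserved.` Two smaller things: `mv` swaps the directory entry, so if `$1` is one of several hard links the other names keep the unsigned bytes (the `find -type f` caller never passes symlinks, but a direct caller of `sign` might), and `exit 1` in `checkRequiresSignature` terminates the sourcing build shell rather than returning to the caller — fine for a build hook, worth a one-line comment so the function is not reused interactively.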


@ -120,6 +120,12 @@ impure-cmds // appleSourcePackages // chooseLibs // {
'';
};
signingUtils = callPackage ../os-specific/darwin/signing-utils { };
autoSignDarwinBinariesHook = pkgs.makeSetupHook {
deps = [ self.signingUtils ];
} ../os-specific/darwin/signing-utils/auto-sign-hook.sh;
maloader = callPackage ../os-specific/darwin/maloader {
};
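Review bot: Neither new attribute says what it does to a consumer's output — `autoSignDarwinBinariesHook` appears to ad-hoc re-sign every Mach-O under `$prefix` during fixup through the script it wraps, and `signingUtils` is a plain file that, if I read stdenv correctly, gets sourced as a setup hook when it appears in `deps`, which is what makes `signIfRequired` available to the hook script. A short comment above `signingUtils` would carry that: `# Plain bash file, sourced into the build shell as a setup hook; provides sign/signIfRequired for autoSignDarwinBinariesHook.` The enclosing attribute set starts and ends outside the hunk.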