darwin.signingUtils: init

Helper scripts for code signing on darwin.

pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh

@@ -0,0 +1,20 @@
+fixupOutputHooks+=('signDarwinBinariesIn $prefix')
+
+# Uses signingUtils, see definition of autoSignDarwinBinariesHook in
+# darwin-packages.nix
+
+signDarwinBinariesIn() {
+  local dir="$1"
+
+  if [ ! -d "$dir" ]; then
+    return 0
+  fi
+
+  if [ "${darwinDontCodeSign:-}" ]; then
+    return 0
+  fi
+
+  while IFS= read -r -d $'\0' f; do
+    signIfRequired "$f"
+  done < <(find "$dir" -type f -print0)
+}

pkgs/os-specific/darwin/signing-utils/default.nix

@@ -0,0 +1,24 @@
+{ stdenvNoCC
+, sigtool
+, cctools
+}:
+
+let
+  stdenv = stdenvNoCC;
+in
+
+stdenv.mkDerivation {
+  name = "signing-utils";
+
+  dontUnpack = true;
+  dontConfigure = true;
+  dontBuild = true;
+
+  installPhase = ''
+    substituteAll ${./utils.sh} $out
+  '';
+
+  # Substituted variables
+  inherit sigtool;
+  codesignAllocate = "${cctools}/bin/${cctools.targetPrefix}codesign_allocate";
+}

pkgs/os-specific/darwin/signing-utils/utils.sh

@@ -0,0 +1,43 @@
+# Work around for some odd behaviour where we can't codesign a file
+# in-place if it has been called before. This happens for example if
+# you try to fix-up a binary using strip/install_name_tool, after it
+# had been used previous.  The solution is to copy the binary (with
+# the corrupted signature from strip/install_name_tool) to some
+# location, sign it there and move it back into place.
+#
+# This does not appear to happen with the codesign tool that ships
+# with recent macOS BigSur installs on M1 arm64 machines.  However it
+# had also been happening with the tools that shipped with the DTKs.
+sign() {
+    local tmpdir
+    tmpdir=$(mktemp -d)
+
+    # $1 is the file
+
+    cp "$1" "$tmpdir"
+    CODESIGN_ALLOCATE=@codesignAllocate@ \
+        @sigtool@/bin/codesign -f -s - "$tmpdir/$(basename "$1")"
+    mv "$tmpdir/$(basename "$1")" "$1"
+    rmdir "$tmpdir"
+}
+
+checkRequiresSignature() {
+    local file=$1
+    local rc=0
+
+    @sigtool@/bin/sigtool --file "$file" check-requires-signature || rc=$?
+
+    if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
+        return "$rc"
+    fi
+
+    echo "Unexpected exit status from sigtool: $rc"
+    exit 1
+}
+
+signIfRequired() {
+    local file=$1
+    if checkRequiresSignature "$file"; then
+        sign "$file"
+    fi
+}

pkgs/top-level/darwin-packages.nix

@@ -120,6 +120,12 @@ impure-cmds // appleSourcePackages // chooseLibs // {
     '';
   };
 
+  signingUtils = callPackage ../os-specific/darwin/signing-utils { };
+
+  autoSignDarwinBinariesHook = pkgs.makeSetupHook {
+    deps = [ self.signingUtils ];
+  } ../os-specific/darwin/signing-utils/auto-sign-hook.sh;
+
   maloader = callPackage ../os-specific/darwin/maloader {
   };