macos-installer: bundle krunkit

Extend Makefile and package.sh to download, sign and bundle krunkit and its dependencies into the package. Signed-off-by: Sergio Lopez <slp@redhat.com>
2025-10-17 11:14:40 +08:00 · 2024-06-24 12:42:59 +02:00
parent 673dde9ec5
commit 5815195528
3 changed files with 30 additions and 2 deletions
--- a/contrib/pkginstaller/Makefile
+++ b/contrib/pkginstaller/Makefile
@ -8,8 +8,10 @@ else
 endif
 GVPROXY_VERSION ?= 0.7.3
 VFKIT_VERSION ?= 0.5.1
+KRUNKIT_VERSION ?= 0.1.1
 GVPROXY_RELEASE_URL ?= https://github.com/containers/gvisor-tap-vsock/releases/download/v$(GVPROXY_VERSION)/gvproxy-darwin
 VFKIT_RELEASE_URL ?= https://github.com/crc-org/vfkit/releases/download/v$(VFKIT_VERSION)/vfkit-unsigned
+KRUNKIT_RELEASE_URL ?= https://github.com/containers/krunkit/releases/download/v$(KRUNKIT_VERSION)/krunkit-podman-unsigned-$(KRUNKIT_VERSION).tgz
 PACKAGE_DIR ?= out/packaging
 TMP_BIN ?= tmp-bin
 PACKAGE_ROOT ?= root
@ -28,6 +30,10 @@ $(TMP_BIN)/vfkit:
 	mkdir -p $(TMP_BIN)
 	cd $(TMP_BIN) && curl -sLo vfkit $(VFKIT_RELEASE_URL)

+$(TMP_BIN)/krunkit.tgz:
+	mkdir -p $(TMP_BIN)
+	cd $(TMP_BIN) && curl -sLo krunkit.tgz $(KRUNKIT_RELEASE_URL)
+
 packagedir: podman_version package_root Distribution welcome.html
 	mkdir -p $(PACKAGE_DIR)
 	cp -r Resources $(PACKAGE_DIR)/
@ -41,11 +47,13 @@ packagedir: podman_version package_root Distribution welcome.html
 	echo -n $(ARCH) > $(PACKAGE_DIR)/ARCH
 	cp ../../LICENSE $(PACKAGE_DIR)/Resources/LICENSE.txt
 	cp vfkit.entitlements $(PACKAGE_DIR)/
+	cp krunkit.entitlements $(PACKAGE_DIR)/

-package_root: clean-pkgroot $(TMP_BIN)/gvproxy $(TMP_BIN)/vfkit
+package_root: clean-pkgroot $(TMP_BIN)/gvproxy $(TMP_BIN)/vfkit $(TMP_BIN)/krunkit.tgz
 	mkdir -p $(PACKAGE_ROOT)/podman/bin
 	cp $(TMP_BIN)/gvproxy $(PACKAGE_ROOT)/podman/bin/
 	cp $(TMP_BIN)/vfkit $(PACKAGE_ROOT)/podman/bin/
+	tar xf $(TMP_BIN)/krunkit.tgz -C $(PACKAGE_ROOT)/podman
 	chmod a+x $(PACKAGE_ROOT)/podman/bin/*
 	# Leaving for future considerations
 	# mkdir $(PACKAGE_ROOT)/podman/config
--- a/contrib/pkginstaller/krunkit.entitlements
+++ b/contrib/pkginstaller/krunkit.entitlements
@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.hypervisor</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validationr</key>
+	<true/>
+</dict>
+</plist>
--- a/contrib/pkginstaller/package.sh
+++ b/contrib/pkginstaller/package.sh
@ -13,6 +13,7 @@ MACHINE_POLICY_JSON_DIR="/opt/podman/config"
 tmpBin="contrib/pkginstaller/tmp-bin"

 binDir="${BASEDIR}/root/podman/bin"
+libDir="${BASEDIR}/root/podman/lib"

 version=$(cat "${BASEDIR}/VERSION")
 arch=$(cat "${BASEDIR}/ARCH")
@ -65,7 +66,10 @@ function sign() {
  if [ -f "${entitlements}" ]; then
      opts="--entitlements ${entitlements}"
  fi
-  codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force ${opts} "$1"
+  if [ ! "${NO_CODESIGN}" -eq "1" ]; then
+      opts="$opts --options runtime"
+  fi
+  codesign --deep --sign "${CODESIGN_IDENTITY}" --timestamp --force ${opts} "$1"
 }

 goArch="${arch}"
@ -80,6 +84,12 @@ sign "${binDir}/gvproxy"
 sign "${binDir}/vfkit"
 sign "${binDir}/podman-mac-helper"

+sign "${binDir}/krunkit"
+sign "${libDir}/libkrun-efi.dylib"
+sign "${libDir}/libvirglrenderer.1.dylib"
+sign "${libDir}/libepoxy.0.dylib"
+sign "${libDir}/libMoltenVK.dylib"
+
 pkgbuild --identifier com.redhat.podman --version "${version}" \
  --scripts "${BASEDIR}/scripts" \
  --root "${BASEDIR}/root" \