pkginstaller: sign qemu-system-* binary for the pkg

add file hvf.entitlements which has the com.apple.security.hypervisor entitlement needed for qemu [NO NEW TESTS NEEDED] Signed-off-by: Anjan Nath <kaludios@gmail.com>
2025-09-10 02:02:22 +08:00 · 2022-07-28 18:49:39 +05:30
parent 47a814aa6d
commit c5029d2eea
3 changed files with 40 additions and 3 deletions
--- a/contrib/pkginstaller/Makefile
+++ b/contrib/pkginstaller/Makefile
@ -32,6 +32,7 @@ packagedir: package_root Distribution welcome.html
 	echo -n $(PODMAN_VERSION) > $(PACKAGE_DIR)/VERSION
 	echo -n $(ARCH) > $(PACKAGE_DIR)/ARCH
 	cp ../../LICENSE $(PACKAGE_DIR)/Resources/LICENSE.txt
+	cp hvf.entitlements $(PACKAGE_DIR)/

 package_root: get_gvproxy get_qemu
 	mkdir -p $(PACKAGE_ROOT)/podman/bin $(PACKAGE_ROOT)/podman/qemu
--- a/contrib/pkginstaller/hvf.entitlements
+++ b/contrib/pkginstaller/hvf.entitlements
@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.hypervisor</key>
+    <true/>
+</dict>
+</plist>
--- a/contrib/pkginstaller/package.sh
+++ b/contrib/pkginstaller/package.sh
@ -10,6 +10,10 @@ NO_CODESIGN=${NO_CODESIGN:-0}
 HELPER_BINARIES_DIR="/opt/podman/qemu/bin"

 binDir="${BASEDIR}/root/podman/bin"
+qemuBinDir="${BASEDIR}/root/podman/qemu/bin"
+
+version=$(cat "${BASEDIR}/VERSION")
+arch=$(cat "${BASEDIR}/ARCH")

 function build_podman() {
  pushd "$1"
@ -29,16 +33,40 @@ function sign() {
  if [ -f "${entitlements}" ]; then
      opts="--entitlements ${entitlements}"
  fi
-  codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --force --timestamp "${opts}" "$1"
+  codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force ${opts} "$1"
 }

-version=$(cat "${BASEDIR}/VERSION")
-arch=$(cat "${BASEDIR}/ARCH")
+function signQemu() {
+  if [ "${NO_CODESIGN}" -eq "1" ]; then
+    return
+  fi
+
+  local qemuArch="${arch}"
+  if [ "${qemuArch}" = amd64 ]; then
+      qemuArch=x86_64
+  fi
+
+  # sign the files inside /opt/podman/qemu/lib
+  libs=$(find "${BASEDIR}"/root/podman/qemu/lib -depth -name "*.dylib" -or -type f -perm +111)
+  echo "${libs}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true
+
+  # sign the files inside /opt/podman/qemu/bin except qemu-system-*
+  bins=$(find "${BASEDIR}"/root/podman/qemu/bin -depth -type f -perm +111 ! -name "qemu-system-${qemuArch}")
+  echo "${bins}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force  % || true
+
+  # sign the qemu-system-* binary
+  # need to remove any extended attributes, otherwise codesign complains:
+  # qemu-system-aarch64: resource fork, Finder information, or similar detritus not allowed
+  xattr -cr "${qemuBinDir}/qemu-system-${qemuArch}"
+  codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force \
+    --entitlements "${BASEDIR}/hvf.entitlements" "${qemuBinDir}/qemu-system-${qemuArch}"
+}

 build_podman "../../../../"
 sign "${binDir}/podman"
 sign "${binDir}/gvproxy"
 sign "${binDir}/podman-mac-helper"
+signQemu

 pkgbuild --identifier com.redhat.podman --version "${version}" \
  --scripts "${BASEDIR}/scripts" \