darwin.signingUtils: init

Helper scripts for code signing on darwin.

+93
+20
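--- a/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh
+++ b/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh
@@ -0,0 +1,20 @@
+fixupOutputHooks+=('signDarwinBinariesIn $prefix')
+
+# Uses signingUtils, see definition of autoSignDarwinBinariesHook in
+# darwin-packages.nix
+
+signDarwinBinariesIn() {
+  local dir="$1"
+
+  if [ ! -d "$dir" ]; then
+    return 0
+  fi
+
+  if [ "${darwinDontCodeSign:-}" ]; then
+    return 0
+  fi
+
+  while IFS= read -r -d $'\0' f; do
+    signIfRequired "$f"
+  done < <(find "$dir" -type f -print0)
+}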
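Review bot: `$prefix` is unquoted inside the hook string on the first line, so it is word-split when stdenv evals the hook; the other fixup hooks in stdenv quote it, and `fixupOutputHooks+=('signDarwinBinariesIn "$prefix"')` would match them. The file also never says what the hook actually does to a package's outputs, which matters because it rewrites files in place; a header such as `# Fixup hook: ad-hoc signs every regular file under each output that sigtool reports as requiring a signature. Opt out per package with darwinDontCodeSign=1.` would tell a packager what they are opting into. Note that `find -type f` skips symlinks, so a symlinked binary is only handled through its target, which is fine but worth a word in that comment.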
+24
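--- a/pkgs/os-specific/darwin/signing-utils/default.nix
+++ b/pkgs/os-specific/darwin/signing-utils/default.nix
@@ -0,0 +1,24 @@
+{ stdenvNoCC
+, sigtool
+, cctools
+}:
+
+let
+  stdenv = stdenvNoCC;
+in
+
+stdenv.mkDerivation {
+  name = "signing-utils";
+
+  dontUnpack = true;
+  dontConfigure = true;
+  dontBuild = true;
+
+  installPhase = ''
+    substituteAll ${./utils.sh} $out
+  '';
+
+  # Substituted variables
+  inherit sigtool;
+  codesignAllocate = "${cctools}/bin/${cctools.targetPrefix}codesign_allocate";
+}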
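Review bot: `installPhase` makes `$out` a single file rather than a directory, and nothing in the derivation says why; a reader will expect `$out/bin` or `$out/nix-support/setup-hook`. Presumably the script is picked up because stdenv sources a dependency that is a plain file, and a comment above `installPhase` such as `# $out is one bash fragment with the tool paths substituted in; it is sourced by stdenv when listed as a dependency (see autoSignDarwinBinariesHook), not executed.` would make the contract explicit. The `let stdenv = stdenvNoCC; in` binding exists only to rename the input; `stdenvNoCC.mkDerivation` directly would be one line shorter and equally clear.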
+43
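--- a/pkgs/os-specific/darwin/signing-utils/utils.sh
+++ b/pkgs/os-specific/darwin/signing-utils/utils.sh
@@ -0,0 +1,43 @@
+# Work around for some odd behaviour where we can't codesign a file
+# in-place if it has been called before. This happens for example if
+# you try to fix-up a binary using strip/install_name_tool, after it
+# had been used previous. The solution is to copy the binary (with
+# the corrupted signature from strip/install_name_tool) to some
+# location, sign it there and move it back into place.
+#
+# This does not appear to happen with the codesign tool that ships
+# with recent macOS BigSur installs on M1 arm64 machines. However it
+# had also been happening with the tools that shipped with the DTKs.
+sign() {
+  local tmpdir
+  tmpdir=$(mktemp -d)
+
+  # $1 is the file
+
+  cp "$1" "$tmpdir"
+  CODESIGN_ALLOCATE=@codesignAllocate@ \
+    @sigtool@/bin/codesign -f -s - "$tmpdir/$(basename "$1")"
+  mv "$tmpdir/$(basename "$1")" "$1"
+  rmdir "$tmpdir"
+}
+
+checkRequiresSignature() {
+  local file=$1
+  local rc=0
+
+  @sigtool@/bin/sigtool --file "$file" check-requires-signature || rc=$?
+
+  if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
+    return "$rc"
+  fi
+
+  echo "Unexpected exit status from sigtool: $rc"
+  exit 1
+}
+
+signIfRequired() {
+  local file=$1
+  if checkRequiresSignature "$file"; then
+    sign "$file"
+  fi
+}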
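Review bot: `sign` runs `codesign -f -s -`, i.e. it force-replaces whatever signature the file had with an ad-hoc one, and the long header comment explains the copy-and-move dance but never states that; the security meaning deserves a line of its own, e.g. `# Ad-hoc signs (-s -) the file: this supplies only the cdhash the arm64 kernel requires, carries no signing identity, and replaces any previous signature (and, presumably, the entitlements it carried).` Putting the signed copy back with `mv` replaces the inode rather than its contents, so any other hardlink to `$1` keeps the old, now-broken signature; that is probably rare in a Nix output but is worth a comment next to the `mv`. If `cp` or `codesign` fails, the `mktemp -d` directory is never removed, so a `trap 'rm -rf "$tmpdir"' RETURN` or an explicit cleanup would keep failed builds from littering TMPDIR. `checkRequiresSignature` ends in `exit 1`, and since this file is sourced into the builder that terminates the whole build rather than returning to the caller, which looks intended but should be said in a comment.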
+6
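--- a/pkgs/top-level/darwin-packages.nix
+++ b/pkgs/top-level/darwin-packages.nix
@@ -120,6 +120,12 @@
     '';
   };
 
+  signingUtils = callPackage ../os-specific/darwin/signing-utils { };
+
+  autoSignDarwinBinariesHook = pkgs.makeSetupHook {
+    deps = [ self.signingUtils ];
+  } ../os-specific/darwin/signing-utils/auto-sign-hook.sh;
+
   maloader = callPackage ../os-specific/darwin/maloader {
   };
 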
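Review bot: `autoSignDarwinBinariesHook` is the attribute packagers will reach for, and it is added without any description of what it does to their outputs or how to opt out; a comment above it such as `# Setup hook (add to nativeBuildInputs) that ad-hoc signs, during fixup, every file in an output that sigtool reports as requiring a signature; set darwinDontCodeSign = true to skip.` would document the contract the hook script defines. The `{ }` passed to `callPackage` for `signingUtils` is fine but a one-line note that `sigtool` and `cctools` come from the darwin package set would help whoever later has to keep them in sync. The enclosing attribute set begins and ends outside this hunk.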