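# Work around some odd behaviour where we can't codesign a file in place
# if it has been called before. This happens, for example, if you try to
# fix up a binary using strip/install_name_tool after it had been used
# previously. The solution is to copy the binary (with the corrupted
# signature from strip/install_name_tool) to some other location, sign it
# there and move it back into place.
#
# This does not appear to happen with the codesign tool that ships with
# recent macOS Big Sur installs on M1 arm64 machines. However, it had also
# been happening with the tools that shipped with the DTKs.

#######################################
# Sign a copy of a file and move the signed copy over the original.
# Arguments: $1 - path of the file to sign
# Returns:   0 on success. Non-zero if the copy, the signing step or the
#            move back fails; the original file is then left as it was
#            and the scratch directory is removed.
#######################################
sign() {
  local target=$1
  local name tmpdir staged

  name=$(basename -- "$target") || return 1
  # Stop if mktemp fails: with an empty $tmpdir the staged path would be
  # "/$name", and the final mv would move an unrelated file from /.
  tmpdir=$(mktemp -d) || return 1
  staged="$tmpdir/$name"

  # In codesign's CLI, -f replaces an existing signature and "-s -"
  # selects the ad-hoc identity: the result is a valid signature that
  # carries no signer identity. The chain stops at the first failing
  # step, so an unsigned copy is never moved back over the original.
  if cp -- "$target" "$tmpdir" &&
    CODESIGN_ALLOCATE=@codesignAllocate@ \
      @sigtool@/bin/codesign -f -s - "$staged" &&
    mv -- "$staged" "$target"; then
    rmdir -- "$tmpdir"
    return
  fi

  # Failure path: the staged copy may still be present, so rmdir would
  # not be enough. No trap is installed, which leaves any traps of the
  # calling shell untouched.
  rm -rf -- "${tmpdir:?}"
  return 1
}

#######################################
# Ask sigtool whether a file requires a signature.
# Arguments: $1 - path of the file to inspect
# Outputs:   an error message on stderr for an unexpected sigtool status
# Returns:   sigtool's exit status when it is 0 or 1 (signIfRequired signs
#            on 0). Any other status is treated as fatal and terminates
#            the calling shell with `exit 1`.
#######################################
checkRequiresSignature() {
  local file=$1
  local rc=0

  # `|| rc=$?` records the status without letting a non-zero answer
  # abort a caller that runs with errexit.
  @sigtool@/bin/sigtool --file "$file" check-requires-signature || rc=$?

  case "$rc" in
    0 | 1) return "$rc" ;;
  esac

  # Anything other than 0 or 1 means sigtool itself failed (missing
  # binary, unreadable file, ...): fail closed instead of skipping the
  # signature.
  echo "Unexpected exit status from sigtool: $rc" >&2
  exit 1
}

#######################################
# Sign a file only when sigtool reports that it requires a signature.
# Arguments: $1 - path of the file to check and, if needed, sign
# Returns:   0 when no signature is required; otherwise the status of
#            sign.
#######################################
signIfRequired() {
  local file=$1

  if checkRequiresSignature "$file"; then
    sign "$file"
  fi
}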