diff mbox series

hvf: Sign the code after installation

Message ID 20210225000614.46919-1-akihiko.odaki@gmail.com (mailing list archive)
State New, archived
Headers show
Series hvf: Sign the code after installation | expand

Commit Message

Akihiko Odaki Feb. 25, 2021, 12:06 a.m. UTC
Before this change, the code signed during the build was installed
directly.

However, the signature gets invalidated because meson modifies the code
to fix dynamic library install names during the install process.

It also prevents meson to strip the code because the pre-signed file is
not marked as an executable (although it is somehow able to perform the
modification described above).

With this change, the unsigned code will be installed and modified by
meson first, and a script signs it later.

Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
---
 meson.build                                      | 11 +++++++----
 scripts/{entitlement.sh => entitlement/build.sh} |  0
 scripts/entitlement/install.sh                   | 11 +++++++++++
 3 files changed, 18 insertions(+), 4 deletions(-)
 rename scripts/{entitlement.sh => entitlement/build.sh} (100%)
 create mode 100755 scripts/entitlement/install.sh

Comments

Paolo Bonzini Feb. 25, 2021, 1:48 p.m. UTC | #1
On 25/02/21 01:06, Akihiko Odaki wrote:
> Before this change, the code signed during the build was installed
> directly.
> 
> However, the signature gets invalidated because meson modifies the code
> to fix dynamic library install names during the install process.
> 
> It also prevents meson to strip the code because the pre-signed file is
> not marked as an executable (although it is somehow able to perform the
> modification described above).
> 
> With this change, the unsigned code will be installed and modified by
> meson first, and a script signs it later.
> 
> Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>

Thanks very much!  As mentioned in the other message, I would prefer to 
have a single script so here is what I came up with.

#!/bin/sh -e
#
# Helper script for the build process to apply entitlements

copy=:
if [ "$1" = --install ]; then
   shift
   copy=false
   cd "$MESON_INSTALL_DESTDIR_PREFIX"
fi

SRC="$1"
DST="$2"
ENTITLEMENT="$3"

if $copy; then
   trap 'rm "$DST.tmp"' exit
   cp -af "$SRC" "$DST.tmp"
   SRC="$DST.tmp"
fi

codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC"
mv -f "$SRC" "$DST"
trap '' exit


I'll include this in the next pull request, since I was able to test it 
with Cirrus CI.

Thanks,

Paolo
Akihiko Odaki Feb. 26, 2021, 4:58 a.m. UTC | #2
2021年2月25日(木) 22:48 Paolo Bonzini <pbonzini@redhat.com>:
>
> On 25/02/21 01:06, Akihiko Odaki wrote:
> > Before this change, the code signed during the build was installed
> > directly.
> >
> > However, the signature gets invalidated because meson modifies the code
> > to fix dynamic library install names during the install process.
> >
> > It also prevents meson to strip the code because the pre-signed file is
> > not marked as an executable (although it is somehow able to perform the
> > modification described above).
> >
> > With this change, the unsigned code will be installed and modified by
> > meson first, and a script signs it later.
> >
> > Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com>
>
> Thanks very much!  As mentioned in the other message, I would prefer to
> have a single script so here is what I came up with.
>
> #!/bin/sh -e
> #
> # Helper script for the build process to apply entitlements
>
> copy=:
> if [ "$1" = --install ]; then
>    shift
>    copy=false
>    cd "$MESON_INSTALL_DESTDIR_PREFIX"
> fi
>
> SRC="$1"
> DST="$2"
> ENTITLEMENT="$3"
>
> if $copy; then
>    trap 'rm "$DST.tmp"' exit
>    cp -af "$SRC" "$DST.tmp"
>    SRC="$DST.tmp"
> fi
>
> codesign --entitlements "$ENTITLEMENT" --force -s - "$SRC"
> mv -f "$SRC" "$DST"
> trap '' exit
>
>
> I'll include this in the next pull request, since I was able to test it
> with Cirrus CI.
>
> Thanks,
>
> Paolo
>

I wonder what happens if codesign fails when modifying "$SRC" during
installation. The half-modified binary is still at "$SRC" and mtime is
newer than the binary in the build directory, so meson given
--only-changed may think it is "not changed" and leave it corrupted.
"mv" should be performed earlier to avoid such a case.

It is kind of theoretical and *very* unlikely to happen anyway, so it
is fine for me to include it. Anything else looks good for me and
should solve the problem nicely.

Thanks,
Akihiko Odaki
diff mbox series

Patch

diff --git a/meson.build b/meson.build
index 05a67c20d93..76691023c2c 100644
--- a/meson.build
+++ b/meson.build
@@ -2224,7 +2224,7 @@  foreach target : target_dirs
     endif
 
     emulator = executable(exe_name, exe['sources'],
-               install: not exe_sign,
+               install: true,
                c_args: c_args,
                dependencies: arch_deps + deps + exe['dependencies'],
                objects: lib.extract_all_objects(recursive: true),
@@ -2235,17 +2235,20 @@  foreach target : target_dirs
 
     if exe_sign
       emulators += {exe['name'] : custom_target(exe['name'],
-                   install: true,
-                   install_dir: get_option('bindir'),
                    depends: emulator,
                    output: exe['name'],
                    command: [
-                     meson.current_source_dir() / 'scripts/entitlement.sh',
+                     meson.current_source_dir() / 'scripts/entitlement/build.sh',
                      meson.current_build_dir() / exe_name,
                      meson.current_build_dir() / exe['name'],
                      meson.current_source_dir() / 'accel/hvf/entitlements.plist'
                    ])
       }
+
+      meson.add_install_script('scripts/entitlement/install.sh',
+                               get_option('bindir') / exe_name,
+                               get_option('bindir') / exe['name'],
+                               meson.current_source_dir() / 'accel/hvf/entitlements.plist')
     else
       emulators += {exe['name']: emulator}
     endif
diff --git a/scripts/entitlement.sh b/scripts/entitlement/build.sh
similarity index 100%
rename from scripts/entitlement.sh
rename to scripts/entitlement/build.sh
diff --git a/scripts/entitlement/install.sh b/scripts/entitlement/install.sh
new file mode 100755
index 00000000000..0c88d48110d
--- /dev/null
+++ b/scripts/entitlement/install.sh
@@ -0,0 +1,11 @@ 
+#!/bin/sh -e
+#
+# Helper script for the install process to apply entitlements
+
+SRC="$1"
+DST="$2"
+ENTITLEMENT="$3"
+
+cd "$MESON_INSTALL_DESTDIR_PREFIX"
+mv -f "$SRC" "$DST"
+codesign --entitlements "$ENTITLEMENT" --force -s - "$DST"