# Workaround for some odd behaviour where we can't codesign a file
# in-place if it has been called before. This happens, for example, if
# you try to fix up a binary using strip/install_name_tool after it
# has been used previously. The solution is to copy the binary (with
# the corrupted signature from strip/install_name_tool) to some
# location, sign it there and move it back into place.
# This does not appear to happen with the codesign tool that ships
# with recent macOS Big Sur installs on M1 arm64 machines. However, it
# had also been happening with the tools that shipped with the DTKs.
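# Re-sign a file by signing a scratch copy and moving it back into place.
#
# Arguments: $1 - path of the file to sign
# Returns:   0 when the copy was signed and moved back over $1; otherwise
#            the status of the step that failed (mktemp, cp, codesign or mv).
#
# Every step is checked explicitly so that a failed codesign run is reported
# to the caller instead of being masked by the later mv/rmdir, and so that the
# original file is only replaced after signing succeeded.
sign() {
    local tmpdir copy rc=0

    tmpdir=$(mktemp -d) || return

    # $1 is the file
    copy="$tmpdir/$(basename -- "$1")"

    # NOTE(review): cp runs without -p, so the file that ends up at $1 takes
    # its mode from the copy (source mode filtered by the umask) - confirm
    # that no caller depends on other metadata being preserved.
    cp -- "$1" "$copy" \
        && CODESIGN_ALLOCATE=@codesignAllocate@ \
            @sigtool@/bin/codesign -f -s - "$copy" \
        && mv -- "$copy" "$1" \
        || rc=$?

    # After a failure the copy may still be in the scratch directory, so
    # remove the whole directory rather than relying on rmdir.
    rm -rf -- "${tmpdir:?}"

    return "$rc"
}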
# Ask sigtool whether a file requires a signature.
#
# Arguments: $1 - path of the file to inspect
# Returns:   sigtool's exit status when it is 0 or 1, passed through
#            unchanged (signIfRequired signs the file when it is 0).
# Exits:     terminates the calling shell with status 1 on any other
#            sigtool status, after printing that status.
checkRequiresSignature() {
    local target=$1
    local status=0

    # Capture the status with `||` so a non-zero result is recorded rather
    # than aborting a caller that runs under `set -e`.
    @sigtool@/bin/sigtool --file "$target" check-requires-signature || status=$?

    case "$status" in
        0 | 1)
            return "$status"
            ;;
    esac

    # NOTE(review): this diagnostic is written to stdout, not stderr.
    echo "Unexpected exit status from sigtool: $status"
    exit 1
}
# Sign a file only when checkRequiresSignature reports status 0 for it.
#
# Arguments: $1 - path of the file to check and, if needed, sign
# Returns:   0 when no signing was needed, otherwise the status of sign.
signIfRequired() {
    local target=$1

    # A status of 1 from the check means there is nothing to do; any other
    # unexpected status has already terminated the shell inside the check.
    checkRequiresSignature "$target" || return 0

    sign "$target"
}