Merge pull request #15105 from anjannath/sign-qemu

Add steps to sign included qemu and notarize the built pkg
2022-08-03 17:55:57 +00:00 · 2022-08-03 17:55:57 +00:00 · 0f002c1600
parent 5fc7339aa1 44212b90bb
commit 0f002c1600
4 changed files with 57 additions and 7 deletions
--- a/contrib/pkginstaller/Makefile
+++ b/contrib/pkginstaller/Makefile
@ -9,14 +9,15 @@ QEMU_RELEASE_URL ?= https://github.com/containers/podman-machine-qemu/releases/d
 PACKAGE_DIR ?= out/packaging
 TMP_DOWNLOAD ?= tmp-download
 PACKAGE_ROOT ?= root
+PKG_NAME := podman-installer-macos-$(ARCH).pkg

 default: pkginstaller

-get_gvproxy:
+$(TMP_DOWNLOAD)/gvproxy:
 	mkdir -p $(TMP_DOWNLOAD)
 	cd $(TMP_DOWNLOAD) && curl -sLo gvproxy $(GVPROXY_RELEASE_URL)

-get_qemu:
+$(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz:
 	mkdir -p $(TMP_DOWNLOAD)
 	cd $(TMP_DOWNLOAD) && curl -sLO $(QEMU_RELEASE_URL)

@ -32,8 +33,9 @@ packagedir: package_root Distribution welcome.html
 	echo -n $(PODMAN_VERSION) > $(PACKAGE_DIR)/VERSION
 	echo -n $(ARCH) > $(PACKAGE_DIR)/ARCH
 	cp ../../LICENSE $(PACKAGE_DIR)/Resources/LICENSE.txt
+	cp hvf.entitlements $(PACKAGE_DIR)/

-package_root: get_gvproxy get_qemu
+package_root: clean-pkgroot $(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz $(TMP_DOWNLOAD)/gvproxy
 	mkdir -p $(PACKAGE_ROOT)/podman/bin $(PACKAGE_ROOT)/podman/qemu
 	tar -C $(PACKAGE_ROOT)/podman/qemu -xf $(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz
 	cp $(TMP_DOWNLOAD)/gvproxy $(PACKAGE_ROOT)/podman/bin/
@ -45,6 +47,15 @@ package_root: get_gvproxy get_qemu
 pkginstaller: packagedir
 	cd $(PACKAGE_DIR) && ./package.sh ..

-.PHONY: clean
+_notarize: pkginstaller
+	xcrun notarytool submit --apple-id $(NOTARIZE_USERNAME) --password $(NOTARIZE_PASSWORD) --team-id=$(NOTARIZE_TEAM) -f json --wait out/$(PKG_NAME)
+
+notarize: _notarize
+	xcrun stapler staple out/$(PKG_NAME)
+
+.PHONY: clean clean-pkgroot
 clean:
 	rm -rf $(TMP_DOWNLOAD) $(PACKAGE_ROOT) $(PACKAGE_DIR) Distribution welcome.html
+
+clean-pkgroot:
+	rm -rf $(PACKAGE_ROOT) $(PACKAGE_DIR) Distribution welcome.html
--- a/contrib/pkginstaller/README.md
+++ b/contrib/pkginstaller/README.md
@ -5,6 +5,9 @@ $ make ARCH=<amd64 | aarch64> NO_CODESIGN=1 pkginstaller

 # or to create signed pkg
 $ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> pkginstaller
+
+# or to prepare a signed and notarized pkg for release
+$ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> NOTARIZE_USERNAME=<appleID> NOTARIZE_PASSWORD=<appleID-password> NOTARIZE_TEAM=<team-id> notarize
 ```

 The generated pkg will be written to `out/podman-macos-installer-*.pkg`.
--- a/contrib/pkginstaller/hvf.entitlements
+++ b/contrib/pkginstaller/hvf.entitlements
@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.hypervisor</key>
+    <true/>
+</dict>
+</plist>
--- a/contrib/pkginstaller/package.sh
+++ b/contrib/pkginstaller/package.sh
@ -10,6 +10,10 @@ NO_CODESIGN=${NO_CODESIGN:-0}
 HELPER_BINARIES_DIR="/opt/podman/qemu/bin"

 binDir="${BASEDIR}/root/podman/bin"
+qemuBinDir="${BASEDIR}/root/podman/qemu/bin"
+
+version=$(cat "${BASEDIR}/VERSION")
+arch=$(cat "${BASEDIR}/ARCH")

 function build_podman() {
  pushd "$1"
@ -29,16 +33,40 @@ function sign() {
  if [ -f "${entitlements}" ]; then
      opts="--entitlements ${entitlements}"
  fi
-  codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --force --timestamp "${opts}" "$1"
+  codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force ${opts} "$1"
 }

-version=$(cat "${BASEDIR}/VERSION")
-arch=$(cat "${BASEDIR}/ARCH")
+function signQemu() {
+  if [ "${NO_CODESIGN}" -eq "1" ]; then
+    return
+  fi
+
+  local qemuArch="${arch}"
+  if [ "${qemuArch}" = amd64 ]; then
+      qemuArch=x86_64
+  fi
+
+  # sign the files inside /opt/podman/qemu/lib
+  libs=$(find "${BASEDIR}"/root/podman/qemu/lib -depth -name "*.dylib" -or -type f -perm +111)
+  echo "${libs}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true
+
+  # sign the files inside /opt/podman/qemu/bin except qemu-system-*
+  bins=$(find "${BASEDIR}"/root/podman/qemu/bin -depth -type f -perm +111 ! -name "qemu-system-${qemuArch}")
+  echo "${bins}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force  % || true
+
+  # sign the qemu-system-* binary
+  # need to remove any extended attributes, otherwise codesign complains:
+  # qemu-system-aarch64: resource fork, Finder information, or similar detritus not allowed
+  xattr -cr "${qemuBinDir}/qemu-system-${qemuArch}"
+  codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force \
+    --entitlements "${BASEDIR}/hvf.entitlements" "${qemuBinDir}/qemu-system-${qemuArch}"
+}

 build_podman "../../../../"
 sign "${binDir}/podman"
 sign "${binDir}/gvproxy"
 sign "${binDir}/podman-mac-helper"
+signQemu

 pkgbuild --identifier com.redhat.podman --version "${version}" \
  --scripts "${BASEDIR}/scripts" \