darwin: wrap strip and install_name_tool to codesign modified files
Co-authored-by: Moritz Angermann <moritz.angermann@gmail.com>
parent
7eb1e3695d
commit
772b66531a
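--- a/pkgs/build-support/bintools-wrapper/darwin-install_name_tool-wrapper.sh
+++ b/pkgs/build-support/bintools-wrapper/darwin-install_name_tool-wrapper.sh
@@ -0,0 +1,49 @@
+#! @shell@
+# shellcheck shell=bash
+
+set -eu -o pipefail +o posix
+shopt -s nullglob
+
+if (( "${NIX_DEBUG:-0}" >= 7 )); then
+set -x
+fi
+
+source @signingUtils@
+
+extraAfter=()
+extraBefore=()
+params=("$@")
+
+input=
+
+pprev=
+prev=
+for p in \
+${extraBefore+"${extraBefore[@]}"} \
+${params+"${params[@]}"} \
+${extraAfter+"${extraAfter[@]}"}
+do
+if [ "$pprev" != "-change" ] && [[ "$prev" != -* ]] && [[ "$p" != -* ]]; then
+input="$p"
+fi
+pprev="$prev"
+prev="$p"
+done
+
+# Optionally print debug info.
+if (( "${NIX_DEBUG:-0}" >= 1 )); then
+# Old bash workaround, see above.
+echo "extra flags before to @prog@:" >&2
+printf " %q\n" ${extraBefore+"${extraBefore[@]}"} >&2
+echo "original flags to @prog@:" >&2
+printf " %q\n" ${params+"${params[@]}"} >&2
+echo "extra flags after to @prog@:" >&2
+printf " %q\n" ${extraAfter+"${extraAfter[@]}"} >&2
+fi
+
+@prog@ \
+${extraBefore+"${extraBefore[@]}"} \
+${params+"${params[@]}"} \
+${extraAfter+"${extraAfter[@]}"}
+
+sign "$input"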
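Review bot: The input-detection test `[ "$pprev" != "-change" ]` special-cases only `-change`, but install_name_tool's `-rpath old new` also takes two values, so when the file is not the last argument the loop can leave `input` holding an rpath string; `sign "$input"` then targets the wrong path and the rewritten binary keeps its invalidated signature. Consider `if [ "$pprev" != "-change" ] && [ "$pprev" != "-rpath" ] && [[ "$prev" != -* ]] && [[ "$p" != -* ]]; then`. The final `sign "$input"` also runs when no file was recognised and `input` is still empty; `if [ -n "$input" ]; then sign "$input"; fi` would make that case explicit. How `sign` treats an empty or missing path is defined in `@signingUtils@`, which is not shown on this page.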
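--- a/pkgs/build-support/bintools-wrapper/darwin-strip-wrapper.sh
+++ b/pkgs/build-support/bintools-wrapper/darwin-strip-wrapper.sh
@@ -0,0 +1,78 @@
+#! @shell@
+# shellcheck shell=bash
+
+set -eu -o pipefail +o posix
+shopt -s nullglob
+
+if (( "${NIX_DEBUG:-0}" >= 7 )); then
+set -x
+fi
+
+source @signingUtils@
+
+extraAfter=()
+extraBefore=()
+params=("$@")
+
+output=
+inputs=()
+
+restAreFiles=
+prev=
+for p in \
+${extraBefore+"${extraBefore[@]}"} \
+${params+"${params[@]}"} \
+${extraAfter+"${extraAfter[@]}"}
+do
+if [ "$restAreFiles" ]; then
+inputs+=("$p")
+else
+case "$prev" in
+-s|-R|-d|-arch)
+# Unrelated arguments with values
+;;
+-o)
+# Explicit output
+output="$p"
+;;
+*)
+# Any other orgument either takes no value, or is a file.
+if [[ "$p" != -* ]]; then
+inputs+=("$p")
+fi
+;;
+esac
+
+if [ "$p" == - ]; then
+restAreFiles=1
+fi
+fi
+
+prev="$p"
+done
+
+# Optionally print debug info.
+if (( "${NIX_DEBUG:-0}" >= 1 )); then
+# Old bash workaround, see above.
+echo "extra flags before to @prog@:" >&2
+printf " %q\n" ${extraBefore+"${extraBefore[@]}"} >&2
+echo "original flags to @prog@:" >&2
+printf " %q\n" ${params+"${params[@]}"} >&2
+echo "extra flags after to @prog@:" >&2
+printf " %q\n" ${extraAfter+"${extraAfter[@]}"} >&2
+fi
+
+@prog@ \
+${extraBefore+"${extraBefore[@]}"} \
+${params+"${params[@]}"} \
+${extraAfter+"${extraAfter[@]}"}
+
+if [ "$output" ]; then
+# Single explicit output
+signIfRequired "$output"
+else
+# Multiple inputs, rewritten in place
+for input in "${inputs[@]}"; do
+signIfRequired "$input"
+done
+fi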
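Review bot: The final loop `for input in "${inputs[@]}"; do` expands `inputs` without the `${var+...}` guard that every other array expansion in this script carries, so under `set -u` an invocation that names no files and no `-o` can abort with an unbound-variable error on the older bash versions that guard exists for, after `@prog@` has already run. Writing it as `for input in ${inputs+"${inputs[@]}"}; do` keeps the script consistent with its own workaround. Separately, the `case "$prev"` list `-s|-R|-d|-arch` is the only thing keeping option values out of `inputs`, and a value mistaken for a file is handed to `signIfRequired`; a comment such as `# Must list every strip flag that takes a value, or the value is treated as a file to sign` would record that dependency. What `signIfRequired` does with a path that is not a Mach-O file is defined in `@signingUtils@`, outside this page.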
@ -14,6 +14,9 @@
|
||||
, extraPackages ? [], extraBuildCommands ? ""
|
||||
, buildPackages ? {}
|
||||
, useMacosReexportHack ? false
|
||||
|
||||
# Darwin code signing support utilities
|
||||
, postLinkSignHook ? null, signingUtils ? null
|
||||
}:
|
||||
|
||||
with lib;
|
||||
@ -339,6 +342,24 @@ stdenv.mkDerivation {
|
||||
''
|
||||
)
|
||||
|
||||
##
|
||||
## Code signing on Apple Silicon
|
||||
##
|
||||
+ optionalString (targetPlatform.isDarwin && targetPlatform.isAarch64) ''
|
||||
echo 'source ${postLinkSignHook}' >> $out/nix-support/post-link-hook
|
||||
|
||||
export signingUtils=${signingUtils}
|
||||
|
||||
wrap \
|
||||
${targetPrefix}install_name_tool \
|
||||
${./darwin-install_name_tool-wrapper.sh} \
|
||||
"${bintools_bin}/bin/${targetPrefix}install_name_tool"
|
||||
|
||||
wrap \
|
||||
${targetPrefix}strip ${./darwin-strip-wrapper.sh} \
|
||||
"${bintools_bin}/bin/${targetPrefix}strip"
|
||||
''
|
||||
|
||||
##
|
||||
## Extra custom steps
|
||||
##
|
||||
|
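Review bot: `postLinkSignHook` and `signingUtils` default to `null`, yet the aarch64-darwin branch interpolates both (`'source ${postLinkSignHook}'`, `export signingUtils=${signingUtils}`) without checking them, so a caller that omits them presumably hits a generic null-to-string coercion error instead of a message naming the missing argument. An explicit check next to the argument list, e.g. `assert (targetPlatform.isDarwin && targetPlatform.isAarch64) -> (postLinkSignHook != null && signingUtils != null);`, would document the requirement and keep the failure closed, so a wrapper without signing support is never produced silently for a platform that refuses unsigned binaries. The `stdenv.mkDerivation` body this hunk extends starts and ends outside the hunk.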
@ -11857,6 +11857,7 @@ in
|
||||
noLibc = (self.libc == null);
|
||||
|
||||
inherit bintools libc;
|
||||
inherit (darwin) postLinkSignHook signingUtils;
|
||||
} // extraArgs; in self);
|
||||
|
||||
yaml-language-server = nodePackages.yaml-language-server;
|
||||
|