From 4665bb8e663c6d0ef452f4c124742732c96f8fd6 Mon Sep 17 00:00:00 2001
From: Francois-Xavier Coudert
Date: Tue, 10 Nov 2020 23:52:33 +0100
Subject: [PATCH] keg: add codesigning

---
 Library/Homebrew/os/mac/keg.rb | 35 ++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/Library/Homebrew/os/mac/keg.rb b/Library/Homebrew/os/mac/keg.rb
index b5805975c6..2e2e24dccc 100644
--- a/Library/Homebrew/os/mac/keg.rb
+++ b/Library/Homebrew/os/mac/keg.rb
@@ -8,6 +8,7 @@ class Keg
 @require_relocation = true
 odebug "Changing dylib ID of #{file}\n from #{file.dylib_id}\n to #{id}"
 MachO::Tools.change_dylib_id(file, id, strict: false)
+ apply_ad_hoc_signature(file)
 rescue MachO::MachOError
 onoe <<~EOS
 Failed changing dylib ID of #{file}
@@ -23,6 +24,7 @@ class Keg
 @require_relocation = true
 odebug "Changing install name in #{file}\n from #{old}\n to #{new}"
 MachO::Tools.change_install_name(file, old, new, strict: false)
+ apply_ad_hoc_signature(file)
 rescue MachO::MachOError
 onoe <<~EOS
 Failed changing install name in #{file}
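Review bot: The added `apply_ad_hoc_signature(file)` re-signs the whole Mach-O on every single header rewrite, so if, as the method name suggests, change_install_name runs once per rewritten install name, a binary with many dependent dylibs goes through `codesign` once per dependency instead of once after the last edit; the same applies to the call added in the second hunk (@@ -23,6 +24,7 @@). Only the final signature matters, so it would be cheaper to sign once when the caller has finished all edits to a file, which presumably happens outside both hunks. Note also that apply_ad_hoc_signature reports failure only through `onoe` and returns nil, so the `rescue MachO::MachOError` below never fires for a signing failure and the relocation is treated as successful even when the binary is left with an invalid signature. The enclosing methods begin and end outside these hunks.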
@@ -31,4 +33,37 @@ class Keg
 EOS
 raise
 end
+
+ def apply_ad_hoc_signature(file)
+ return if MacOS.version < :big_sur
+ return unless Hardware::CPU.arm?
+
+ odebug "Codesigning #{file}"
+ # Use quiet_system to squash notifications about resigning binaries
+ # which already have valid signatures.
+ return if quiet_system("codesign", "--sign", "-", "--force",
+ "--preserve-metadata=entitlements,requirements,flags,runtime",
+ file)
+
+ # If the codesigning fails, it may be a bug in Apple's codesign utility
+ # A known workaround is to copy the file to another inode, then move it back
+ # erasing the previous file. Then sign again.
+ #
+ # TODO: remove this once the bug in Apple's codesign utility is fixed
+ Dir::Tmpname.create("workaround") do |tmppath|
+ FileUtils.cp file, tmppath
+ FileUtils.mv tmppath, file, force: true
+ end
+
+ # Try signing again
+ odebug "Codesigning (2nd try) #{file}"
+ return if quiet_system("codesign", "--sign", "-", "--force",
+ "--preserve-metadata=entitlements,requirements,flags,runtime",
+ file)
+
+ # If it fails again, error out
+ onoe <<~EOS
+ Failed applying an ad-hoc signature to #{file}
+ EOS
+ end
 end
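Review bot: apply_ad_hoc_signature gives its callers no failure signal: when the second `quiet_system` attempt fails it only prints via `onoe` and falls off the end returning nil, unlike the `onoe <<~EOS … EOS` / `raise` pair at the top of this hunk, so a binary left with an invalid signature is downgraded to a warning while the install continues. Either `raise` after the `onoe`, mirroring the MachOError handlers, or return the boolean from `quiet_system` so the caller can decide what to do. The inode workaround relies on `Dir::Tmpname.create("workaround")`, an undocumented internal helper that yields a path under `Dir.tmpdir` rather than next to `file`, so the copy and the move back may cross filesystems and the intermediate file is created with a plain `FileUtils.cp` rather than exclusively; a sibling path such as `"#{file}.tmp"` in the same directory would keep the round trip on one volume and inside the keg. The `--preserve-metadata=…,requirements,…` option may also carry over a designated requirement written for the original signing identity, which an ad-hoc signature cannot satisfy, so it is worth confirming the re-signed binaries pass `codesign --verify --strict`.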