From 24a56dbe42c3e2bf0289fa68839a7e332292bdf0 Mon Sep 17 00:00:00 2001
From: CrazyMax
Date: Sat, 26 Aug 2023 09:58:59 +0200
Subject: [PATCH] docker(install): SIGN_QEMU_BINARY env as workaround to replace existing signature
Signed-off-by: CrazyMax
---
 __tests__/docker/install.test.itg.ts | 16 +++++++++++---
 src/docker/assets.ts | 11 ++++++++++
 src/docker/install.ts | 32 +++++++++++++++++++++++++++-
 3 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/__tests__/docker/install.test.itg.ts b/__tests__/docker/install.test.itg.ts
index e94b5d83..01c20eb3 100644
--- a/__tests__/docker/install.test.itg.ts
+++ b/__tests__/docker/install.test.itg.ts
@@ -15,7 +15,7 @@
 */
 import path from 'path';
-import {jest, describe, expect, test} from '@jest/globals';
+import {jest, describe, expect, test, beforeEach, afterEach} from '@jest/globals';
 import {Install} from '../../src/docker/install';
 import {Docker} from '../../src/docker/docker';
@@ -24,7 +24,17 @@ import {Docker} from '../../src/docker/docker';
 const tmpDir = path.join(process.env.TEMP || '/tmp', 'docker-install-jest');
 describe('install', () => {
- jest.retryTimes(2, {logErrorsBeforeRetry: true});
+ const originalEnv = process.env;
+ beforeEach(() => {
+ jest.resetModules();
+ process.env = {
+ ...originalEnv,
+ SIGN_QEMU_BINARY: '1'
+ };
+ });
+ afterEach(() => {
+ process.env = originalEnv;
+ });
 // prettier-ignore
 test.each(['v24.0.5'])(
 'install docker %s',
 async (version) => {
@@ -40,5 +50,5 @@ describe('install', () => {
 await Docker.printInfo();
 await install.tearDown();
 })()).resolves.not.toThrow();
- }, 100000);
+ }, 600000);
 });
diff --git a/src/docker/assets.ts b/src/docker/assets.ts
index 6ebed435..89f46e90 100644
--- a/src/docker/assets.ts
+++ b/src/docker/assets.ts
@@ -336,3 +336,14 @@ mounts: []
 # Default: {}
 env: {}
 `;
+
+export const qemuEntitlements = `
+
+
+
+
+ com.apple.security.hypervisor
+
+
+
+`;
diff --git a/src/docker/install.ts b/src/docker/install.ts
index 3a348e23..0e5f0b51 100644
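Review bot: The new beforeEach in the second hunk of install.test.itg.ts forces `SIGN_QEMU_BINARY: '1'` for every case, so this integration test now only exercises the re-signing branch and the default path (no codesign step) is no longer covered at all. Consider making the env value a test.each parameter alongside the version, e.g. `test.each([['v24.0.5', '0'], ['v24.0.5', '1']])`, and setting `process.env.SIGN_QEMU_BINARY` per case inside the test. The same hunk removes `jest.retryTimes(2, ...)` without a replacement while the last hunk raises the timeout to 600000 ms; if dropping retries is deliberate, a one-line comment saying so would save the next reader from re-adding it. `originalEnv` is captured once at describe time and restored wholesale in afterEach, which presumably is the intent, but it also discards anything the runner sets between module load and the hook — worth a short comment.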
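Review bot: `qemuEntitlements` in assets.ts is exported with no doc comment, and nothing in that file says what consumes it or why `com.apple.security.hypervisor` is the entitlement granted; add a TSDoc header such as `/** Entitlements plist that Install applies when re-signing the QEMU binary (opt-in via SIGN_QEMU_BINARY); grants com.apple.security.hypervisor. See https://github.com/abiosoft/colima/issues/786#issuecomment-1693629650 */`. The plist markup appears stripped in this view, so the XML itself cannot be checked here; since every key listed in this constant is baked into the re-signed binary, a comment asking contributors to keep the list to what colima needs would be a useful guard against it growing.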
--- a/src/docker/install.ts
+++ b/src/docker/install.ts
@@ -29,7 +29,7 @@ import * as tc from '@actions/tool-cache';
 import {Context} from '../context';
 import {Exec} from '../exec';
 import {Util} from '../util';
-import {colimaYamlData, dockerServiceLogsPs1, setupDockerLinuxSh, setupDockerWinPs1} from './assets';
+import {colimaYamlData, dockerServiceLogsPs1, qemuEntitlements, setupDockerLinuxSh, setupDockerWinPs1} from './assets';
 import {GitHubRelease} from '../types/github';
 export interface InstallOpts {
@@ -147,6 +147,21 @@ export class Install {
 core.info(colimaCfg);
 });
+ const qemuArch = await Install.qemuArch();
+ await core.group('QEMU version', async () => {
+ await Exec.exec(`qemu-system-${qemuArch} --version`);
+ });
+
+ // https://github.com/abiosoft/colima/issues/786#issuecomment-1693629650
+ if (process.env.SIGN_QEMU_BINARY === '1') {
+ await core.group('Signing QEMU binary with entitlements', async () => {
+ const qemuEntitlementsFile = path.join(Context.tmpDir(), 'qemu-entitlements.xml');
+ core.info(`Writing entitlements to ${qemuEntitlementsFile}`);
+ fs.writeFileSync(qemuEntitlementsFile, qemuEntitlements);
+ await Exec.exec(`codesign --sign - --entitlements ${qemuEntitlementsFile} --force /usr/local/bin/qemu-system-${qemuArch}`);
+ });
+ }
+
 // colima is already started on the runner so env var added in download
 // method is not expanded to the running process.
 const envs = Object.assign({}, process.env, {
@@ -154,6 +169,7 @@ export class Install {
 }) as {
 [key: string]: string;
 };
+
 await core.group('Starting colima', async () => {
 try {
 await Exec.exec('colima', ['start', '--very-verbose'], {env: envs});
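Review bot: The `codesign` call inside the SIGN_QEMU_BINARY branch is assembled as one interpolated string, while the `colima start` call a few lines below already uses the argv form; `qemuEntitlementsFile` comes from Context.tmpDir() and would be split on any whitespace in that path. Prefer `const qemuBinary = path.join('/usr/local/bin', 'qemu-system-' + qemuArch);` followed by `await Exec.exec('codesign', ['--sign', '-', '--entitlements', qemuEntitlementsFile, '--force', qemuBinary]);`. The binary path is also hard-coded to /usr/local/bin whereas the preceding version check resolves `qemu-system-${qemuArch}` through PATH, so on a runner where the tool lives elsewhere the file that is signed may not be the one that is executed; resolving the path once and using it for both would make that explicit. Because `--force` with the ad-hoc `-` identity replaces whatever signature and entitlements the installed binary shipped with, a comment next to the env check stating that this is an opt-in workaround for the linked colima issue, and why it is not the default, would help reviewers and operators. The enclosing method starts and ends outside this hunk.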
@@ -377,6 +393,20 @@ export class Install {
 });
 }
+ private static async qemuArch(): Promise {
+ switch (os.arch()) {
+ case 'x64': {
+ return 'x86_64';
+ }
+ case 'arm64': {
+ return 'aarch64';
+ }
+ default: {
+ return os.arch();
+ }
+ }
+ }
+
 public static async getRelease(version: string): Promise {
 const url = `https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/docker-releases.json`;
 const http: httpm.HttpClient = new httpm.HttpClient('docker-actions-toolkit');
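Review bot: `qemuArch` is declared `async` but contains no `await` and only calls `os.arch()`, so the Promise wrapper buys nothing and forces an `await` at its single call site; `private static qemuArch(): string {` would do (the return type annotation looks truncated in this view, so I cannot confirm what it currently says). The `default` branch returns Node's raw arch name, which for anything other than x64/arm64 produces a `qemu-system-<arch>` binary name that may not exist, and the caller's version check will presumably then fail with a generic exec error; either throw here with a clear message naming the unsupported arch, or document the pass-through with a comment such as `// other archs: pass Node's name through and let the qemu lookup fail loudly`. A one-line TSDoc on the method stating that it maps `os.arch()` values to the QEMU system-emulator suffix would also help.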