Merge pull request #15194 from ashley-cui/backports

[CI:DOCS] [4.2] Backport MacOS pkginstaller

Author: openshift-ci[bot]

contrib/pkginstaller/.gitignore

@@ -0,0 +1,6 @@
+out
+Distribution
+welcome.html
+tmp-download
+.vscode
+root

contrib/pkginstaller/Distribution.in

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8" standalone="no"?>
+<installer-script minSpecVersion="1.000000">
+    <title>Podman __VERSION__</title>
+    <background mime-type="image/png" file="banner.png" scaling="proportional"/>
+    <welcome file="welcome.html" mime-type="text/html" />
+    <conclusion file="conclusion.html" mime-type="text/html" />
+    <license file="LICENSE.txt"/>
+    <options customize="never" hostArchitectures="x86_64,arm64" />
+    <domains enable_localSystem="true" />
+    <choices-outline>
+        <line choice="podman"/>
+    </choices-outline>
+    <choice id="podman" title="podman">
+        <pkg-ref id="podman.pkg"/>
+    </choice>
+    <pkg-ref id="podman.pkg">podman.pkg</pkg-ref>
+</installer-script>

contrib/pkginstaller/Makefile

@@ -0,0 +1,61 @@
+SHELL := bash
+
+ARCH ?= aarch64
+PODMAN_VERSION ?= 4.1.0
+GVPROXY_VERSION ?= 0.4.0
+QEMU_VERSION ?= 7.0.0-2
+GVPROXY_RELEASE_URL ?= https://github.com/containers/gvisor-tap-vsock/releases/download/v$(GVPROXY_VERSION)/gvproxy-darwin
+QEMU_RELEASE_URL ?= https://github.com/containers/podman-machine-qemu/releases/download/v$(QEMU_VERSION)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz
+PACKAGE_DIR ?= out/packaging
+TMP_DOWNLOAD ?= tmp-download
+PACKAGE_ROOT ?= root
+PKG_NAME := podman-installer-macos-$(ARCH).pkg
+
+default: pkginstaller
+
+$(TMP_DOWNLOAD)/gvproxy:
+	mkdir -p $(TMP_DOWNLOAD)
+	cd $(TMP_DOWNLOAD) && curl -sLo gvproxy $(GVPROXY_RELEASE_URL)
+
+$(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz:
+	mkdir -p $(TMP_DOWNLOAD)
+	cd $(TMP_DOWNLOAD) && curl -sLO $(QEMU_RELEASE_URL)
+
+packagedir: package_root Distribution welcome.html
+	mkdir -p $(PACKAGE_DIR)
+	cp -r Resources $(PACKAGE_DIR)/
+	cp welcome.html $(PACKAGE_DIR)/Resources/
+	cp Distribution $(PACKAGE_DIR)/
+	cp -r scripts $(PACKAGE_DIR)/
+	cp -r $(PACKAGE_ROOT) $(PACKAGE_DIR)/
+	cp package.sh $(PACKAGE_DIR)/
+	cd $(PACKAGE_DIR) && pkgbuild --analyze --root ./root component.plist
+	echo -n $(PODMAN_VERSION) > $(PACKAGE_DIR)/VERSION
+	echo -n $(ARCH) > $(PACKAGE_DIR)/ARCH
+	cp ../../LICENSE $(PACKAGE_DIR)/Resources/LICENSE.txt
+	cp hvf.entitlements $(PACKAGE_DIR)/
+
+package_root: clean-pkgroot $(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz $(TMP_DOWNLOAD)/gvproxy
+	mkdir -p $(PACKAGE_ROOT)/podman/bin $(PACKAGE_ROOT)/podman/qemu
+	tar -C $(PACKAGE_ROOT)/podman/qemu -xf $(TMP_DOWNLOAD)/podman-machine-qemu-$(ARCH)-$(QEMU_VERSION).tar.xz
+	cp $(TMP_DOWNLOAD)/gvproxy $(PACKAGE_ROOT)/podman/bin/
+	chmod a+x $(PACKAGE_ROOT)/podman/bin/*
+
+%: %.in
+	@sed -e 's/__VERSION__/'$(PODMAN_VERSION)'/g' $< >$@
+
+pkginstaller: packagedir
+	cd $(PACKAGE_DIR) && ./package.sh ..
+
+_notarize: pkginstaller
+	xcrun notarytool submit --apple-id $(NOTARIZE_USERNAME) --password $(NOTARIZE_PASSWORD) --team-id=$(NOTARIZE_TEAM) -f json --wait out/$(PKG_NAME)
+
+notarize: _notarize
+	xcrun stapler staple out/$(PKG_NAME)
+
+.PHONY: clean clean-pkgroot
+clean:
+	rm -rf $(TMP_DOWNLOAD) $(PACKAGE_ROOT) $(PACKAGE_DIR) Distribution welcome.html
+
+clean-pkgroot:
+	rm -rf $(PACKAGE_ROOT) $(PACKAGE_DIR) Distribution welcome.html

contrib/pkginstaller/README.md

@@ -0,0 +1,25 @@
+## How to build
+
+```sh
+$ make ARCH=<amd64 | aarch64> NO_CODESIGN=1 pkginstaller
+
+# or to create signed pkg
+$ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> pkginstaller
+
+# or to prepare a signed and notarized pkg for release
+$ make ARCH=<amd64 | aarch64> CODESIGN_IDENTITY=<ID> PRODUCTSIGN_IDENTITY=<ID> NOTARIZE_USERNAME=<appleID> NOTARIZE_PASSWORD=<appleID-password> NOTARIZE_TEAM=<team-id> notarize
+```
+
+The generated pkg will be written to `out/podman-macos-installer-*.pkg`.
+Currently the pkg installs `podman`, `qemu`, `gvproxy` and `podman-mac-helper` to `/opt/podman`
+
+The `qemu` build it uses is from [containers/podman-machine-qemu](https://github.com/containers/podman-machine-qemu)
+
+## Uninstalling
+
+```sh
+$ sudo rm -rf /opt/podman
+```
+
+### Screenshot
+<img width="626" alt="screenshot-macOS-pkg-podman" src="https://user-images.githubusercontent.com/8885742/157380992-2e3b1573-34a0-4aa0-bdc1-a85f4792a1d2.png">

contrib/pkginstaller/Resources/banner.png

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8"/>
+</head>
+<body>
+<div align="left" style="font-family: Helvetica; padding-left: 10px;">
+    <br/>
+    <p style="color: #020202; font-size: 12px;">Thanks for installing Podman!</p>
+    <p style="color: #020202; font-size: 12px;">You can now start using the 'podman' command. First run 'podman machine init'</b>.</p>
+</div>
+</body>
+</html>

contrib/pkginstaller/Resources/conclusion.html

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.hypervisor</key>
+    <true/>
+</dict>
+</plist>

contrib/pkginstaller/hvf.entitlements

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+BASEDIR=$(dirname "$0")
+OUTPUT=$1
+CODESIGN_IDENTITY=${CODESIGN_IDENTITY:-mock}
+PRODUCTSIGN_IDENTITY=${PRODUCTSIGN_IDENTITY:-mock}
+NO_CODESIGN=${NO_CODESIGN:-0}
+HELPER_BINARIES_DIR="/opt/podman/qemu/bin"
+
+binDir="${BASEDIR}/root/podman/bin"
+qemuBinDir="${BASEDIR}/root/podman/qemu/bin"
+
+version=$(cat "${BASEDIR}/VERSION")
+arch=$(cat "${BASEDIR}/ARCH")
+
+function build_podman() {
+  pushd "$1"
+    make GOARCH="${arch}" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}"
+    make GOARCH="${arch}" podman-mac-helper
+    cp bin/darwin/podman "contrib/pkginstaller/out/packaging/${binDir}/podman"
+    cp bin/darwin/podman-mac-helper "contrib/pkginstaller/out/packaging/${binDir}/podman-mac-helper"
+  popd
+}
+
+function sign() {
+  if [ "${NO_CODESIGN}" -eq "1" ]; then
+    return
+  fi
+  local opts=""
+  entitlements="${BASEDIR}/$(basename "$1").entitlements"
+  if [ -f "${entitlements}" ]; then
+      opts="--entitlements ${entitlements}"
+  fi
+  codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force ${opts} "$1"
+}
+
+function signQemu() {
+  if [ "${NO_CODESIGN}" -eq "1" ]; then
+    return
+  fi
+
+  local qemuArch="${arch}"
+  if [ "${qemuArch}" = amd64 ]; then
+      qemuArch=x86_64
+  fi
+
+  # sign the files inside /opt/podman/qemu/lib
+  libs=$(find "${BASEDIR}"/root/podman/qemu/lib -depth -name "*.dylib" -or -type f -perm +111)
+  echo "${libs}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force % || true
+
+  # sign the files inside /opt/podman/qemu/bin except qemu-system-*
+  bins=$(find "${BASEDIR}"/root/podman/qemu/bin -depth -type f -perm +111 ! -name "qemu-system-${qemuArch}")
+  echo "${bins}" | xargs -t -I % codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force  % || true
+
+  # sign the qemu-system-* binary
+  # need to remove any extended attributes, otherwise codesign complains:
+  # qemu-system-aarch64: resource fork, Finder information, or similar detritus not allowed
+  xattr -cr "${qemuBinDir}/qemu-system-${qemuArch}"
+  codesign --deep --sign "${CODESIGN_IDENTITY}" --options runtime --timestamp --force \
+    --entitlements "${BASEDIR}/hvf.entitlements" "${qemuBinDir}/qemu-system-${qemuArch}"
+}
+
+build_podman "../../../../"
+sign "${binDir}/podman"
+sign "${binDir}/gvproxy"
+sign "${binDir}/podman-mac-helper"
+signQemu
+
+pkgbuild --identifier com.redhat.podman --version "${version}" \
+  --scripts "${BASEDIR}/scripts" \
+  --root "${BASEDIR}/root" \
+  --install-location /opt \
+  --component-plist "${BASEDIR}/component.plist" \
+  "${OUTPUT}/podman.pkg"
+
+productbuild --distribution "${BASEDIR}/Distribution" \
+  --resources "${BASEDIR}/Resources" \
+  --package-path "${OUTPUT}" \
+  "${OUTPUT}/podman-unsigned.pkg"
+rm "${OUTPUT}/podman.pkg"
+
+if [ ! "${NO_CODESIGN}" -eq "1" ]; then
+  productsign --timestamp --sign "${PRODUCTSIGN_IDENTITY}" "${OUTPUT}/podman-unsigned.pkg" "${OUTPUT}/podman-installer-macos-${arch}.pkg"
+else
+  mv "${OUTPUT}/podman-unsigned.pkg" "${OUTPUT}/podman-installer-macos-${arch}.pkg"
+fi

contrib/pkginstaller/package.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -e
+
+BZSH_PODMAN_PATH_EXP='PATH="/opt/podman/bin:$PATH"'
+FISH_PODMAN_PATH_EXP='set PATH "/opt/podman/bin $PATH"'
+BASHRC_PATH="$HOME/.bash_profile"
+ZSHENV_PATH="$HOME/.zshenv"
+ZSHRC_PATH="$HOME/.zshrc"
+FSHCFG_PATH="$HOME/.config/fish/config.fish"
+
+# append /Applications/podman/bin to $PATH
+if [ -f "$BASHRC_PATH" ]; then
+    grep -Fxq "$BZSH_PODMAN_PATH_EXP" "$BASHRC_PATH" || echo "$BZSH_PODMAN_PATH_EXP" >> "$BASHRC_PATH"
+fi
+if [ -f "$ZSHENV_PATH" ]; then
+    grep -Fxq "$BZSH_PODMAN_PATH_EXP" "$ZSHENV_PATH" || echo "$BZSH_PODMAN_PATH_EXP" >> "$ZSHENV_PATH"
+fi
+if [ -f "$ZSHRC_PATH" ]; then
+    grep -Fxq "$BZSH_PODMAN_PATH_EXP" "$ZSHRC_PATH" || echo "$BZSH_PODMAN_PATH_EXP" >> "$ZSHRC_PATH"
+fi
+if [ -f "$FSHCFG_PATH" ]; then
+    grep -Fxq "$FISH_PODMAN_PATH_EXP" "$FSHCFG_PATH" || echo "$FISH_PODMAN_PATH_EXP" >> "$FSHCFG_PATH"
+fi
+
+ln -s /opt/podman/bin/podman-mac-helper /opt/podman/qemu/bin/podman-mac-helper
+ln -s /opt/podman/bin/gvproxy /opt/podman/qemu/bin/gvproxy

contrib/pkginstaller/scripts/postinstall

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e
+
+rm -rf /opt/podman

contrib/pkginstaller/scripts/preinstall

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8"/>
+</head>
+<body>
+<div align="left" style="font-family: Helvetica; padding-left: 10px;">
+    <br/>
+    <p style="color: #020202; font-size: 12px;">This will install <span style="color: #46b9d6; font-size: 12px;">Podman __VERSION__</span>
+        on your computer. You will be guided through the steps necessary to install this software.</p>
+    <br/>
+    <p style="color: #abb0b0; font-size: 12px;">Click <span style="color: #626666">“Continue"</span> to continue the
+        setup</p>
+</div>
+</body>
+</html>