summaryrefslogtreecommitdiff
path: root/src/ipa/ipa-sign-install.sh
AgeCommit message (Collapse)Author
2020-05-13ipa: Only sign IPA modules that are being installedLaurent Pinchart
The ipa-sign-install.sh script, run when installing libcamera, signs all IPA modules present in the module directory. This would result in third-party modules being signed if any are present in the directory. Fix it by explicitly passing the list of IPA modules to the ipa-sign-install.sh script. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Tested-by: Tomasz Figa <tfiga@chromium.org> Reviewed-by: Tomasz Figa <tfiga@chromium.org>
2020-04-29libcamera: Regenerate IPA module signatures at install timeLaurent Pinchart
When the IPA modules are installed, meson strips the DT_RPATH and DT_RUNPATH from the binaries. This invalidates the signatures. Disable installation of the .sign files and add an installation script to regenerate them directly in the target directory. The .sign files still need to be created at build time to support running IPA modules from the build tree. Two alternative approaches have been considered: - meson could be taught a new target argument to preserve binary compatibility by skipping any operation that modifies files. This has been proposed in the #mesonbuild IRC channel. While this could be interesting in the longer term, we need to fix the issue now. - The module signatures could be computed on selected sections only. While skipping the .dynamic section when signing may not cause security issues, it would make signature generation and verification more complex, and wasn't deemed worth it. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>