fix permission error codesigning when parent directory is not writeable

timbertson · Feb 2, 2024 · d03f698 · d03f698
1 parent 0a1c794
commit d03f698
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 7 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,7 @@
 [workspace]
 members = [ "cli", "builder" ]
 exclude = ["redhook"]
+resolver = "2"
 
 [profile.release]
 opt-level = "s" # optimize for binary size

diff --git a/cli/src/paths.rs b/cli/src/paths.rs
@@ -143,7 +143,8 @@ use std::os::unix::fs::{PermissionsExt, symlink};
 		if mode != writeable {
 			debug!("making writeable: {:?}", path.as_ref());
 			perms.set_mode(writeable);
-			fs::set_permissions(path, perms)?;
+			fs::set_permissions(&path, perms)
+				.with_context(|| format!("adding write permissions to {:?}", path.as_ref()))?;
 		}
 		Ok(())
 	}
@@ -162,28 +163,30 @@ use std::os::unix::fs::{PermissionsExt, symlink};
 		if mode != executable {
 			debug!("making executable: {:?}", path);
 			perms.set_mode(executable);
-			fs::set_permissions(path, perms)?;
+			fs::set_permissions(path, perms)
+				.with_context(|| format!("adding execute permissions to {:?}", path.display()))?;
 		}
 		Ok(())
 	}
 
 	pub fn ensure_unwriteable<P: AsRef<Path>>(path: P) -> Result<()> {
 		let path = path.as_ref();
-		let stat = symlink_metadata(path).context("ensure_unwriteable")?;
+		let stat = symlink_metadata(path).context("ensure_unwriteable lstat")?;
 		let mut perms = stat.permissions();
 		let mode = perms.mode();
 		let unwriteable = mode & !0o222;
 		if mode != unwriteable {
 			debug!("making unwriteable: {:?}", path);
 			perms.set_mode(unwriteable);
-			fs::set_permissions(path, perms)?;
+			fs::set_permissions(&path, perms)
+				.with_context(|| format!("removing write permissions from {}", path.display()))?;
 		}
 		Ok(())
 	}
 
 	pub fn rm_recursive<P: AsRef<Path>>(path: P) -> Result<()> {
 		let path = path.as_ref();
-		let stat = symlink_metadata(path).context("rm_recursive")?;
+		let stat = symlink_metadata(path).context("rm_recursive lstat")?;
 		ensure_writeable_stat(path, &stat)?;
 		if stat.is_dir() {
 			for entry in fs::read_dir(path)? {

diff --git a/cli/src/rewrite.rs b/cli/src/rewrite.rs
@@ -108,6 +108,17 @@ pub fn rewrite_all_recursively<'a, P: AsRef<Path>, R: IntoIterator<Item=&'a Stor
 		Some(x) => x,
 	};
 
+	// first walk (top down): make all directories user-writable
+	for entry in WalkDir::new(src_path).follow_links(false).contents_first(false) {
+		let entry = entry?;
+		let stat = entry.metadata()?;
+		if stat.is_dir() {
+			let path = entry.path();
+			paths::util::ensure_writeable_stat(&path, &stat)?;
+		}
+	}
+
+	// second walk (bottom up): rewrite files and then remove write permissions
 	for entry in WalkDir::new(src_path).follow_links(false).contents_first(true) {
 		let entry = entry?;
 		let path = entry.path();
@@ -119,8 +130,9 @@ pub fn rewrite_all_recursively<'a, P: AsRef<Path>, R: IntoIterator<Item=&'a Stor
 				let file = fs::OpenOptions::new()
 					.read(true)
 					.write(true)
-					.open(&path)?;
-				let mut mmap = unsafe { MmapMut::map_mut(&file)? };
+					.open(&path)
+					.with_context(|| format!("opening {}", path.display()))?;
+				let mut mmap = unsafe { MmapMut::map_mut(&file).context("MmapMut.map_mut")? };
 				rewrite.replace_all(&mut mmap)
 			};
 			if count > 0 {