From a7a3556d3b4407509b0fae1249925b0ea693904a Mon Sep 17 00:00:00 2001
From: Nikolay Igotti <olonho@users.noreply.github.com>
Date: Thu, 25 Feb 2021 17:46:15 +0300
Subject: [PATCH] Sealing on Linux (#68)

---
 skiko/build.gradle.kts |  21 ++++++++++++++++++++-
 skiko/tools/sealer     | Bin 0 -> 13328 bytes
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100755 skiko/tools/sealer

diff --git a/skiko/build.gradle.kts b/skiko/build.gradle.kts
index 2d6fbd652..d704bdb59 100644
--- a/skiko/build.gradle.kts
+++ b/skiko/build.gradle.kts
@@ -317,6 +317,21 @@ fun localSign(signer: String, lib: File): File {
     return lib
 }
 
+// See https://github.com/olonho/sealer.
+fun sealBinary(sealer: String, lib: File) {
+    println("Sealing $lib by $sealer")
+    val proc = ProcessBuilder(sealer, "-f", lib.absolutePath, "-p", "Java_")
+        .redirectOutput(ProcessBuilder.Redirect.INHERIT)
+        .redirectError(ProcessBuilder.Redirect.INHERIT)
+        .start()
+    proc.waitFor(2, TimeUnit.MINUTES)
+    if (proc.exitValue() != 0) {
+        throw GradleException("Cannot seal $lib")
+    }
+    println("Sealed!")
+}
+
+
 fun remoteSign(signHost: String, lib: File, out: File) {
     println("Remote signing $lib on $signHost")
     val user = skiko.signUser ?: error("signUser is null")
@@ -445,12 +460,16 @@ val maybeSign by project.tasks.registering {
     outputs.files(output)
 
     doLast {
+        if (targetOs == OS.Linux) {
+            // Linux requires additional sealing to run on wider set of platforms.
+            val sealer = "$projectDir/tools/sealer"
+            sealBinary(sealer, lib)
+        }
         if (skiko.signHost != null) {
             remoteSign(skiko.signHost!!, lib, output)
         } else {
             lib.copyTo(output, overwrite = true)
         }
-
     }
 }
 
diff --git a/skiko/tools/sealer b/skiko/tools/sealer
new file mode 100755
index 0000000000000000000000000000000000000000..9c9605c449086d44bb99b025e1f5a36dbba25261
GIT binary patch
literal 13328
zcmeHOe{dYteSdc+$wId8WE+A2gSP|)LF_{&#>gfycaqMmJd&*#i8NF2`lLHa2lqpB
zw?|}RgHzdror@h!5*W{rOq9~jxJf!ur&Ay{;4^k@=rGNtLsCymC#nZJ5)!UR2wc*}
z>gW4@oc30_nNDW<pWe;x_kDl9@B6+VyKmpSr$U`O-7XhX$<1~!!X|10oFwjyjcw$p
zq_wbXSb*KaZelf{RO1S84ndJquqaI{SS#f`fK|9!+=9^J4)BbE>jjx9s5~S{<t?Ou
z%nJC{8i6Xvn8pdDN4_@P!coBeJfq-#>BoqKN{>*|Ym$0RQcuBxbWA~2KdKvDJ<?u}
zI{=LE00Gv{?+cJ*DRsYRMkwFz<0xQ&XB0dr$V@?{_eJQDpa0iXF9r9?@+!q;O4d(7
ziL$%mvA(Ta?uth?#be3r$fl8&t(&%P@n=&0yLr9IKFL0?yO)=w;@AL;e7+VJ^#S7l
z>ic!;e(0Ip*VFn!DB-StZlozzOY*C5kquriUePK}1Bw0JUwpEbV5LONr35}*flkf4
zl>GG-=<OBgcUGVqpli6C=^+r7D);^h^pzFpn=8;;KwradV28E+$T6n+Cqw)7Q*&))
z!_jm)m1e_PGsA|{v7|Y`5{d9I%b4kSG|3XtM1NwK4Mxq>u*q<R(}Muu7zP<JGN717
zA{-;izz9$inZZOVDOm=4ptGa3&A8itxBnja;I{qj82RVoKgLx5%-$HghGde&L@I9B
z&mr}R6+9<ys(v&#P`^>BLDrjORo^9^W~0j?%2k?dbPuP9TeFR>#vE~4Y;^m)6tL0l
z<5IWLOKkx=-8MQZTuOgxqt}(FjP1A4sZXe+kIvTWx$2v5)R=xWZ&pv821g$~UwckS
z%-^#Xtog=karbQqAV>HRF{dZzks9j=r%+87IPNB#LNuM{`0sB3?jd}F<G&`HLNYzh
z@%IU*P)v_;{4(Jbg6YE?|5w7PIi`m>{?CL{D5m#w{2vLY5KMP-d@t~UG2lFH{-DG9
z`99sctdG7s*WJ@`F+aXK!1Rk}n>o1n^;H2jH3-Fz27DVZNM9a7p!6@$-CXxFnV_&-
zbA|}>lLKSt26*!OHXPyhU*qy$yTXArr=PuYzkasp(OnnxpI<fClq{@}7M%Krzpxqp
zvh4M}y7k`FlW^oh^#)K}kDTNFIOS)Klb~)LD(blquI?rdU4=)^amMIuJu$89N1Se5
zoO%m3bG;wwXD`?2uELv2tQlgLtnAxXZ(;P%+sv#PJyc-XI_~iFDC(B$eH$h&S-;d_
zgqljXLUW+t3TS$+7jRe0DGGxA$%j^GHWw<~7n)7qlItzxLT_6a&Rjx-xw)xN{xCn!
zb2FQSf$jz}4R>I(2nF3L=&n5BXD2<n^*XpkyR-H>`Cba_7&w~Gt`HX2Q{5mg{48FD
zpE+*6%z%d4PFdM^t=`F8@4Jwn67t^_^(yM4hl)&@T%8L|>iq?$6T`4^Qn#|>y48CE
z%yAhAKzktaV4Wl<eJ>#pc?5!aRUoeX54jf_&jp&S(0O5lJ9|>Z;tl;`XwnaHz^Qu#
zocp|h#US9t&?^-2=}WlfLa&gQi$nK@Fh&(9<k-=?@5o<KD*^Mp7^oVZ^gR<gEqK=J
zxh`_!r1ekK%0Hv%S!kGC=mg;#$X#lUE~@V(T}X9+iZRhmCQ#2BG={m8BQFN3kL0uW
z9X@p0W!B*C&fevF5oJNU=N~48i3?{sP!G{Be)Zox9EA&kYR^p7*o<pzH1vuK_1YH7
z`@X&&Z8J7j-eD1bsuo-keeo1cB(Fs%Lh$z|um@*+XJQ~seG%C7MN#uPIJ$OVw7A3k
z4AeR1dntcv2e@dUk&;JUr1R|sozFuG0^=otjS#pPnuP?L*_Z2`C2OK99pb^FF^MjX
zFc(*vt4euymU@0shpjhCwkCg1)kp8ob&=MbjPEgwmeJ6xi%4*rT-X+xJ@_pdiLcG(
z$v^8=o%h|p4-m*5CG0htb`b~>-Lo)n9eo(|(O2ot4*1UeI|`qA8H{O?(T_b#b83zY
z>DDh1!nZJ!AI(GZGD#jM$>StR-Q7A$GcL*^kb9PF27d}B3tEMr(i7m6heWBzBTaqy
zI|y4xhe&7iRRZ(bRcEHi?pD~H*{0{7<xF9a^yW&jIZw*DXJzHMm<aO~L}#H-Scl%>
zUE*SBj>^QaDXzgA@XYO_hh_)NTHJ?C-^>kquKL_M4X%aeX3!|rFAAhMhR|b>zH{n&
zC?Wg^z>iQcW;1BcXHTJZWXoJQqd`Ojwu$?uIDCHW!^q*xH_r`}o(=T841OtS%?BUq
zus#m<c38g%_H-U=EYxePS3kCi;Deoaytnz^^s|5P(35y7QAD+meqi3Bo-du&`<>Ru
z?XWR_?K}GDIhVd|Ci^};p#SWV;KRX3g8PC7o)M)of8!`$w|;G1J;NW*KY(pK+VQ+!
zc)a5sN4(8Ecp%Z2ifbLoNOVL?Wlb$LpzRGO2cue3V`O_{_71;zo5&nUnBhKcFlB0u
z5iOcD)3In~yM}kaSaL9<#gbYk+Hb~ENwDkK?mazU?hdg%t-C^PJ#1(1?l$%yavghi
zGd&iGYJ>4qUpTI%`W}Un)(At5nL73q)|hNJN(d)4%2Mh`_NUTml1ha8hhoVn>~GW(
z*^H_6QC_|4bf!{|Wwdzgu_$SeY~4Z@w6Da>A@W!HhB7iyl#9wJlGZp}C*D#A_zNk2
zqeZ!-9m{Bq@pwe*J77jLC^S4g9F1sZitFqOKOQ#N!1m$o+|RC5B!Worx=<OE569zL
zA3}O-W5&4i);i|8$#dTbq`kO){PFz!dBFH5^Yh;U+<``#1^g1=Dm2@ZfExini$2#0
z7zd04P5^!b@Gi_pKL*@}+2<|5HVlthz*)dmXxfL-F=<U12aE&KI*O9(iM`A<Qt!HH
z)r#6N*NS?gug6t@KX;OVOiRl%b{qI4Kl$7F`3aKs*6;K-?DDPrO6_5G|Bd(E`MKL}
zB{Iph<JyJ#-9Ut(xBh8&+v=Jg6bzL35nOHH-ws&f_bu>`fK2*-W9Pe1askr+OI-f~
ze$dW8xS)R?^dk7}cK%Zf{C7cLk2pVtxRuKHJmDe<vR?)IR}t^JGJbW5e;epg%xIPP
z?cnc0J3VhN-~AkSfP9L8e+m33@msz1-*kt(4aYqpuXd~|<Zb#!weD?xx<>c5jIQYN
z2IAh9ptm{bZEE#ut=<O6w|Z-NyHY=3=m%)#Qlj=d4|);y<tKs?Z#lCZf#nD+M_@Su
z%Mn<Pz;XnZBd{ES<p?ZC;E##G;S~X{)-53|MJOq_N}#Mz9pJgu63^o!F(tk>1XTO0
zH*xC1{?m;T*W`XGt;;B>J(1sDolg;d!W|$`+Vd@X1g`c}@@|2v?*&gVk<^|@gT$|s
zPyza~#S``cD5*6T|Lg=@t&?e^f)ecmQktv^aH!}L5?6jVb1uXFxJaseEZ2E`#-uzx
zo^f2ob57!E$(QQ???CNiI}56*32@S<B>aqoTP55n;X@J*NcgyfPfPfmgiiYpw6$&5
zntJ=PNi(Z$^MB6YylM01EJvH4+`Pr#yyXr-W@VCF{4M@1o9-5Zn}whsqMYt5!-;#)
zdt2NACmH+D?$W-zo#_F`TvEQO)Gy2Bt66?Y`5LDBZMpmkwp4q2FbY&ZDVM*7ss2_@
zuPgP-a{9{B_$;TdVsmobmeW_W@g>^JgD+d^JV?2`kE!uqPOoPLIS-W6*ObmPl+)L;
zJif*{lZUM<%^!B22cuKX8|C!ta86^toy7AV_9>?JjqOYijcPgm%jpelXi56QK6<&l
zn#~rdG_I@Ihw}>*k)wIjjd)Hv;!NKTiC!<~Tc!6WlCI`qMZXsr7iQUKq@QXY*~#gP
z<CBnf)V!|j9N_Yc<9q`2rTni{uODzbYuOuX0?3u8rR@BKi>zDJj(N~sY;iljDdpAk
zgrm5<!!wKf)qjERTB3ccQGvCHGwm8vQuF?Gplh5`e!I-+i~GZ7Zl_$9ur^Njve#uh
z@^74=?*YA@H89#&wkIE#Up$T;s$l=o3iN{&=wqDjWtqAFFP4APMDBa2_^ob?YZ(Wh
zbn3em?3}JZ|CzM^QLV7gzq!KJB<NIM=Q#QR^rg<DxZsZ_eXxUi(AT&d*svpRHxnHt
zsClMJDs2Rv+V^=G|Jx;<&Y2ONjtNkT@;i2zB>m5&yn1h;Z|qB*%Q+3bdW^d<hd=)*
z<KUbpAB7!~ceeZEvRpc^K#6}#2K=g|r(`^XoQqw}3jRD#^d;Kyg$nX7N&AOZ2DoL_
zA6}^-Uy$+>(w}ze&t=f5U7Yp00=gz;?4Xs~S>k!rpEfgQ7CT=3ED}ve2V)sCnl{XY
z(H~DGqZyneilhv&uVh5bR61jXvm>lOl^Bjk&1l4b@3wnemKHJwV#$~hPN%~M4BFT_
zzy{LcMAV366Nv**v0(-z%`#Ei>xrh}lws`L8|(@hq229<0jx|i!i@GW?+$i#w3T!C
zktmRGy3Gjb(t_T;ml+Rq?r9Bn8hdu`d@$5w^aNWwLu8d7r0UOPxzEh#=;<;RqS4dU
zMzQD#_r;_9m{uTQKTs8o4;VO|WnlM<8PQ1C49lZi<zlo0R!$Lzy~=4+ZzFOb$&ESB
zca@8ZgJI<~t`1#8?#!WT<d8TBCJ&F5YdB7dK|Yf*hQi4R>S}cCfhP9fjBF+vVN}rt
zyQPp(iwNFOG>oXBOmPa$Sx{dlBOT#~)wnqmeT~PJPP91{#MYrWA6L$!ddeel<qR?!
z$DU<&7)8+@D!f7asqRA!t2%jEvob%T22TLZw17h@ha-8>^f2=$Q)bj3Z0*=&h6g1!
zn9Tb7vN0UPj76BAu%U2fi1}p;a%iRn=kaJdgN@uW!~icHjfY84=7!@Y^YfVck@aI|
znEB1<2<|kVAe7==%pV<+BWNfBBMK9$Vkij>l}8ETM64ghr%bX8C#kFY(JIW3@tnXI
zwa*xTT%OjMn2Jl!b@jfl&Kaw9rm{}5_Vj5Ww6?=^#Z!+vARz~f<~H@*5nRUT9Hw1g
ztshKj@HQnVp;MpcS8Um)RQV^|0WNvMp<m6Z3+rWxvfaqg+E?l4-2q?>>k<xFi>z=B
zP|B)xYlC1jI*;nXrS#RhrAS01wZ0aZu%Yq<_u-<ot<qQPo3yN`dQ(>ZD>(%pgFda5
z6|UAnV^UuOpOVvmK^6XysM1&Kr3tC8*5|5xXZ?>rmqc5oLABnWl=|xX0O`{=0jK_P
z&?v6tA0_pDq#z4a^%q=GmdX>faM|_MI&DtsPuPW#ua~%j-*M=V*95r4xO7PQE7eN=
zEBt%N*vnV%GZRwZN1fZ2RJn@u0y1`ewLZ+t4@By_h?19KRVe#wsju2kz26n2zDdSy
z$yuMj1&>6OzB)Ir&eI>X=~C8NJ{@(k>#KEXUcMmH84P=Jmj5Q0w3d^@rL=xk=j)yF
zPW%_prJ|I+TIXu={|8QaC;lJMrKVE)YCWv}zo7o7p!%oMSM5maKB~XcSL^2D1`v^y
zyucQ4MSmX*yMAeXtqF}Gr6{4&Q}8#S+x6A@VMr4S%1^1j$e-VVLAI3thqe7&bVTEz
zG+qS8m?SHdT}6({Z!S?pM(K-xGb}JkmXd;NkXL1MhP*xVS&><x1SQ>payyPL#w81y
gP?(V8?`EJIajCee`J2YqQsp0R68g0crnCJ21zqP`-T(jq

literal 0
HcmV?d00001