pinentry_mac: use pregenerated nib files

5 files changed, 38 insertions, 13 deletions

diff --git a/pkgs/tools/security/pinentry/mac.nix b/pkgs/tools/security/pinentry/mac.nix
index fbd5a3a31f955..daf2d82d66b04 100644
--- a/pkgs/tools/security/pinentry/mac.nix
+++ b/pkgs/tools/security/pinentry/mac.nix
@@ -6,11 +6,16 @@
 , libgpg-error
 , libiconv
 , texinfo
+, common-updater-scripts
+, writers
 , Cocoa
 }:
 
 stdenv.mkDerivation rec {
   pname = "pinentry-mac";
+
+  # NOTE: Don't update manually. Use passthru.updateScript on a Mac with XCode
+  # installed.
   version = "1.1.1.1";
 
   src = fetchFromGitHub {
@@ -20,8 +25,11 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-QnDuqFrI/U7aZ5WcOCp5vLE+w59LVvDGOFNQy9fSy70=";
   };
 
+  # use pregenerated nib files because generating them requires XCode
   postPatch = ''
-    substituteInPlace macosx/Makefile.am --replace ibtool /usr/bin/ibtool
+    cp -r ${./mac/Main.nib} macosx/Main.nib
+    cp -r ${./mac/Pinentry.nib} macosx/Pinentry.nib
+    chmod -R u+w macosx/*.nib
   '';
 
   nativeBuildInputs = [ autoreconfHook texinfo ];
@@ -29,25 +37,42 @@ stdenv.mkDerivation rec {
 
   configureFlags = [ "--enable-maintainer-mode" "--disable-ncurses" ];
 
-  # This is required to let ibtool run.
-  sandboxProfile = ''
-    (allow process-exec
-      (literal "/usr/bin/ibtool")
-      (regex "/Xcode.app/Contents/Developer/usr/bin/ibtool")
-      (regex "/Xcode.app/Contents/Developer/usr/bin/xcodebuild")
-      (literal "/usr/libexec/PlistBuddy"))
-    (allow file-read*)
-    (deny file-read* (subpath "/usr/local") (with no-log))
-    (allow file-write* (subpath "/private/var/folders"))
-  '';
-
   installPhase = ''
     mkdir -p $out/Applications
     mv macosx/pinentry-mac.app $out/Applications
   '';
 
+  enableParallelBuilding = true;
+
   passthru = {
     binaryPath = "Applications/pinentry-mac.app/Contents/MacOS/pinentry-mac";
+    updateScript = writers.writeBash "update-pinentry-mac" ''
+      set -euxo pipefail
+
+      main() {
+        tag="$(queryLatestTag)"
+        ver="$(expr "$tag" : 'v\(.*\)')"
+
+        ${common-updater-scripts}/bin/update-source-version pinentry_mac "$ver"
+
+        cd ${lib.escapeShellArg ./.}
+        rm -rf mac
+        mkdir mac
+
+        srcDir="$(nix-build ../../../.. --no-out-link -A pinentry_mac.src)"
+        for path in "$srcDir"/macosx/*.xib; do
+          filename="''${path##*/}"
+          /usr/bin/ibtool --compile "mac/''${filename%.*}.nib" "$path"
+        done
+      }
+
+      queryLatestTag() {
+        curl -sS https://api.github.com/repos/GPGTools/pinentry/tags \
+          | jq -r '.[] | .name' | sort --version-sort | tail -1
+      }
+
+      main
+    '';
   };
 
   meta = {
diff --git a/pkgs/tools/security/pinentry/mac/Main.nib/keyedobjects-101300.nib b/pkgs/tools/security/pinentry/mac/Main.nib/keyedobjects-101300.nib
new file mode 100644
index 0000000000000..18cc1c8b46f55
--- /dev/null
+++ b/pkgs/tools/security/pinentry/mac/Main.nib/keyedobjects-101300.nib
Binary files differdiff --git a/pkgs/tools/security/pinentry/mac/Main.nib/keyedobjects.nib b/pkgs/tools/security/pinentry/mac/Main.nib/keyedobjects.nib
new file mode 100644
index 0000000000000..90635122ffdc6
--- /dev/null
+++ b/pkgs/tools/security/pinentry/mac/Main.nib/keyedobjects.nib
Binary files differdiff --git a/pkgs/tools/security/pinentry/mac/Pinentry.nib/keyedobjects-101300.nib b/pkgs/tools/security/pinentry/mac/Pinentry.nib/keyedobjects-101300.nib
new file mode 100644
index 0000000000000..6df3d5f462270
--- /dev/null
+++ b/pkgs/tools/security/pinentry/mac/Pinentry.nib/keyedobjects-101300.nib
Binary files differdiff --git a/pkgs/tools/security/pinentry/mac/Pinentry.nib/keyedobjects.nib b/pkgs/tools/security/pinentry/mac/Pinentry.nib/keyedobjects.nib
new file mode 100644
index 0000000000000..aa8bca0d085e2
--- /dev/null
+++ b/pkgs/tools/security/pinentry/mac/Pinentry.nib/keyedobjects.nib
Binary files differ