linuxkit: Sign binary with entitlements on Darwin

{ lib, stdenv, buildGoModule, fetchFromGitHub, git, Cocoa, Virtualization, testers, linuxkit }:

{ lib, stdenv, buildGoModule, fetchFromGitHub, git, Cocoa, Virtualization, sigtool, testers, linuxkit }:

buildGoModule rec {

  pname = "linuxkit";

  modRoot = "./src/cmd/linuxkit";

  patches = [ ./darwin-os-version.patch ./support-apple-11-sdk.patch ];

  patches = [

    ./darwin-os-version.patch

    ./support-apple-11-sdk.patch

  ];

  # - On macOS, an executable must be signed with the right entitlement(s) to be

  #   able to use the Virtualization framework at runtime.

  # - sigtool is allows us to validly sign such executables with a dummy

  #   authority.

  nativeBuildInputs = lib.optionals stdenv.isDarwin [ sigtool ];

  buildInputs = lib.optionals stdenv.isDarwin [ Cocoa Virtualization ];

  ldflags = [

  nativeCheckInputs = [ git ];

  # - Because this package definition doesn't build using the source's Makefile,

  #   we must manually call the sign target.

  # - The binary stripping that nixpkgs does by default in the

  #   fixup phase removes such signing and entitlements, so we have to sign

  #   after stripping.

  # - Finally, at the start of the fixup phase, the working directory is

  #   $sourceRoot/src/cmd/linuxkit, so it's simpler to use the sign target from

  #   the Makefile in that directory rather than $sourceRoot/Makefile.

  postFixup = lib.optionalString stdenv.isDarwin ''

    make sign LOCAL_TARGET=$out/bin/linuxkit

  '';

  passthru.tests.version = testers.testVersion {

    package = linuxkit;

    command = "linuxkit version";

  linuxkit = callPackage ../development/tools/misc/linuxkit {

    inherit (darwin.apple_sdk_11_0.frameworks) Cocoa Virtualization;

    inherit (darwin) sigtool;

  };

  listenbrainz-mpd = callPackage ../applications/audio/listenbrainz-mpd  {