docker(install): SIGN_QEMU_BINARY env as workaround to replace existing signature

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

__tests__/docker/install.test.itg.ts

@@ -15,7 +15,7 @@
  */
 
 import path from 'path';
-import {jest, describe, expect, test} from '@jest/globals';
+import {jest, describe, expect, test, beforeEach, afterEach} from '@jest/globals';
 
 import {Install} from '../../src/docker/install';
 import {Docker} from '../../src/docker/docker';
@@ -24,7 +24,17 @@ import {Docker} from '../../src/docker/docker';
 const tmpDir = path.join(process.env.TEMP || '/tmp', 'docker-install-jest');
 
 describe('install', () => {
-  jest.retryTimes(2, {logErrorsBeforeRetry: true});
+  const originalEnv = process.env;
+  beforeEach(() => {
+    jest.resetModules();
+    process.env = {
+      ...originalEnv,
+      SIGN_QEMU_BINARY: '1'
+    };
+  });
+  afterEach(() => {
+    process.env = originalEnv;
+  });
   // prettier-ignore
   test.each(['v24.0.5'])(
     'install docker %s', async (version) => {
@@ -40,5 +50,5 @@ describe('install', () => {
         await Docker.printInfo();
         await install.tearDown();
       })()).resolves.not.toThrow();
-    }, 100000);
+    }, 600000);
 });

src/docker/assets.ts

@@ -336,3 +336,14 @@ mounts: []
 # Default: {}
 env: {}
 `;
+
+export const qemuEntitlements = `
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.hypervisor</key>
+    <true/>
+</dict>
+</plist>
+`;

src/docker/install.ts

@@ -29,7 +29,7 @@ import * as tc from '@actions/tool-cache';
 import {Context} from '../context';
 import {Exec} from '../exec';
 import {Util} from '../util';
-import {colimaYamlData, dockerServiceLogsPs1, setupDockerLinuxSh, setupDockerWinPs1} from './assets';
+import {colimaYamlData, dockerServiceLogsPs1, qemuEntitlements, setupDockerLinuxSh, setupDockerWinPs1} from './assets';
 import {GitHubRelease} from '../types/github';
 
 export interface InstallOpts {
@@ -147,6 +147,21 @@ export class Install {
       core.info(colimaCfg);
     });
 
+    const qemuArch = await Install.qemuArch();
+    await core.group('QEMU version', async () => {
+      await Exec.exec(`qemu-system-${qemuArch} --version`);
+    });
+
+    // https://github.com/abiosoft/colima/issues/786#issuecomment-1693629650
+    if (process.env.SIGN_QEMU_BINARY === '1') {
+      await core.group('Signing QEMU binary with entitlements', async () => {
+        const qemuEntitlementsFile = path.join(Context.tmpDir(), 'qemu-entitlements.xml');
+        core.info(`Writing entitlements to ${qemuEntitlementsFile}`);
+        fs.writeFileSync(qemuEntitlementsFile, qemuEntitlements);
+        await Exec.exec(`codesign --sign - --entitlements ${qemuEntitlementsFile} --force /usr/local/bin/qemu-system-${qemuArch}`);
+      });
+    }
+
     // colima is already started on the runner so env var added in download
     // method is not expanded to the running process.
     const envs = Object.assign({}, process.env, {
@@ -154,6 +169,7 @@ export class Install {
     }) as {
       [key: string]: string;
     };
+
     await core.group('Starting colima', async () => {
       try {
         await Exec.exec('colima', ['start', '--very-verbose'], {env: envs});
@@ -377,6 +393,20 @@ export class Install {
       });
   }
 
+  private static async qemuArch(): Promise<string> {
+    switch (os.arch()) {
+      case 'x64': {
+        return 'x86_64';
+      }
+      case 'arm64': {
+        return 'aarch64';
+      }
+      default: {
+        return os.arch();
+      }
+    }
+  }
+
   public static async getRelease(version: string): Promise<GitHubRelease> {
     const url = `https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/docker-releases.json`;
     const http: httpm.HttpClient = new httpm.HttpClient('docker-actions-toolkit');