Home Explore Help
Register Sign In
Apq
/
CMake
mirror of https://github.com/Kitware/CMake.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Add undocumented option to sign CMake's own binaries on Windows

Brad King 6 years ago
parent
1069a3f02b
commit
29f4f70b41
2 changed files with 57 additions and 0 deletions
Split View Show Diff Stats
  1. 6 0
      CMakeLists.txt
  2. 51 0
      Source/CMakeInstallSignTool.cmake.in

+ 6 - 0
CMakeLists.txt
View File 

@@ -822,4 +822,10 @@ if(NOT CMake_TEST_EXTERNAL_CMAKE)
 
 
   # Install auxiliary files integrating with other tools.
 
   add_subdirectory(Auxiliary)
 
+
 
+  # Optionally sign installed binaries.
 
+  if(CMake_INSTALL_SIGNTOOL)
 
+    configure_file(Source/CMakeInstallSignTool.cmake.in Source/CMakeInstallSignTool.cmake @ONLY)
 
+    install(SCRIPT ${CMAKE_CURRENT_BINARY_DIR}/Source/CMakeInstallSignTool.cmake)
 
+  endif()
 
 endif()

+ 51 - 0
Source/CMakeInstallSignTool.cmake.in
View File 

@@ -0,0 +1,51 @@
 
+# The signtool.  Default to PATH.
 
+set(CMake_INSTALL_SIGNTOOL "@CMake_INSTALL_SIGNTOOL@")
 
+if(NOT CMake_INSTALL_SIGNTOOL)
 
+  set(CMake_INSTALL_SIGNTOOL signtool)
 
+endif()
 
+
 
+# Select a certificate by Subject Name.  Default to automatic selection.
 
+set(CMake_INSTALL_SIGNTOOL_SUBJECT_NAME "@CMake_INSTALL_SIGNTOOL_SUBJECT_NAME@")
 
+if(CMake_INSTALL_SIGNTOOL_SUBJECT_NAME)
 
+  set(select_cert -n "${CMake_INSTALL_SIGNTOOL_SUBJECT_NAME}")
 
+else()
 
+  set(select_cert -a)
 
+endif()
 
+
 
+# Timestamp URL.  Default to a common provider.
 
+set(CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL "@CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL@")
 
+if(NOT CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL)
 
+  set(CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL "http://timestamp.digicert.com")
 
+endif()
 
+
 
+# Glob files that need a signature.
 
+file(GLOB files "$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/bin/*.exe")
 
+
 
+# Sign all files at once.
 
+if(files)
 
+  # Run the signtool through 'cmd /c' to enable password prompt popup.
 
+  # Some providers have trouble when signtool is invoked with SW_HIDE.
 
+  set(cmd cmd /c "${CMake_INSTALL_SIGNTOOL}" sign -v ${select_cert})
 
+
 
+  # Sign with SHA-1 for Windows 7 and below.
 
+  execute_process(
 
+    COMMAND ${cmd} -t  "${CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL}" ${files}
 
+    RESULT_VARIABLE result
 
+    ERROR_VARIABLE stderr
 
+    )
 
+  if(NOT result EQUAL 0)
 
+    string(REPLACE "\n" "\n  " stderr "  ${stderr}")
 
+    message(WARNING "signtool failed:\n${stderr}")
 
+  endif()
 
+
 
+  # Sign with SHA-256 for Windows 8 and above.
 
+  execute_process(
 
+    COMMAND ${cmd} -tr "${CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL}" -fd sha256 -td sha256 -as ${files}
 
+    RESULT_VARIABLE result
 
+    ERROR_VARIABLE stderr
 
+    )
 
+  if(NOT result EQUAL 0)
 
+    string(REPLACE "\n" "\n  " stderr "  ${stderr}")
 
+    message(WARNING "signtool failed:\n${stderr}")
 
+  endif()
 
+endif()