Closed
Open
Opened Mar 22, 2019 by Cristian Adam (@cristianadam, Developer)

Authenticode support in CMake

At the moment CMake users on Windows have a problem when CMake releases are being published. The software is not digitally signed using "authenticode".

Microsoft Edge browser, and others, initially block unseen, unsigned new software.

It is a common practice on Windows to sign the binaries. It ensures that the software comes from that specific vendor and that it hasn't been tampered with. It also provides the date at which it has been signed.

This is more or less like the websites using SSL. cmake.org is using "Let's Encrypt" certificates, but kitware.com is using certificates from DigiCert, which, unlike "Let's Encrypt", offers Authenticode certificates.

https://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows offers insights on how to use self-signed certificates.

This would be needed for developing this feature in CMake; not every developer has their own authenticode.

CMake would need to have Authenticode support for:

  • install command. Every binary and shared library needs to be signed
  • CPack, for package signing.

One just needs to call signtool with the path to the certificate, which can be skipped if it's part of the computer's keystore (/a), and the timestamp url (/t):

signtool sign /v /f MyCertificate.pfx /t http://timestamp.url MyExecutable.exe
signtool sign /v /a /t http://timestamp.url MyExecutable.exe

One could have something like:

  • CMAKE_AUTHENTICODE_CERTIFICATE_PATH
  • CMAKE_AUTHENTICODE_CERTIFICATE_AUTO
  • CMAKE_AUTHENTICODE_TIMESTAMP_URL

It would be just an add_custom_command call. But it helps all the Windows CMake users who use CMake to develop software professionally.
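
The add_custom_command approach described in the issue, sketched as an added example that is not part of the original issue or of CMake itself. The function name `authenticode_sign` is hypothetical, the three `CMAKE_AUTHENTICODE_*` variables are the names proposed above and are not defined by CMake, and `/fd SHA256` is added to the issue's signtool flags as an assumption about what the signing policy should be.

```cmake
# Added example: hypothetical helper, not CMake's own API.
# Reads the three variables proposed in the issue and signs a target after it is built.
function(authenticode_sign target)
  if(NOT CMAKE_HOST_WIN32)
    return()  # signtool only exists on Windows hosts
  endif()

  # Only signable binaries: executables and shared/module libraries.
  get_target_property(type ${target} TYPE)
  if(NOT type MATCHES "^(EXECUTABLE|SHARED_LIBRARY|MODULE_LIBRARY)$")
    return()
  endif()

  find_program(SIGNTOOL_EXECUTABLE signtool)
  if(NOT SIGNTOOL_EXECUTABLE)
    message(FATAL_ERROR "signtool not found; add the Windows SDK bin directory to PATH")
  endif()

  # /fd SHA256 is not in the issue's command lines (assumption, see lead-in).
  set(args sign /v /fd SHA256)

  # Exactly one certificate source: a .pfx file (/f) or the machine keystore (/a).
  if(CMAKE_AUTHENTICODE_CERTIFICATE_PATH AND CMAKE_AUTHENTICODE_CERTIFICATE_AUTO)
    message(FATAL_ERROR "Set either CMAKE_AUTHENTICODE_CERTIFICATE_PATH or "
                        "CMAKE_AUTHENTICODE_CERTIFICATE_AUTO, not both")
  elseif(CMAKE_AUTHENTICODE_CERTIFICATE_PATH)
    if(NOT EXISTS "${CMAKE_AUTHENTICODE_CERTIFICATE_PATH}")
      message(FATAL_ERROR "Certificate not found: ${CMAKE_AUTHENTICODE_CERTIFICATE_PATH}")
    endif()
    list(APPEND args /f "${CMAKE_AUTHENTICODE_CERTIFICATE_PATH}")
  elseif(CMAKE_AUTHENTICODE_CERTIFICATE_AUTO)
    list(APPEND args /a)
  else()
    message(FATAL_ERROR "No Authenticode certificate source configured")
  endif()

  # Without a timestamp the signature stops validating once the certificate expires.
  if(CMAKE_AUTHENTICODE_TIMESTAMP_URL)
    list(APPEND args /t "${CMAKE_AUTHENTICODE_TIMESTAMP_URL}")
  else()
    message(WARNING "CMAKE_AUTHENTICODE_TIMESTAMP_URL is not set; ${target} will be signed without a timestamp")
  endif()

  # A non-zero exit from signtool fails the build, so unsigned output is not shipped silently.
  add_custom_command(TARGET ${target} POST_BUILD
    COMMAND "${SIGNTOOL_EXECUTABLE}" ${args} "$<TARGET_FILE:${target}>"
    COMMENT "Authenticode-signing ${target}"
    VERBATIM)
endfunction()
```

Call `authenticode_sign(<target>)` after `add_executable` or `add_library`; this signs the build-tree binary only and does not cover CPack package signing, which the issue lists separately.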

Reference: cmake/cmake#19077