GitLab

At the moment CMake users on Windows have a problem when CMake releases are being published. The software is not digitally signed using "authenticode".

Microsoft Edge browser, and others, initially block unseen, unsigned new software.

This is a common practice on Windows to sign the binaries. It ensures that the software comes from that specific vendor and that it hasn't been tampered with it. It also provides the date at which it has been signed.

This is more or less like the websites using SSL. cmake.org is using "Let's Encrypt" certificates, but kitware.com is using certificates from DigiCert, which unlinke "Let's Encrypt" it offers Authenticode certificates.

https://stackoverflow.com/questions/84847/how-do-i-create-a-self-signed-certificate-for-code-signing-on-windows offers the insights how to use self signed certificates.

This would be needed for developing this feature in CMake, not every developer has it's own authenticode.

CMake would need to have Authenticode support for:

• install command. Every binary and shared library needs to be signed
• CPack, for package signing.

One just needs to call signtool with the path to the certificate, which can be skipped if it's part of the computer's keystore (/a), and the timestamp url (/t):

signtool sign /v /f MyCertificate.pfx /t http://timestamp.url MyExecutable.exe
signtool sign /v /a /t http://timestamp.url MyExecutable.exe

One could have something like:

• CMAKE_AUTHENTICODE_CERTIFICATE_PATH
• CMAKE_AUTHENTICODE_CERTIFICATE_AUTO
• CMAKE_AUTHENTICODE_TIMESTAMP_URL

It would be just a add_custom_command call. But it helps all the Windows CMake users, which use CMake to develop software professionally.