Add undocumented option to sign CMake's own binaries on Windows

29f4f70b · Brad King · 1069a3f0 · 29f4f70b · 29f4f70b
Commit 29f4f70b authored 5 years ago by Brad King
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -822,4 +822,10 @@ if(NOT CMake_TEST_EXTERNAL_CMAKE)

  # Install auxiliary files integrating with other tools.
  add_subdirectory(Auxiliary)
+
+  # Optionally sign installed binaries.
+  if(CMake_INSTALL_SIGNTOOL)
+    configure_file(Source/CMakeInstallSignTool.cmake.in Source/CMakeInstallSignTool.cmake @ONLY)
+    install(SCRIPT ${CMAKE_CURRENT_BINARY_DIR}/Source/CMakeInstallSignTool.cmake)
+  endif()
 endif()
--- a/Source/CMakeInstallSignTool.cmake.in
+++ b/Source/CMakeInstallSignTool.cmake.in
+# The signtool.  Default to PATH.
+set(CMake_INSTALL_SIGNTOOL "@CMake_INSTALL_SIGNTOOL@")
+if(NOT CMake_INSTALL_SIGNTOOL)
+  set(CMake_INSTALL_SIGNTOOL signtool)
+endif()
+
+# Select a certificate by Subject Name.  Default to automatic selection.
+set(CMake_INSTALL_SIGNTOOL_SUBJECT_NAME "@CMake_INSTALL_SIGNTOOL_SUBJECT_NAME@")
+if(CMake_INSTALL_SIGNTOOL_SUBJECT_NAME)
+  set(select_cert -n "${CMake_INSTALL_SIGNTOOL_SUBJECT_NAME}")
+else()
+  set(select_cert -a)
+endif()
+
+# Timestamp URL.  Default to a common provider.
+set(CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL "@CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL@")
+if(NOT CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL)
+  set(CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL "http://timestamp.digicert.com")
+endif()
+
+# Glob files that need a signature.
+file(GLOB files "$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/bin/*.exe")
+
+# Sign all files at once.
+if(files)
+  # Run the signtool through 'cmd /c' to enable password prompt popup.
+  # Some providers have trouble when signtool is invoked with SW_HIDE.
+  set(cmd cmd /c "${CMake_INSTALL_SIGNTOOL}" sign -v ${select_cert})
+
+  # Sign with SHA-1 for Windows 7 and below.
+  execute_process(
+    COMMAND ${cmd} -t  "${CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL}" ${files}
+    RESULT_VARIABLE result
+    ERROR_VARIABLE stderr
+    )
+  if(NOT result EQUAL 0)
+    string(REPLACE "\n" "\n  " stderr "  ${stderr}")
+    message(WARNING "signtool failed:\n${stderr}")
+  endif()
+
+  # Sign with SHA-256 for Windows 8 and above.
+  execute_process(
+    COMMAND ${cmd} -tr "${CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL}" -fd sha256 -td sha256 -as ${files}
+    RESULT_VARIABLE result
+    ERROR_VARIABLE stderr
+    )
+  if(NOT result EQUAL 0)
+    string(REPLACE "\n" "\n  " stderr "  ${stderr}")
+    message(WARNING "signtool failed:\n${stderr}")
+  endif()
+endif()