diff options
| -rw-r--r-- | CMakeLists.txt | 6 | ||||
| -rw-r--r-- | Source/CMakeInstallSignTool.cmake.in | 51 |
2 files changed, 57 insertions, 0 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 9274a8a..51a1d8b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -822,4 +822,10 @@ if(NOT CMake_TEST_EXTERNAL_CMAKE) # Install auxiliary files integrating with other tools. add_subdirectory(Auxiliary) + + # Optionally sign installed binaries. + if(CMake_INSTALL_SIGNTOOL) + configure_file(Source/CMakeInstallSignTool.cmake.in Source/CMakeInstallSignTool.cmake @ONLY) + install(SCRIPT ${CMAKE_CURRENT_BINARY_DIR}/Source/CMakeInstallSignTool.cmake) + endif() endif() diff --git a/Source/CMakeInstallSignTool.cmake.in b/Source/CMakeInstallSignTool.cmake.in new file mode 100644 index 0000000..fca629c --- /dev/null +++ b/Source/CMakeInstallSignTool.cmake.in @@ -0,0 +1,51 @@ +# The signtool. Default to PATH. +set(CMake_INSTALL_SIGNTOOL "@CMake_INSTALL_SIGNTOOL@") +if(NOT CMake_INSTALL_SIGNTOOL) + set(CMake_INSTALL_SIGNTOOL signtool) +endif() + +# Select a certificate by Subject Name. Default to automatic selection. +set(CMake_INSTALL_SIGNTOOL_SUBJECT_NAME "@CMake_INSTALL_SIGNTOOL_SUBJECT_NAME@") +if(CMake_INSTALL_SIGNTOOL_SUBJECT_NAME) + set(select_cert -n "${CMake_INSTALL_SIGNTOOL_SUBJECT_NAME}") +else() + set(select_cert -a) +endif() + +# Timestamp URL. Default to a common provider. +set(CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL "@CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL@") +if(NOT CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL) + set(CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL "http://timestamp.digicert.com") +endif() + +# Glob files that need a signature. +file(GLOB files "$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/bin/*.exe") + +# Sign all files at once. +if(files) + # Run the signtool through 'cmd /c' to enable password prompt popup. + # Some providers have trouble when signtool is invoked with SW_HIDE. + set(cmd cmd /c "${CMake_INSTALL_SIGNTOOL}" sign -v ${select_cert}) + + # Sign with SHA-1 for Windows 7 and below. + execute_process( + COMMAND ${cmd} -t "${CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL}" ${files} + RESULT_VARIABLE result + ERROR_VARIABLE stderr + ) + if(NOT result EQUAL 0) + string(REPLACE "\n" "\n " stderr " ${stderr}") + message(WARNING "signtool failed:\n${stderr}") + endif() + + # Sign with SHA-256 for Windows 8 and above. + execute_process( + COMMAND ${cmd} -tr "${CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL}" -fd sha256 -td sha256 -as ${files} + RESULT_VARIABLE result + ERROR_VARIABLE stderr + ) + if(NOT result EQUAL 0) + string(REPLACE "\n" "\n " stderr " ${stderr}") + message(WARNING "signtool failed:\n${stderr}") + endif() +endif() |