cmake: Fix and improve Code Signing on Windows

It was sometimes impossible to sign the binaries on Windows, depending on how CMake was being run. By explicitly converting to the intended native format, we avoid this problem for most situations. Additionally we now support per-project certificates, instead of global certificates only. This also allows multiple uses of cmake-codesign in the same overall project.
2024-12-28 02:21:25 +00:00 · 2021-11-26 02:46:38 +01:00 · 2021-11-26 02:46:38 +01:00 · 1f78de676d
commit 1f78de676d
parent 5b3aed3aff
2 changed files with 50 additions and 4 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -356,6 +356,26 @@ endif()
 if(${PREFIX}ENABLE_CODESIGN AND (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/cmake/codesign/CodeSign.cmake"))
 	include("cmake/codesign/CodeSign.cmake")
 	set(HAVE_CODESIGN ON)
+
+	set(${PREFIX}CODESIGN_FILE "" CACHE FILEPATH "Path to Code-Signing certificate.")
+	if(WIN32)
+		set(${PREFIX}CODESIGN_NAME "" CACHE STRING "Name of Code-Signing certificate in Windows's certificate storage.")
+	endif()
+	set(${PREFIX}CODESIGN_PASS "" CACHE STRING "Password for Code-Signing certificate.")
+	set(${PREFIX}CODESIGN_TIMESTAMPS ON CACHE BOOL "Should the resulting binary be timestamped?")
+
+	set(_CODESIGN_FILE "$ENV{${PREFIX}CODESIGN_FILE}")
+	if(${PREFIX}CODESIGN_FILE)
+		set(_CODESIGN_FILE "${${PREFIX}CODESIGN_FILE}")
+	endif()
+	set(_CODESIGN_NAME "$ENV{${PREFIX}CODESIGN_NAME}")
+	if(${PREFIX}CODESIGN_NAME)
+		set(_CODESIGN_NAME "${${PREFIX}CODESIGN_NAME}")
+	endif()
+	set(_CODESIGN_PASS "$ENV{${PREFIX}CODESIGN_PASS}")
+	if(${PREFIX}CODESIGN_PASS)
+		set(_CODESIGN_PASS "${${PREFIX}CODESIGN_PASS}")
+	endif()
 endif()

 ################################################################################
@ -1930,7 +1950,17 @@ endif()

 # Code Sign
 if(HAVE_CODESIGN)
-	codesign(TARGETS ${PROJECT_NAME})
+	set(_CODESIGN_TIMESTAMP "")
+	if(${PREFIX}CODESIGN_TIMESTAMPS)
+		set(_CODESIGN_TIMESTAMP "TIMESTAMPS")
+	endif()
+	codesign(
+		TARGETS ${PROJECT_NAME}
+		CERTIFICATE_FILE "${_CODESIGN_FILE}"
+		CERTIFICATE_NAME "${_CODESIGN_NAME}"
+		CERTIFICATE_PASS "${_CODESIGN_PASS}"
+		${_CODESIGN_TIMESTAMP}
+	)
 endif()

 ################################################################################
@ -2129,8 +2159,24 @@ if(NOT ${PREFIX}OBS_NATIVE)
 			file(TO_NATIVE_PATH "${ISS_MSVCHELPER_PATH}" ISS_MSVCHELPER_PATH)

 			if(HAVE_CODESIGN)
-				codesign_command_win32(SHA1 RETURN_BIN ISS_CODESIGN_BIN_SHA1 RETURN_ARGS ISS_CODESIGN_CMD_SHA1)
-				codesign_command_win32(SHA2 APPEND RETURN_BIN ISS_CODESIGN_BIN_SHA2 RETURN_ARGS ISS_CODESIGN_CMD_SHA2)
+				codesign_command_win32(
+					SHA1
+					RETURN_BIN ISS_CODESIGN_BIN_SHA1
+					RETURN_ARGS ISS_CODESIGN_CMD_SHA1
+					CERTIFICATE_FILE "${_CODESIGN_FILE}"
+					CERTIFICATE_NAME "${_CODESIGN_NAME}"
+					CERTIFICATE_PASS "${_CODESIGN_PASS}"
+					${_CODESIGN_TIMESTAMP}
+				)
+				codesign_command_win32(
+					SHA2 APPEND
+					RETURN_BIN ISS_CODESIGN_BIN_SHA2
+					RETURN_ARGS ISS_CODESIGN_CMD_SHA2
+					CERTIFICATE_FILE "${_CODESIGN_FILE}"
+					CERTIFICATE_NAME "${_CODESIGN_NAME}"
+					CERTIFICATE_PASS "${_CODESIGN_PASS}"
+					${_CODESIGN_TIMESTAMP}
+				)
 				list(JOIN ISS_CODESIGN_CMD_SHA1 " " ISS_CODESIGN_CMD_SHA1)
 				list(JOIN ISS_CODESIGN_CMD_SHA2 " " ISS_CODESIGN_CMD_SHA2)

--- a/cmake/codesign
+++ b/cmake/codesign
@ -1 +1 @@
-Subproject commit fe22c23c22244e4647e430812b8ceb0322772c81
+Subproject commit db839ac6093ecebd760d692e3f108e9a35982693