Utilities/Release: Add script to sign and package Windows binaries

Windows binaries for official releases on `cmake.org` are signed manually by a maintainer with a suitable signing certificate. Add a script to sign the binaries, run CPack, and sign the installer.
2026-01-05 21:31:08 -06:00 · 2022-05-19 12:32:25 -04:00
parent db48074d58
commit 1eab922d92
1 changed files with 29 additions and 0 deletions
--- a/Utilities/Release/win/sign-package.ps1
+++ b/Utilities/Release/win/sign-package.ps1
@@ -0,0 +1,29 @@
+# Distributed under the OSI-approved BSD 3-Clause License.  See accompanying
+# file Copyright.txt or https://cmake.org/licensing for details.
+
+# Run this script on a Windows host in a CMake single-config build tree.
+
+param (
+  [string]$signtool = 'signtool',
+  [string]$cpack = 'bin\cpack',
+  [switch]$trace
+)
+
+if ($trace -eq $true) {
+  Set-PSDebug -Trace 1
+}
+
+$ErrorActionPreference = 'Stop'
+
+# Sign binaries with SHA-1 for Windows 7 and below.
+& $signtool sign -v -a -t http://timestamp.digicert.com bin\*.exe
+
+# Sign binaries with SHA-256 for Windows 8 and above.
+& $signtool sign -v -a -tr http://timestamp.digicert.com -fd sha256 -td sha256 -as bin\*.exe
+
+# Create packages.
+& $cpack -G ZIP
+& $cpack -G WIX
+
+# Sign installer with SHA-256.
+& $signtool sign -v -a -tr http://timestamp.digicert.com -fd sha256 -td sha256 -d "CMake Windows Installer" cmake-*-win*.msi