Merge topic 'windows-signing'

9a34031081 Utilities/Release: Enable signing of Windows release binaries
29f4f70b41 Add undocumented option to sign CMake's own binaries on Windows
1069a3f02b Configure CMake itself with policies through CMake 3.14

Acked-by: Kitware Robot <kwrobot@kitware.com>
Merge-request: !3296

CMakeLists.txt

@@ -1,7 +1,7 @@
 # Distributed under the OSI-approved BSD 3-Clause License.  See accompanying
 # file Copyright.txt or https://cmake.org/licensing for details.
 
-cmake_minimum_required(VERSION 3.1...3.12 FATAL_ERROR)
+cmake_minimum_required(VERSION 3.1...3.14 FATAL_ERROR)
 set(CMAKE_USER_MAKE_RULES_OVERRIDE_C ${CMAKE_CURRENT_SOURCE_DIR}/Source/Modules/OverrideC.cmake)
 set(CMAKE_USER_MAKE_RULES_OVERRIDE_CXX ${CMAKE_CURRENT_SOURCE_DIR}/Source/Modules/OverrideCXX.cmake)
 project(CMake)
@@ -822,4 +822,10 @@ if(NOT CMake_TEST_EXTERNAL_CMAKE)
 
   # Install auxiliary files integrating with other tools.
   add_subdirectory(Auxiliary)
+
+  # Optionally sign installed binaries.
+  if(CMake_INSTALL_SIGNTOOL)
+    configure_file(Source/CMakeInstallSignTool.cmake.in Source/CMakeInstallSignTool.cmake @ONLY)
+    install(SCRIPT ${CMAKE_CURRENT_BINARY_DIR}/Source/CMakeInstallSignTool.cmake)
+  endif()
 endif()

Source/CMakeInstallSignTool.cmake.in

@@ -0,0 +1,51 @@
+# The signtool.  Default to PATH.
+set(CMake_INSTALL_SIGNTOOL "@CMake_INSTALL_SIGNTOOL@")
+if(NOT CMake_INSTALL_SIGNTOOL)
+  set(CMake_INSTALL_SIGNTOOL signtool)
+endif()
+
+# Select a certificate by Subject Name.  Default to automatic selection.
+set(CMake_INSTALL_SIGNTOOL_SUBJECT_NAME "@CMake_INSTALL_SIGNTOOL_SUBJECT_NAME@")
+if(CMake_INSTALL_SIGNTOOL_SUBJECT_NAME)
+  set(select_cert -n "${CMake_INSTALL_SIGNTOOL_SUBJECT_NAME}")
+else()
+  set(select_cert -a)
+endif()
+
+# Timestamp URL.  Default to a common provider.
+set(CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL "@CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL@")
+if(NOT CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL)
+  set(CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL "http://timestamp.digicert.com")
+endif()
+
+# Glob files that need a signature.
+file(GLOB files "$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/bin/*.exe")
+
+# Sign all files at once.
+if(files)
+  # Run the signtool through 'cmd /c' to enable password prompt popup.
+  # Some providers have trouble when signtool is invoked with SW_HIDE.
+  set(cmd cmd /c "${CMake_INSTALL_SIGNTOOL}" sign -v ${select_cert})
+
+  # Sign with SHA-1 for Windows 7 and below.
+  execute_process(
+    COMMAND ${cmd} -t  "${CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL}" ${files}
+    RESULT_VARIABLE result
+    ERROR_VARIABLE stderr
+    )
+  if(NOT result EQUAL 0)
+    string(REPLACE "\n" "\n  " stderr "  ${stderr}")
+    message(WARNING "signtool failed:\n${stderr}")
+  endif()
+
+  # Sign with SHA-256 for Windows 8 and above.
+  execute_process(
+    COMMAND ${cmd} -tr "${CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL}" -fd sha256 -td sha256 -as ${files}
+    RESULT_VARIABLE result
+    ERROR_VARIABLE stderr
+    )
+  if(NOT result EQUAL 0)
+    string(REPLACE "\n" "\n  " stderr "  ${stderr}")
+    message(WARNING "signtool failed:\n${stderr}")
+  endif()
+endif()

Utilities/Doxygen/CMakeLists.txt

@@ -3,7 +3,7 @@
 
 if(NOT CMake_SOURCE_DIR)
   set(CMakeDeveloperReference_STANDALONE 1)
-  cmake_minimum_required(VERSION 3.1...3.12 FATAL_ERROR)
+  cmake_minimum_required(VERSION 3.1...3.14 FATAL_ERROR)
   get_filename_component(tmp "${CMAKE_CURRENT_SOURCE_DIR}" PATH)
   get_filename_component(CMake_SOURCE_DIR "${tmp}" PATH)
   include(${CMake_SOURCE_DIR}/Modules/CTestUseLaunchers.cmake)

Utilities/Release/linux64_release.cmake

@@ -44,6 +44,7 @@ CMake_QT_STATIC_QXcbIntegrationPlugin_LIBRARIES:STRING=${qt_xcb_libs}
 set(ENV [[
 export CMAKE_PREFIX_PATH=/opt/binutils-2.31
 ]])
+set(SIGN "")
 
 # Exclude Qt5 tests because our Qt5 is static.
 set(EXTRA_CTEST_ARGS "-E Qt5")

Utilities/Release/osx_release.cmake

@@ -29,5 +29,6 @@ CMake_TEST_NO_FindPackageModeMakefileTest:BOOL=TRUE
 set(ENV [[
 export CMAKE_PREFIX_PATH='/Users/kitware/SDKs/qt-5.6.2-clang-x64'
 ]])
+set(SIGN "")
 get_filename_component(path "${CMAKE_CURRENT_LIST_FILE}" PATH)
 include(${path}/release_cmake.cmake)

Utilities/Release/release_cmake.sh.in

@@ -150,7 +150,7 @@ for GEN in $generators; do
     check_exit_value $? "Create $GEN package" || exit 1
 done
 
-
+@SIGN@
 
 echo "End release"
 date

Utilities/Release/win32_release.cmake

@@ -45,5 +45,9 @@ set(GIT_EXTRA "git config core.autocrlf true")
 if(CMAKE_CREATE_VERSION STREQUAL "nightly")
   # Some tests fail spuriously too often.
   set(EXTRA_CTEST_ARGS "-E 'ConsoleBuf|Module.ExternalData'")
+  set(SIGN "")
+else()
+  string(APPEND INITIAL_CACHE "CMake_INSTALL_SIGNTOOL:STRING=signtool\n")
+  set(SIGN [[signtool sign -v -a -tr http://timestamp.digicert.com -fd sha256 -td sha256 -d "CMake Windows Installer" cmake-*.msi]])
 endif()
 include(${path}/release_cmake.cmake)

Utilities/Release/win64_release.cmake

@@ -45,5 +45,9 @@ set(GIT_EXTRA "git config core.autocrlf true")
 if(CMAKE_CREATE_VERSION STREQUAL "nightly")
   # Some tests fail spuriously too often.
   set(EXTRA_CTEST_ARGS "-E 'ConsoleBuf|Module.ExternalData'")
+  set(SIGN "")
+else()
+  string(APPEND INITIAL_CACHE "CMake_INSTALL_SIGNTOOL:STRING=signtool\n")
+  set(SIGN [[signtool sign -v -a -tr http://timestamp.digicert.com -fd sha256 -td sha256 -d "CMake Windows Installer" cmake-*.msi]])
 endif()
 include(${path}/release_cmake.cmake)

Utilities/Sphinx/CMakeLists.txt

@@ -3,7 +3,7 @@
 
 if(NOT CMake_SOURCE_DIR)
   set(CMakeHelp_STANDALONE 1)
-  cmake_minimum_required(VERSION 3.1...3.12 FATAL_ERROR)
+  cmake_minimum_required(VERSION 3.1...3.14 FATAL_ERROR)
   get_filename_component(tmp "${CMAKE_CURRENT_SOURCE_DIR}" PATH)
   get_filename_component(CMake_SOURCE_DIR "${tmp}" PATH)
   include(${CMake_SOURCE_DIR}/Modules/CTestUseLaunchers.cmake)