Teach CMake to code sign Mac executables

Perform an ad-hoc code signing with the hardened runtime. This ensures that these executables can pass notarization. The code signing ID is controlled by the MAC_CODESIGN_ID CMake cache variable.
2024-11-10 23:24:39 +00:00 · 2020-02-12 15:02:19 -08:00 · 2020-02-12 15:02:19 -08:00 · ba0c2d48d1
commit ba0c2d48d1
parent 952d9eecf7
3 changed files with 32 additions and 6 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -163,10 +163,26 @@ ADD_DEFINITIONS(-D_REENTRANT)
 # Set up PCRE2
 INCLUDE(cmake/PCRE2.cmake)

+# Code signing ID on Mac. A default '-' is ad-hoc codesign.
+SET(MAC_CODESIGN_ID "-" CACHE STRING "Mac code-signing identity")
+
+FUNCTION(CODESIGN_ON_MAC target)
+  IF(APPLE)
+    ADD_CUSTOM_COMMAND(
+      TARGET ${target}
+      POST_BUILD
+      COMMAND codesign --force --deep --options runtime --sign "${MAC_CODESIGN_ID}" $<TARGET_FILE:${target}>
+      VERBATIM
+    )
+  ENDIF()
+ENDFUNCTION(CODESIGN_ON_MAC target)
+
+
 # Define a function to link dependencies.
-FUNCTION(FISH_LINK_DEPS target)
+FUNCTION(FISH_LINK_DEPS_AND_SIGN target)
  TARGET_LINK_LIBRARIES(${target} fishlib)
-ENDFUNCTION(FISH_LINK_DEPS)
+  CODESIGN_ON_MAC(${target})
+ENDFUNCTION(FISH_LINK_DEPS_AND_SIGN)

 # Define libfish.a.
 ADD_LIBRARY(fishlib STATIC ${FISH_SRCS})
@ -177,17 +193,17 @@ TARGET_LINK_LIBRARIES(fishlib

 # Define fish.
 ADD_EXECUTABLE(fish src/fish.cpp)
-FISH_LINK_DEPS(fish)
+FISH_LINK_DEPS_AND_SIGN(fish)

 # Define fish_indent.
 ADD_EXECUTABLE(fish_indent
               src/fish_indent.cpp src/print_help.cpp)
-FISH_LINK_DEPS(fish_indent)
+FISH_LINK_DEPS_AND_SIGN(fish_indent)

 # Define fish_key_reader.
 ADD_EXECUTABLE(fish_key_reader
               src/fish_key_reader.cpp src/print_help.cpp)
-FISH_LINK_DEPS(fish_key_reader)
+FISH_LINK_DEPS_AND_SIGN(fish_key_reader)

 # Set up the docs.
 INCLUDE(cmake/Docs.cmake)
--- a/cmake/MacApp.cmake
+++ b/cmake/MacApp.cmake
@ -55,4 +55,14 @@ ADD_CUSTOM_COMMAND(TARGET fish_macapp POST_BUILD
            --build ${CMAKE_CURRENT_BINARY_DIR} --target install
    COMMAND ${CMAKE_COMMAND} -E copy_directory ${MACAPP_FISH_BUILDROOT}/..
            $<TARGET_BUNDLE_CONTENT_DIR:fish_macapp>/Resources/
+    VERBATIM
+)
+
+# Target to sign the macapp.
+# Note that a POST_BUILD step happens before resources are copied,
+# and therefore would be too early.
+ADD_CUSTOM_TARGET(signed_fish_macapp
+    DEPENDS fish_macapp
+    COMMAND codesign --force --deep --options runtime --sign "${MAC_CODESIGN_ID}" $<TARGET_BUNDLE_DIR:fish_macapp>
+    VERBATIM
 )
--- a/cmake/Tests.cmake
+++ b/cmake/Tests.cmake
@ -1,7 +1,7 @@
 # Define fish_tests.
 ADD_EXECUTABLE(fish_tests EXCLUDE_FROM_ALL
               src/fish_tests.cpp)
-FISH_LINK_DEPS(fish_tests)
+FISH_LINK_DEPS_AND_SIGN(fish_tests)

 # The "test" directory.
 SET(TEST_DIR ${CMAKE_CURRENT_BINARY_DIR}/test)