Teach CMake to code sign Mac executables

Perform code signing with the hardened runtime enabled (ad-hoc by default).
Enabling the hardened runtime is a requirement for these executables to pass notarization.

The code signing ID is controlled by the MAC_CODESIGN_ID CMake
cache variable.
This commit is contained in:
ridiculousfish 2020-02-12 15:02:19 -08:00
parent 952d9eecf7
commit ba0c2d48d1
3 changed files with 32 additions and 6 deletions


@ -163,10 +163,26 @@ ADD_DEFINITIONS(-D_REENTRANT)
# Set up PCRE2 # Set up PCRE2
INCLUDE(cmake/PCRE2.cmake) INCLUDE(cmake/PCRE2.cmake)
# Code signing ID on Mac. A default '-' is ad-hoc codesign.
SET(MAC_CODESIGN_ID "-" CACHE STRING "Mac code-signing identity")
FUNCTION(CODESIGN_ON_MAC target)
IF(APPLE)
ADD_CUSTOM_COMMAND(
TARGET ${target}
POST_BUILD
COMMAND codesign --force --deep --options runtime --sign "${MAC_CODESIGN_ID}" $<TARGET_FILE:${target}>
VERBATIM
)
ENDIF()
ENDFUNCTION(CODESIGN_ON_MAC target)
# Define a function to link dependencies. # Define a function to link dependencies.
FUNCTION(FISH_LINK_DEPS target) FUNCTION(FISH_LINK_DEPS_AND_SIGN target)
TARGET_LINK_LIBRARIES(${target} fishlib) TARGET_LINK_LIBRARIES(${target} fishlib)
ENDFUNCTION(FISH_LINK_DEPS) CODESIGN_ON_MAC(${target})
ENDFUNCTION(FISH_LINK_DEPS_AND_SIGN)
# Define libfish.a. # Define libfish.a.
ADD_LIBRARY(fishlib STATIC ${FISH_SRCS}) ADD_LIBRARY(fishlib STATIC ${FISH_SRCS})
@ -177,17 +193,17 @@ TARGET_LINK_LIBRARIES(fishlib
# Define fish. # Define fish.
ADD_EXECUTABLE(fish src/fish.cpp) ADD_EXECUTABLE(fish src/fish.cpp)
FISH_LINK_DEPS(fish) FISH_LINK_DEPS_AND_SIGN(fish)
# Define fish_indent. # Define fish_indent.
ADD_EXECUTABLE(fish_indent ADD_EXECUTABLE(fish_indent
src/fish_indent.cpp src/print_help.cpp) src/fish_indent.cpp src/print_help.cpp)
FISH_LINK_DEPS(fish_indent) FISH_LINK_DEPS_AND_SIGN(fish_indent)
# Define fish_key_reader. # Define fish_key_reader.
ADD_EXECUTABLE(fish_key_reader ADD_EXECUTABLE(fish_key_reader
src/fish_key_reader.cpp src/print_help.cpp) src/fish_key_reader.cpp src/print_help.cpp)
FISH_LINK_DEPS(fish_key_reader) FISH_LINK_DEPS_AND_SIGN(fish_key_reader)
# Set up the docs. # Set up the docs.
INCLUDE(cmake/Docs.cmake) INCLUDE(cmake/Docs.cmake)
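Review bot: The default identity `-` on the `SET(MAC_CODESIGN_ID ...)` line produces an ad-hoc signature, and an ad-hoc signature cannot be notarized no matter what `--options runtime` adds, so the default configuration does not by itself reach the goal stated in the commit message; the cache-variable comment should say this so nobody ships the default. I would replace the comment with `# Code signing ID on Mac. The default '-' is an ad-hoc signature: it enables the hardened runtime for local builds but cannot be notarized; set a Developer ID identity for release builds.`. When a real identity is supplied, notarization also expects a secure timestamp in the signature, which the `codesign` line in CODESIGN_ON_MAC omits (`--timestamp`, which is presumably meaningless for the ad-hoc case and would need to be conditional). `--deep` is a no-op on a single executable and is discouraged by Apple for distribution signing, so it could be dropped here.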


@ -55,4 +55,14 @@ ADD_CUSTOM_COMMAND(TARGET fish_macapp POST_BUILD
--build ${CMAKE_CURRENT_BINARY_DIR} --target install --build ${CMAKE_CURRENT_BINARY_DIR} --target install
COMMAND ${CMAKE_COMMAND} -E copy_directory ${MACAPP_FISH_BUILDROOT}/.. COMMAND ${CMAKE_COMMAND} -E copy_directory ${MACAPP_FISH_BUILDROOT}/..
$<TARGET_BUNDLE_CONTENT_DIR:fish_macapp>/Resources/ $<TARGET_BUNDLE_CONTENT_DIR:fish_macapp>/Resources/
VERBATIM
)
# Target to sign the macapp.
# Note that a POST_BUILD step happens before resources are copied,
# and therefore would be too early.
ADD_CUSTOM_TARGET(signed_fish_macapp
DEPENDS fish_macapp
COMMAND codesign --force --deep --options runtime --sign "${MAC_CODESIGN_ID}" $<TARGET_BUNDLE_DIR:fish_macapp>
VERBATIM
) )
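Review bot: The `codesign --force --deep ... $<TARGET_BUNDLE_DIR:fish_macapp>` line relies on `--deep` to re-sign everything copied into the bundle, but Apple discourages `--deep` for distribution because it signs nested code in an unspecified order and applies the outer target's options to every nested item; the recommended approach is to sign nested components individually, inside out, and then sign the bundle itself. Since the executables copied in via `copy_directory` on the lines above were already signed in their own POST_BUILD step, the bundle-level command could drop `--deep`, i.e. `COMMAND codesign --force --options runtime --sign "${MAC_CODESIGN_ID}" $<TARGET_BUNDLE_DIR:fish_macapp>`, provided the copied resources contain no other unsigned code. Note also that `signed_fish_macapp` is an opt-in custom target, so the bundle produced by `fish_macapp` alone remains unsigned; a comment stating that packaging must build `signed_fish_macapp` rather than `fish_macapp` would prevent an unsigned bundle from being shipped by mistake. The enclosing `ADD_CUSTOM_COMMAND(TARGET fish_macapp POST_BUILD ...)` starts outside this hunk.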


@ -1,7 +1,7 @@
# Define fish_tests. # Define fish_tests.
ADD_EXECUTABLE(fish_tests EXCLUDE_FROM_ALL ADD_EXECUTABLE(fish_tests EXCLUDE_FROM_ALL
src/fish_tests.cpp) src/fish_tests.cpp)
FISH_LINK_DEPS(fish_tests) FISH_LINK_DEPS_AND_SIGN(fish_tests)
# The "test" directory. # The "test" directory.
SET(TEST_DIR ${CMAKE_CURRENT_BINARY_DIR}/test) SET(TEST_DIR ${CMAKE_CURRENT_BINARY_DIR}/test)