From d0a67e372c492ffc7c50efa838a19f59077e1de0 Mon Sep 17 00:00:00 2001
From: ridiculousfish
Date: Wed, 12 Feb 2020 15:02:19 -0800
Subject: [PATCH] Teach CMake to code sign Mac executables

Perform an ad-hoc code signing with the hardened runtime. This ensures that these executables can pass notarization. The code signing ID is controlled by the MAC_CODESIGN_ID CMake cache variable.
---
 CMakeLists.txt | 26 +++++++++++++++++++++-----
 cmake/MacApp.cmake | 10 ++++++++++
 cmake/Tests.cmake | 2 +-
 3 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 7fdfe9eaf..e0fa383ab 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -163,10 +163,26 @@ ADD_DEFINITIONS(-D_REENTRANT)
 # Set up PCRE2
 INCLUDE(cmake/PCRE2.cmake)
+# Code signing ID on Mac. A default '-' is ad-hoc codesign.
+SET(MAC_CODESIGN_ID "-" CACHE STRING "Mac code-signing identity")
+
+FUNCTION(CODESIGN_ON_MAC target)
+ IF(APPLE)
+ ADD_CUSTOM_COMMAND(
+ TARGET ${target}
+ POST_BUILD
+ COMMAND codesign --force --deep --options runtime --sign "${MAC_CODESIGN_ID}" $
+ VERBATIM
+ )
+ ENDIF()
+ENDFUNCTION(CODESIGN_ON_MAC target)
+
+
 # Define a function to link dependencies.
-FUNCTION(FISH_LINK_DEPS target)
+FUNCTION(FISH_LINK_DEPS_AND_SIGN target)
 TARGET_LINK_LIBRARIES(${target} fishlib)
-ENDFUNCTION(FISH_LINK_DEPS)
+ CODESIGN_ON_MAC(${target})
+ENDFUNCTION(FISH_LINK_DEPS_AND_SIGN)
 # Define libfish.a.
 ADD_LIBRARY(fishlib STATIC ${FISH_SRCS})
@@ -177,17 +193,17 @@ TARGET_LINK_LIBRARIES(fishlib
 # Define fish.
 ADD_EXECUTABLE(fish src/fish.cpp)
-FISH_LINK_DEPS(fish)
+FISH_LINK_DEPS_AND_SIGN(fish)
 # Define fish_indent.
 ADD_EXECUTABLE(fish_indent src/fish_indent.cpp src/print_help.cpp)
-FISH_LINK_DEPS(fish_indent)
+FISH_LINK_DEPS_AND_SIGN(fish_indent)
 # Define fish_key_reader.
 ADD_EXECUTABLE(fish_key_reader src/fish_key_reader.cpp src/print_help.cpp)
-FISH_LINK_DEPS(fish_key_reader)
+FISH_LINK_DEPS_AND_SIGN(fish_key_reader)
 # Set up the docs.
 INCLUDE(cmake/Docs.cmake)
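Review bot: The default identity in `SET(MAC_CODESIGN_ID "-" CACHE STRING ...)` yields an ad-hoc signature, which Apple's notarization service does not accept; `--options runtime` (hardened runtime) is necessary but not sufficient, and only a Developer ID Application identity supplied through MAC_CODESIGN_ID produces a notarizable binary, so the commit message's "can pass notarization" holds only for that configuration. The cache-variable comment should make the distinction explicit, e.g. `# Code signing identity on Mac. The default '-' is an ad-hoc signature (fine for local builds, NOT notarizable); set to a "Developer ID Application: ..." identity for distribution.`. Because the signature is applied POST_BUILD, anything that later rewrites the Mach-O — install-time RPATH fixups via install_name_tool, `strip` — invalidates it, so the installed binaries should be checked with `codesign --verify --strict`; whether this project's install rules do rewrite RPATHs is not visible from this hunk. Minor style: `ENDFUNCTION(CODESIGN_ON_MAC target)` repeats the signature, the bare `ENDFUNCTION()` is the conventional form.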
diff --git a/cmake/MacApp.cmake b/cmake/MacApp.cmake
index 6ae1622e7..a94f96c34 100644
--- a/cmake/MacApp.cmake
+++ b/cmake/MacApp.cmake
@@ -55,4 +55,14 @@ ADD_CUSTOM_COMMAND(TARGET fish_macapp POST_BUILD
 --build ${CMAKE_CURRENT_BINARY_DIR} --target install
 COMMAND ${CMAKE_COMMAND} -E copy_directory ${MACAPP_FISH_BUILDROOT}/.. $/Resources/
+ VERBATIM
+)
+
+# Target to sign the macapp.
+# Note that a POST_BUILD step happens before resources are copied,
+# and therefore would be too early.
+ADD_CUSTOM_TARGET(signed_fish_macapp
+ DEPENDS fish_macapp
+ COMMAND codesign --force --deep --options runtime --sign "${MAC_CODESIGN_ID}" $
+ VERBATIM
 )
diff --git a/cmake/Tests.cmake b/cmake/Tests.cmake
index cc61bc837..f12465133 100644
--- a/cmake/Tests.cmake
+++ b/cmake/Tests.cmake
@@ -1,7 +1,7 @@
 # Define fish_tests.
 ADD_EXECUTABLE(fish_tests EXCLUDE_FROM_ALL src/fish_tests.cpp)
-FISH_LINK_DEPS(fish_tests)
+FISH_LINK_DEPS_AND_SIGN(fish_tests)
 # The "test" directory.
 SET(TEST_DIR ${CMAKE_CURRENT_BINARY_DIR}/test)
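Review bot: The `codesign --force --deep ... --sign` call in `signed_fish_macapp` most likely does not cover the fish binaries that the preceding POST_BUILD step copies under `Resources/`: as far as I can tell codesign only treats the standard nested-code locations (MacOS, Frameworks, PlugIns, ...) as code, and Apple discourages `--deep` in general because it stamps the outer target's flags onto every nested item instead of signing inside-out. Those copied executables therefore carry only the signature from their own POST_BUILD step, which the intervening `--target install` may have invalidated if it rewrote their RPATH; the result surfaces late, as a notarization or Gatekeeper failure rather than a build error. I would sign the nested executables explicitly before the bundle and add a verification COMMAND after the signing one, using the same bundle path that is passed to `--sign` (the generator expression is truncated in this view): `COMMAND codesign --verify --deep --strict --verbose=2 <bundle path>`, so a broken signature fails the build. Since this target is not part of ALL, the comment above it should also state that `signed_fish_macapp` must be built explicitly for the bundle to be signed at all.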