Teach CMake to code sign Mac executables

Perform an ad-hoc code signing with the hardened runtime.
This ensures that these executables can pass notarization.

The code signing ID is controlled by the MAC_CODESIGN_ID CMake
cache variable.
ridiculousfish 2020-02-12 15:02:19 -08:00
parent 952d9eecf7
commit ba0c2d48d1
3 changed files with 32 additions and 6 deletions


@ -163,10 +163,26 @@ ADD_DEFINITIONS(-D_REENTRANT)
# Set up PCRE2
INCLUDE(cmake/PCRE2.cmake)
# Code signing ID on Mac. A default '-' is ad-hoc codesign.
SET(MAC_CODESIGN_ID "-" CACHE STRING "Mac code-signing identity")
FUNCTION(CODESIGN_ON_MAC target)
IF(APPLE)
ADD_CUSTOM_COMMAND(
TARGET ${target}
POST_BUILD
COMMAND codesign --force --deep --options runtime --sign "${MAC_CODESIGN_ID}" $<TARGET_FILE:${target}>
VERBATIM
)
ENDIF()
ENDFUNCTION(CODESIGN_ON_MAC target)
# Define a function to link dependencies.
FUNCTION(FISH_LINK_DEPS target)
FUNCTION(FISH_LINK_DEPS_AND_SIGN target)
TARGET_LINK_LIBRARIES(${target} fishlib)
ENDFUNCTION(FISH_LINK_DEPS)
CODESIGN_ON_MAC(${target})
ENDFUNCTION(FISH_LINK_DEPS_AND_SIGN)
# Define libfish.a.
ADD_LIBRARY(fishlib STATIC ${FISH_SRCS})
@ -177,17 +193,17 @@ TARGET_LINK_LIBRARIES(fishlib
# Define fish.
ADD_EXECUTABLE(fish src/fish.cpp)
FISH_LINK_DEPS(fish)
FISH_LINK_DEPS_AND_SIGN(fish)
# Define fish_indent.
ADD_EXECUTABLE(fish_indent
src/fish_indent.cpp src/print_help.cpp)
FISH_LINK_DEPS(fish_indent)
FISH_LINK_DEPS_AND_SIGN(fish_indent)
# Define fish_key_reader.
ADD_EXECUTABLE(fish_key_reader
src/fish_key_reader.cpp src/print_help.cpp)
FISH_LINK_DEPS(fish_key_reader)
FISH_LINK_DEPS_AND_SIGN(fish_key_reader)
# Set up the docs.
INCLUDE(cmake/Docs.cmake)
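Review bot: The POST_BUILD codesign in CODESIGN_ON_MAC passes `--options runtime` but never `--timestamp`, and notarization rejects a signature that lacks a secure timestamp, so the description's claim that these executables can pass notarization only holds once MAC_CODESIGN_ID is set to a real Developer ID identity and a timestamp is requested; the default `-` (ad-hoc) cannot be notarized at all and has no CMS signature to timestamp. I would request the timestamp only when the identity is not `-`, as below, and the same gap exists in the signed_fish_macapp command in MacApp.cmake. Because the variable is a cache entry, a one-line comment on it saying which value is expected for notarization would help, e.g. `# Set to a Developer ID identity (not '-') to produce a notarizable signature.`. As a point of style, `ENDFUNCTION(CODESIGN_ON_MAC target)` and `ENDFUNCTION(FISH_LINK_DEPS_AND_SIGN)` repeat the arguments, which is legacy noise; bare `ENDFUNCTION()` is the current form.

```cmake
FUNCTION(CODESIGN_ON_MAC target)
  IF(APPLE)
    # A secure timestamp can only be obtained for a real identity; the ad-hoc
    # identity '-' has no certificate to timestamp against.
    SET(_codesign_timestamp_flag "")
    IF(NOT "${MAC_CODESIGN_ID}" STREQUAL "-")
      SET(_codesign_timestamp_flag --timestamp)
    ENDIF()
    ADD_CUSTOM_COMMAND(
      TARGET ${target}
      POST_BUILD
      COMMAND codesign --force --deep --options runtime ${_codesign_timestamp_flag} --sign "${MAC_CODESIGN_ID}" $<TARGET_FILE:${target}>
      VERBATIM
    )
  ENDIF()
ENDFUNCTION()
```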


@ -55,4 +55,14 @@ ADD_CUSTOM_COMMAND(TARGET fish_macapp POST_BUILD
--build ${CMAKE_CURRENT_BINARY_DIR} --target install
COMMAND ${CMAKE_COMMAND} -E copy_directory ${MACAPP_FISH_BUILDROOT}/..
$<TARGET_BUNDLE_CONTENT_DIR:fish_macapp>/Resources/
VERBATIM
)
# Target to sign the macapp.
# Note that a POST_BUILD step happens before resources are copied,
# and therefore would be too early.
ADD_CUSTOM_TARGET(signed_fish_macapp
DEPENDS fish_macapp
COMMAND codesign --force --deep --options runtime --sign "${MAC_CODESIGN_ID}" $<TARGET_BUNDLE_DIR:fish_macapp>
VERBATIM
)
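Review bot: `--force --deep` on the bundle re-signs every nested executable that CODESIGN_ON_MAC already signed at build time, and Apple's code-signing guidance discourages `--deep` because it signs nested code in an unspecified order with the outer item's options rather than each item's own; the recommended shape is to sign nested code first (which the per-target step already does for fish, fish_indent and fish_key_reader) and then sign only the bundle, i.e. `COMMAND codesign --force --options runtime --sign "${MAC_CODESIGN_ID}" $<TARGET_BUNDLE_DIR:fish_macapp>`, provided any other nested code the bundle carries is signed explicitly before this step. Since signed_fish_macapp is not in ALL and nothing depends on it, the bundle is only signed when that target is requested by name, which the comment above it should state, e.g. `# Not built by default: build this target explicitly to obtain a signed bundle.`. DEPENDS in ADD_CUSTOM_TARGET is documented for files and custom-command outputs; I believe a target name here still yields a target-level dependency, but `ADD_DEPENDENCIES(signed_fish_macapp fish_macapp)` states the intent explicitly. The missing `--timestamp` raised on the CMakeLists.txt section applies to this command as well.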


@ -1,7 +1,7 @@
# Define fish_tests.
ADD_EXECUTABLE(fish_tests EXCLUDE_FROM_ALL
src/fish_tests.cpp)
FISH_LINK_DEPS(fish_tests)
FISH_LINK_DEPS_AND_SIGN(fish_tests)
# The "test" directory.
SET(TEST_DIR ${CMAKE_CURRENT_BINARY_DIR}/test)