[CMake] Signing individual binary and problem with PackageMaker CPack generator

Tue Oct 23 07:04:49 EDT 2018

I tried example like this

set(test_SRC main.cpp)
install(CODE "MESSAGE(\"CODE1\")")
add_executable(test ${test_SRC})
install(TARGETS test DESTINATION ${CMAKE_INSTALL_BINDIR})
install(CODE "MESSAGE(\"CODE2\")")

Then i checked cmake_install.cmake and "CODE1" cmd will be executed 
before strip command and "CODE2" will be executed after strip command.  
So I think that this is the good place to invoke signing tool for 
release builds. Probably you should have two places with signing if you 
want to have signed binary in build tree and install tree. One in 
add_custom_command and one in install(CODE ... ). But it's not a big 
problem.

----------------------------------------
Best regards, Anatoly Belyaev

On 23.10.2018 13:33, Eric Noulard wrote:
>
>
> Le mar. 23 oct. 2018 à 12:06, Craig Scott <craig.scott at crascit.com 
> <mailto:craig.scott at crascit.com>> a écrit :
>
>
>
>     On Tue, Oct 23, 2018 at 4:43 PM Eric Noulard
>     <eric.noulard at gmail.com <mailto:eric.noulard at gmail.com>> wrote:
>
>         Le lun. 22 oct. 2018 à 23:05, Craig Scott
>         <craig.scott at crascit.com <mailto:craig.scott at crascit.com>> a
>         écrit :
>
>
>                 Yes I agree that having build rpath is useful.
>                 I am not aware of any mechanism that enable calling
>                 some tool during CPack's install step.
>                 Moreover I don't use MacOS at all so I don't have any
>                 experience with PackageMaker.
>
>                 May be some Mac user may shed some more light on this.
>
>
>             You should be able to do this using install(SCRIPT) or
>             install(CODE), invoking the code signing through
>             execute_process() as part of that script/code.
>
>
>         I wasn't sure of that.
>
>         So just to be clear  do we know for sure that install(SCRIPT)
>         install(CODE) will run after the CMake builtin-generated
>         install scripts?
>         The builtin generated install script for target includes
>         stripping, so for signing to work as expect we should be sure
>         of the execution order?
>         Or may be you suggest not to install(TARGET) for the concerned
>         target and write install(SCRIPT) replacement for those?
>
>
>     My understanding is that install() commands are generally
>     processed in the order in which they appear in the directory
>     scope. It is unspecified how the order between directory scopes
>     behaves, although this merge request
>     <https://gitlab.kitware.com/cmake/cmake/merge_requests/2434> (now
>     merged to master) makes things much more predictable.
>
>     I missed the earlier detail about when stripping occurred in
>     relation to installing. From what I can see, I think the stripping
>     happens right after the executable is copied/installed. Have a
>     look at the generated cmake_install.cmake file for one of your
>     builds and search for CMAKE_INSTALL_DO_STRIP to see how things get
>     processed. If you add your own install(CODE) or install(SCRIPT)
>     calls after you've done the install(TARGETS) calls, I would expect
>     them to come after the stripping, but I haven't tested this.
>
>
> I'll have a look, not that I need it but I'd like to know.
> Thank you Craig.
>
> -- 
> Eric

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://cmake.org/pipermail/cmake/attachments/20181023/ed482ae2/attachment.html>