[CMake] Signing individual binary and problem with PackageMaker CPack generator

Elvis Stansvik elvis.stansvik at orexplore.com
Tue Oct 23 12:26:13 EDT 2018 

Just going to jump in here and show how we did it (on the bus with just my
phone so will be a bit terse):

packaging/InstallWindowsDeps.cmake:

include(BundleUtilities)

# Dependant executables/libraries
set(INSIGHT_ARTIFACTS
    "${CMAKE_INSTALL_PREFIX}/orexplore-insight.exe"
    "${CMAKE_INSTALL_PREFIX}/insightmodel.dll"
    "${CMAKE_INSTALL_PREFIX}/insightview.dll"
)

# Install the HDF5 Blosc compression plugin
find_path(H5ZBLOSC_DLL_PATH NAMES H5Zblosc.dll)
file(INSTALL
    DESTINATION "${CMAKE_INSTALL_PREFIX}"
    TYPE SHARED_LIBRARY
    OPTIONAL
    FILES "${H5ZBLOSC_DLL_PATH}/H5Zblosc.dll")

# Install fontconfig configuration
#
# Note: This assumes the layout used by [1], where the fonts
#       directory is two levels up from the bin/x64 directory
#       where the DLL is.
#
# [1] https://github.com/ShiftMediaProject/fontconfig
find_path(FONTCONFIG_DLL_PATH NAMES fontconfig.dll)
set(FONTCONFIG_FONTS_DIR "${FONTCONFIG_DLL_PATH}/../../fonts")
file(INSTALL "${FONTCONFIG_FONTS_DIR}" DESTINATION "${CMAKE_INSTALL_PREFIX}")

# Run windeployqt to install Qt libraries, plugins et.c.
execute_process(COMMAND windeployqt --no-translations
--no-compiler-runtime --no-opengl-sw ${INSIGHT_ARTIFACTS})

# Run fixup_bundle(..) to bring in everything else.
fixup_bundle(
    "${CMAKE_INSTALL_PREFIX}/orexplore-insight.exe"
    "${CMAKE_INSTALL_PREFIX}/H5Zblosc.dll"
    ""
)

set(CODE_SIGNING_COMMAND "@INSIGHT_CODE_SIGNING_COMMAND@")

if(NOT "${CODE_SIGNING_COMMAND}" STREQUAL "")
    # Sign all executables/libraries
    file(GLOB_RECURSE FILES_TO_SIGN
        "${CMAKE_INSTALL_PREFIX}/*.exe"
        "${CMAKE_INSTALL_PREFIX}/*.dll"
    )

    separate_arguments(CODE_SIGNING_COMMAND WINDOWS_COMMAND
"${CODE_SIGNING_COMMAND}")

    foreach(FILE_TO_SIGN ${FILES_TO_SIGN})
        execute_process(COMMAND ${CODE_SIGNING_COMMAND} "${FILE_TO_SIGN}")
    endforeach()
endif()


packaging/Installmacosdeps.cmake:


include(BundleUtilities)

# Install the HDF5 Blosc compression plugin
find_path(H5ZBLOSC_DYLIB_PATH NAMES libH5Zblosc.dylib)
file(INSTALL
    DESTINATION
"${CMAKE_INSTALL_PREFIX}/@INSIGHT_MACOSX_BUNDLE_BUNDLE_NAME at .app/Contents/MacOS"
    TYPE SHARED_LIBRARY
    OPTIONAL
    FILES "${H5ZBLOSC_DYLIB_PATH}/libH5Zblosc.dylib")

# We use PATH as the list of extra search dirs for macdeployqt/fixup_bundle
string(REPLACE ":" ";" INSIGHT_LIBRARY_SEARCH_DIRS "$ENV{PATH}")

# Run macdeployqt to install Qt libraries, plugins et.c.
string(REGEX REPLACE "([^;]+)" "-libpath=\\1" _macdeployqt_flags
"${INSIGHT_LIBRARY_SEARCH_DIRS}")
execute_process(COMMAND macdeployqt
${CMAKE_INSTALL_PREFIX}/@INSIGHT_MACOSX_BUNDLE_BUNDLE_NAME at .app
${_macdeployqt_flags} -verbose=3)

# Gather list of Qt plugins
file(GLOB_RECURSE _qtplugins
"${CMAKE_INSTALL_PREFIX}/@INSIGHT_MACOSX_BUNDLE_BUNDLE_NAME at .app/Contents/PlugIns/*.dylib")

# Run fixup_bundle(..)
fixup_bundle(
    "${CMAKE_INSTALL_PREFIX}/@INSIGHT_MACOSX_BUNDLE_BUNDLE_NAME at .app"
    "${_qtplugins};${CMAKE_INSTALL_PREFIX}/@INSIGHT_MACOSX_BUNDLE_BUNDLE_NAME at .app/Contents/MacOS/libH5Zblosc.dylib"
    "${INSIGHT_LIBRARY_SEARCH_DIRS}"
)

# Despite what the documentation for macdeployqt says, it _does_ install
# non-Qt dependencies. It installs plain dylibs into Contents/Frameworks.
# This is a problem, because fixup_bundle(..), which we used above, will
# install the same libraries, but into Contents/MacOS. We thus remove the
# dylibs installed by macdeployqt, to avoid duplication.
file(GLOB _macdeployqt_dylibs
"${CMAKE_INSTALL_PREFIX}/@INSIGHT_MACOSX_BUNDLE_BUNDLE_NAME at .app/Contents/Frameworks/*.dylib")
file(REMOVE ${_macdeployqt_dylibs})

set(CODE_SIGNING_COMMAND "@INSIGHT_CODE_SIGNING_COMMAND@")

if(NOT "${CODE_SIGNING_COMMAND}" STREQUAL "")
    separate_arguments(CODE_SIGNING_COMMAND UNIX_COMMAND
"${CODE_SIGNING_COMMAND}")

    # Sign the entire application bundle.
    #
    # Note that we assume here that the code signing command in
    # ${CODE_SIGNING_COMMAND} is capable of recursive signing of
    # an macOS application bundle (e.g. `codesign --deep ..`).
    execute_process(COMMAND ${CODE_SIGNING_COMMAND}
"${CMAKE_INSTALL_PREFIX}/@INSIGHT_MACOSX_BUNDLE_BUNDLE_NAME at .app")
endif()


And then:


configure_file(CPackOptions.cmake.in
"${INSIGHT_CPACK_PROJECT_CONFIG_FILE}" @ONLY)

if(WIN32)
    configure_file(InstallWindowsDeps.cmake.in
        "${CMAKE_CURRENT_BINARY_DIR}/InstallWindowsDeps.cmake" @ONLY)
    install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/InstallWindowsDeps.cmake")
    set(CPACK_GENERATOR "ZIP;WIX")
elseif(APPLE)
    configure_file(InstallMacOSDeps.cmake.in
        "${CMAKE_CURRENT_BINARY_DIR}/InstallMacOSDeps.cmake" @ONLY)
    install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/InstallMacOSDeps.cmake")
    set(CPACK_GENERATOR "DragNDrop")
else()
    set(CPACK_GENERATOR "TGZ")
endif()

# General CPack options
set(CPACK_PACKAGE_NAME "${INSIGHT_CPACK_PACKAGE_NAME}")
set(CPACK_PACKAGE_VENDOR "${INSIGHT_CPACK_PACKAGE_VENDOR}")
set(CPACK_PACKAGE_VERSION_MAJOR "${INSIGHT_CPACK_PACKAGE_VERSION_MAJOR}")
set(CPACK_PACKAGE_VERSION_MINOR "${INSIGHT_CPACK_PACKAGE_VERSION_MINOR}")
set(CPACK_PACKAGE_VERSION_PATCH "${INSIGHT_CPACK_PACKAGE_VERSION_PATCH}")
set(CPACK_PACKAGE_VERSION "${INSIGHT_CPACK_PACKAGE_VERSION}")
set(CPACK_PACKAGE_INSTALL_DIRECTORY
"${INSIGHT_CPACK_PACKAGE_INSTALL_DIRECTORY}")
set(CPACK_PACKAGE_EXECUTABLES "${INSIGHT_CPACK_PACKAGE_EXECUTABLES}")
set(CPACK_CREATE_DESKTOP_LINKS "${INSIGHT_CPACK_CREATE_DESKTOP_LINKS}")
set(CPACK_WIX_UPGRADE_GUID "${INSIGHT_CPACK_WIX_UPGRADE_GUID}")
set(CPACK_WIX_UI_BANNER "${INSIGHT_CPACK_WIX_UI_BANNER}")
set(CPACK_WIX_UI_DIALOG "${INSIGHT_CPACK_WIX_UI_DIALOG}")
set(CPACK_WIX_LICENSE_RTF "${INSIGHT_CPACK_WIX_LICENSE_RTF}")
set(CPACK_WIX_PRODUCT_ICON "${INSIGHT_CPACK_WIX_PRODUCT_ICON}")
set(CPACK_WIX_PATCH_FILE "${INSIGHT_CPACK_WIX_PATCH_FILE}")
set(CPACK_DMG_BACKGROUND_IMAGE "${INSIGHT_CPACK_DMG_BACKGROUND_IMAGE}")
set(CPACK_DMG_DS_STORE_SETUP_SCRIPT
"${INSIGHT_CPACK_DMG_DS_STORE_SETUP_SCRIPT}")
set(CPACK_PROJECT_CONFIG_FILE "${INSIGHT_CPACK_PROJECT_CONFIG_FILE}")

include(CPack)


Sorry for giving you the full paste, but as you can see we're using
the install(SCRIPT) approach. The scrips are generated using
configure_file so we can use generator expressions.


Might not be the prettiest but has worked for us.


PS sorry for the formatting DS

Cheers,

Elvis


Den tis 23 okt. 2018 07:43Eric Noulard <eric.noulard at gmail.com> skrev:

> Le lun. 22 oct. 2018 à 23:05, Craig Scott <craig.scott at crascit.com> a
> écrit :
>
>>
>>> Yes I agree that having build rpath is useful.
>>> I am not aware of any mechanism that enable calling some tool during
>>> CPack's install step.
>>> Moreover I don't use MacOS at all so I don't have any experience with
>>> PackageMaker.
>>>
>>> May be some Mac user may shed some more light on this.
>>>
>>
>> You should be able to do this using install(SCRIPT) or install(CODE),
>> invoking the code signing through execute_process() as part of that
>> script/code.
>>
>
> I wasn't sure of that.
>
> So just to be clear  do we know for sure that install(SCRIPT)
> install(CODE) will run after the CMake builtin-generated install scripts?
> The builtin generated install script for target includes stripping, so for
> signing to work as expect we should be sure of the execution order?
> Or may be you suggest not to install(TARGET) for the concerned target and
> write install(SCRIPT) replacement for those?
>
>
> Taking a step back though, I don't know what your package contains, but if
>> you're creating an app bundle, then you don't need CPack at all. An app
>> bundle is already self contained and you should be able to get it to build
>> with install RPATH, at which point it should find everything it needs. An
>> advantage of building with install RPATH is that you can also make use of
>> the XCODE_ATTRIBUTE target property support to set up the code signing and
>> have Xcode/xcodebuild drive the whole code signing process for you. It's
>> likely to be easier that way and is more compatible with tools like
>> Fastlane <https://fastlane.tools>, if you end up heading in that
>> direction. But if you have embedded frameworks, then yeah, you probably end
>> up having to do things manually yourself (CMake doesn't yet handle those
>> well and has no direct support for it).
>>
>> --
>> Craig Scott
>> Melbourne, Australia
>> https://crascit.com
>>
>> New book released: Professional CMake: A Practical Guide
>> <https://crascit.com/professional-cmake/>
>>
>
> --
> Eric
> --
>
> Powered by www.kitware.com
>
> Please keep messages on-topic and check the CMake FAQ at:
> http://www.cmake.org/Wiki/CMake_FAQ
>
> Kitware offers various services to support the CMake community. For more
> information on each offering, please visit:
>
> CMake Support: http://cmake.org/cmake/help/support.html
> CMake Consulting: http://cmake.org/cmake/help/consulting.html
> CMake Training Courses: http://cmake.org/cmake/help/training.html
>
> Visit other Kitware open-source projects at
> http://www.kitware.com/opensource/opensource.html
>
> Follow this link to subscribe/unsubscribe:
> https://cmake.org/mailman/listinfo/cmake
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://cmake.org/pipermail/cmake/attachments/20181023/c650288b/attachment.html>

More information about the CMake mailing list