MantisBT - CMake
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0013532CMakeCMakepublic2012-09-12 11:332016-06-10 14:31
ReporterSean McBride 
Assigned ToKitware Robot 
PrioritynormalSeverityminorReproducibilityhave not tried
StatusclosedResolutionmoved 
PlatformOSOS Version
Product VersionCMake 2.8.9 
Target VersionCMake 2.8.12Fixed in Version 
Summary0013532: kitware-provided CMake installer/executables should be codesigned with 'Developer ID' for GateKeeper on OS X
DescriptionAs of Mac OS X 10.8, Apple & the OS now expect that all installers and apps be code signed. Summary:

http://arstechnica.com/apple/2012/07/os-x-10-8/14/ [^]
http://arstechnica.com/apple/2012/07/os-x-10-8/15/ [^]

If not, they warn and installation is more complicated, see attached.

Instructions on accomplishing what is needed:

https://developer.apple.com/resources/developer-id/ [^]
Steps To Reproduce
Additional Information
TagsNo tags attached.
Relationships
related to 0015515closed Kitware Robot Please digitally sign your installer files and/or add hashes 
related to 0015507closed Brad King CMake.App bundle is malformed which prevents code signing it 
Attached Filespng CMake-not-signed.png (62,055) 2012-09-12 11:33
https://public.kitware.com/Bug/file/4480/CMake-not-signed.png
png
Issue History
Date ModifiedUsernameFieldChange
2012-09-12 11:33Sean McBrideNew Issue
2012-09-12 11:33Sean McBrideFile Added: CMake-not-signed.png
2012-09-12 12:30David ColeNote Added: 0031017
2012-09-12 12:31David ColeNote Edited: 0031017bug_revision_view_page.php?bugnote_id=31017#r835
2012-09-12 12:31David ColeTarget Version => CMake 2.8.10
2012-10-18 11:16David ColeTarget VersionCMake 2.8.10 => CMake 2.8.11
2012-10-18 11:17David ColeNote Added: 0031270
2013-02-15 10:29Jean-Christophe Fillion-RobinNote Added: 0032288
2013-05-17 09:33Robert MaynardTarget VersionCMake 2.8.11 => CMake 2.8.12
2015-04-09 10:20Brad KingRelationship addedrelated to 0015507
2015-04-20 12:29Eric WingNote Added: 0038556
2015-04-20 12:30Eric WingNote Edited: 0038556bug_revision_view_page.php?bugnote_id=38556#r1769
2015-04-20 12:38Brad KingNote Added: 0038557
2015-04-20 12:39Brad KingRelationship addedrelated to 0015515
2016-02-12 21:36Eric WingNote Added: 0040482
2016-03-09 12:46Sean McBrideNote Added: 0040656
2016-06-10 14:28Kitware RobotNote Added: 0042121
2016-06-10 14:28Kitware RobotStatusnew => resolved
2016-06-10 14:28Kitware RobotResolutionopen => moved
2016-06-10 14:28Kitware RobotAssigned To => Kitware Robot
2016-06-10 14:31Kitware RobotStatusresolved => closed

Notes
(0031017)
David Cole   
2012-09-12 12:30   
(edited on: 2012-09-12 12:31)
This one is probably not going to happen in time for 2.8.10, but thanks for the report. We'll discuss it.

I'll put it on the roadmap anyway, but it's likely we don't have enough time to address this before we do rc1 for 2.8.10...
(0031270)
David Cole   
2012-10-18 11:17   
These bugs were deferred from target version 2.8.10 to 2.8.11 based on the responses to this email thread on the CMake developer's mailing list:

  http://public.kitware.com/pipermail/cmake-developers/2012-October/005434.html [^]
(0032288)
Jean-Christophe Fillion-Robin   
2013-02-15 10:28   
Cross-referencing - See also Slicer issue http://www.na-mic.org/Bug/view.php?id=2708 [^]
(0038556)
Eric Wing   
2015-04-20 12:29   
(edited on: 2015-04-20 12:30)
After fixes discussed in http://www.cmake.org/Bug/view.php?id=15507, [^] this is my remaining script needed to code sign CMake.

#!/bin/zsh

# gets the script path
# script_path=${0:a}
# gets the directory in which the script resides
SCRIPT_DIR=${0:a:h}


CODE_SIGN_IDENTITY="Developer ID"

if [ -z $1 ]; then
    echo "Usage: codesign_cmake /path/CMake.app"
    exit 1
fi

CMAKE_DIR=$1

codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"/Contents/Frameworks/QtCore.framework/Versions/4/QtCore
codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"/Contents/Frameworks/QtGui.framework/Versions/4/QtGui
find "$CMAKE_DIR"/Contents/bin -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \;
find "$CMAKE_DIR"/Contents/MacOS -type f -exec codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" {} \;

codesign --force --verbose --sign "$CODE_SIGN_IDENTITY" "$CMAKE_DIR"
(0038557)
Brad King   
2015-04-20 12:38   
For reference, since CMake 3.1 the OS X binaries are packaged with the CPack DragNDrop installer instead of PackageMaker:

 OS X: Package with DragNDrop instead of PackageMaker
 http://cmake.org/gitweb?p=cmake.git;a=commitdiff;h=dc3c2102 [^]

IIUC now one may drag CMake.app -> /Applications without this prompt. Then one can run the command-line tools immediately. It is only when running the cmake-gui that code signing is enforced by OS X.
(0040482)
Eric Wing   
2016-02-12 21:36   
I am trying to sign CMake again to distribute to other users.

The situation has gotten worse.
Somewhere in the 10.9 timeframe, Apple tightened up the codesigning process. Among the changes are that improperly formed .framework bundles will cause an app to fail to be codesigned.

The Qt frameworks are malformed. The workaround I posted no longer works.
Qt 5.4 had the same problem. Various scripts around the net couldn't solve my Qt 5.4 problems and I had to upgrade to 5.5.1.

CMake is in a worse position since it is 4 based.

I'm not sure yet how to fix this.

I am using CMake 3.4.1. I would be happy to learn CMake has since fixed the issue.
(0040656)
Sean McBride   
2016-03-09 12:46   
0015507 is now fixed, allowing CMake.app to actually be signed.

After 4 years now, any chance of the next release actually being signed? :)
(0042121)
Kitware Robot   
2016-06-10 14:28   
Resolving issue as `moved`.

This issue tracker is no longer used. Further discussion of this issue may take place in the current CMake Issues page linked in the banner at the top of this page.