Re: [CMake] Signing individual binary and problem with PackageMaker CPack generator
I tried example like this set(test_SRC main.cpp) install(CODE "MESSAGE(\"CODE1\")") add_executable(test ${test_SRC}) install(TARGETS test DESTINATION ${CMAKE_INSTALL_BINDIR}) install(CODE "MESSAGE(\"CODE2\")") Then i checked cmake_install.cmake and "CODE1" cmd will be executed before strip command and "CODE2" will be executed after strip command. So I think that this is the good place to invoke signing tool for release builds. Probably you should have two places with signing if you want to have signed binary in build tree and install tree. One in add_custom_command and one in install(CODE ... ). But it's not a big problem. -------- Best regards, Anatoly Belyaev On 23.10.2018 13:33, Eric Noulard wrote: Le mar. 23 oct. 2018 à 12:06, Craig Scott <mailto:craig.sc...@crascit.com>> a écrit : On Tue, Oct 23, 2018 at 4:43 PM Eric Noulard mailto:eric.noul...@gmail.com>> wrote: Le lun. 22 oct. 2018 à 23:05, Craig Scott mailto:craig.sc...@crascit.com>> a écrit : Yes I agree that having build rpath is useful. I am not aware of any mechanism that enable calling some tool during CPack's install step. Moreover I don't use MacOS at all so I don't have any experience with PackageMaker. May be some Mac user may shed some more light on this. You should be able to do this using install(SCRIPT) or install(CODE), invoking the code signing through execute_process() as part of that script/code. I wasn't sure of that. So just to be clear do we know for sure that install(SCRIPT) install(CODE) will run after the CMake builtin-generated install scripts? The builtin generated install script for target includes stripping, so for signing to work as expect we should be sure of the execution order? Or may be you suggest not to install(TARGET) for the concerned target and write install(SCRIPT) replacement for those? My understanding is that install() commands are generally processed in the order in which they appear in the directory scope. It is unspecified how the order between directory scopes behaves, although this merge request <https://gitlab.kitware.com/cmake/cmake/merge_requests/2434> (now merged to master) makes things much more predictable. I missed the earlier detail about when stripping occurred in relation to installing. From what I can see, I think the stripping happens right after the executable is copied/installed. Have a look at the generated cmake_install.cmake file for one of your builds and search for CMAKE_INSTALL_DO_STRIP to see how things get processed. If you add your own install(CODE) or install(SCRIPT) calls after you've done the install(TARGETS) calls, I would expect them to come after the stripping, but I haven't tested this. I'll have a look, not that I need it but I'd like to know. Thank you Craig. -- Eric -- Powered by www.kitware.com Please keep messages on-topic and check the CMake FAQ at: http://www.cmake.org/Wiki/CMake_FAQ Kitware offers various services to support the CMake community. For more information on each offering, please visit: CMake Support: http://cmake.org/cmake/help/support.html CMake Consulting: http://cmake.org/cmake/help/consulting.html CMake Training Courses: http://cmake.org/cmake/help/training.html Visit other Kitware open-source projects at http://www.kitware.com/opensource/opensource.html Follow this link to subscribe/unsubscribe: https://cmake.org/mailman/listinfo/cmake
Re: [CMake] Signing individual binary and problem with PackageMaker CPack generator
We use "PackageMaker" generator on MacOS. But i don't think it is CPack specific tool does call strip command. The code for RPATH rewrite and strip cmd is located in cmake_install.cmake. As i understand CPack calls make install to tmp dir and then creates package. Having different RPATH for build tree is useful. May be there is a way to call sign tool in the install stage? But reading the doc to CMake install command, doesn't help me find solution for this. Best regards, Anatoly Belyaev On 22.10.2018 11:55, Eric Noulard wrote: Le lun. 22 oct. 2018 à 10:21, Anatoly Belyaev <mailto:cr...@cryptopro.ru>> a écrit : We use CMake |add_custom_command(TARGET POST_BUILD COMMAND codesign ...) | for signing executable files on build. It works fine, but when CPack generates package it rewrites rpath on executable files and call strip command on them. This changes the file and invalidates the signature. Is there any way in CMake to sign binary files after CPack finishes install and before actual packaging? As you discovered CPack runs at a different moment than CMake (see: https://github.com/dev-cafe/cmake-cookbook/blob/master/figures/cmake-times/cmake-times.jpg) RPATH is rewritten because you may have different build and install RPATH. https://gitlab.kitware.com/cmake/community/wikis/doc/cmake/RPATH-handling. Concerning the strip part I'm not sure CPack does that. May be the CPack generator specific tool does it? I bet there is no generic way to that without extending CPack or the particular generator ou are using. What CPack generator(s) do you use? -- Eric -- Powered by www.kitware.com Please keep messages on-topic and check the CMake FAQ at: http://www.cmake.org/Wiki/CMake_FAQ Kitware offers various services to support the CMake community. For more information on each offering, please visit: CMake Support: http://cmake.org/cmake/help/support.html CMake Consulting: http://cmake.org/cmake/help/consulting.html CMake Training Courses: http://cmake.org/cmake/help/training.html Visit other Kitware open-source projects at http://www.kitware.com/opensource/opensource.html Follow this link to subscribe/unsubscribe: https://cmake.org/mailman/listinfo/cmake
[CMake] Signing individual binary and problem with PackageMaker CPack generator
We use CMake |add_custom_command(TARGET POST_BUILD COMMAND codesign ...) | for signing executable files on build. It works fine, but when CPack generates package it rewrites rpath on executable files and call strip command on them. This changes the file and invalidates the signature. Is there any way in CMake to sign binary files after CPack finishes install and before actual packaging? -- Best regards, Anatoly Belyaev -- Powered by www.kitware.com Please keep messages on-topic and check the CMake FAQ at: http://www.cmake.org/Wiki/CMake_FAQ Kitware offers various services to support the CMake community. For more information on each offering, please visit: CMake Support: http://cmake.org/cmake/help/support.html CMake Consulting: http://cmake.org/cmake/help/consulting.html CMake Training Courses: http://cmake.org/cmake/help/training.html Visit other Kitware open-source projects at http://www.kitware.com/opensource/opensource.html Follow this link to subscribe/unsubscribe: https://cmake.org/mailman/listinfo/cmake