Re: [CMake] Signing individual binary and problem with PackageMaker CPack generator

2018-10-23 Thread Anatoly Belyaev

I tried an example like this:

set(test_SRC main.cpp)
install(CODE "MESSAGE(\"CODE1\")")
add_executable(test ${test_SRC})
install(TARGETS test DESTINATION ${CMAKE_INSTALL_BINDIR})
install(CODE "MESSAGE(\"CODE2\")")

Then I checked cmake_install.cmake: the "CODE1" command will be executed 
before the strip command and "CODE2" will be executed after the strip 
command. So I think that this is a good place to invoke the signing tool 
for release builds. Probably you should have two places with signing if 
you want to have a signed binary in both the build tree and the install 
tree: one in add_custom_command and one in install(CODE ...). But it's 
not a big problem.


--------
Best regards, Anatoly Belyaev

On 23.10.2018 13:33, Eric Noulard wrote:

On Tue, 23 Oct 2018 at 12:06, Craig Scott <craig.sc...@crascit.com> wrote:

On Tue, Oct 23, 2018 at 4:43 PM Eric Noulard <eric.noul...@gmail.com> wrote:

On Mon, 22 Oct 2018 at 23:05, Craig Scott <craig.sc...@crascit.com> wrote:


Yes, I agree that having a build rpath is useful.
I am not aware of any mechanism that enables calling
some tool during CPack's install step.
Moreover, I don't use MacOS at all, so I don't have any
experience with PackageMaker.

Maybe some Mac user may shed some more light on this.


You should be able to do this using install(SCRIPT) or
install(CODE), invoking the code signing through
execute_process() as part of that script/code.


I wasn't sure of that.

So just to be clear, do we know for sure that install(SCRIPT) /
install(CODE) will run after the CMake builtin-generated
install scripts?
The builtin generated install script for a target includes
stripping, so for signing to work as expected we should be sure
of the execution order?
Or maybe you suggest not to install(TARGET) for the concerned
target and write an install(SCRIPT) replacement for those?


My understanding is that install() commands are generally
processed in the order in which they appear in the directory
scope. It is unspecified how the order between directory scopes
behaves, although this merge request
<https://gitlab.kitware.com/cmake/cmake/merge_requests/2434> (now
merged to master) makes things much more predictable.

I missed the earlier detail about when stripping occurred in
relation to installing. From what I can see, I think the stripping
happens right after the executable is copied/installed. Have a
look at the generated cmake_install.cmake file for one of your
builds and search for CMAKE_INSTALL_DO_STRIP to see how things get
processed. If you add your own install(CODE) or install(SCRIPT)
calls after you've done the install(TARGETS) calls, I would expect
them to come after the stripping, but I haven't tested this.


I'll have a look, not that I need it but I'd like to know.
Thank you Craig.

--
Eric


-- 

Powered by www.kitware.com

Please keep messages on-topic and check the CMake FAQ at: 
http://www.cmake.org/Wiki/CMake_FAQ

Kitware offers various services to support the CMake community. For more 
information on each offering, please visit:

CMake Support: http://cmake.org/cmake/help/support.html
CMake Consulting: http://cmake.org/cmake/help/consulting.html
CMake Training Courses: http://cmake.org/cmake/help/training.html

Visit other Kitware open-source projects at 
http://www.kitware.com/opensource/opensource.html

Follow this link to subscribe/unsubscribe:
https://cmake.org/mailman/listinfo/cmake
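
The two signing points discussed in the message above, as an added example that is not part of the original thread or of CMake's own code. The target name myapp, the source file main.cpp and the cache variable SIGN_IDENTITY are hypothetical, and the generator expression inside install(CODE) assumes CMake 3.14 or newer (policy CMP0087).

```cmake
cmake_minimum_required(VERSION 3.14)  # CMP0087: generator expressions in install(CODE)
project(signed_app CXX)
include(GNUInstallDirs)

# Hypothetical cache variable; "-" asks codesign for an ad-hoc signature.
set(SIGN_IDENTITY "-" CACHE STRING "Identity passed to codesign --sign")

add_executable(myapp main.cpp)  # hypothetical target and source names

# Build tree: sign the binary that carries the build RPATH.
add_custom_command(TARGET myapp POST_BUILD
  COMMAND codesign --force --sign "${SIGN_IDENTITY}" "$<TARGET_FILE:myapp>"
  VERBATIM)

# Install tree: this rule copies the file, rewrites RPATH and, when
# CMAKE_INSTALL_DO_STRIP is set, strips it. Each of these steps changes the
# file and invalidates the build-tree signature.
install(TARGETS myapp DESTINATION ${CMAKE_INSTALL_BINDIR})

# Must follow install(TARGETS) in the same directory scope so that it lands
# after the strip step in the generated cmake_install.cmake.
install(CODE "
  set(_bin \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}/$<TARGET_FILE_NAME:myapp>\")
  execute_process(
    COMMAND codesign --force --sign \"${SIGN_IDENTITY}\" \"\${_bin}\"
    RESULT_VARIABLE _rc)
  if(NOT _rc EQUAL 0)
    message(FATAL_ERROR \"codesign failed (\${_rc}) for \${_bin}\")
  endif()
  # Fail the install, and therefore the CPack run, if the result does not verify.
  execute_process(
    COMMAND codesign --verify --strict \"\${_bin}\"
    RESULT_VARIABLE _rc)
  if(NOT _rc EQUAL 0)
    message(FATAL_ERROR \"signature verification failed for \${_bin}\")
  endif()
")
```

Searching the generated cmake_install.cmake for CMAKE_INSTALL_DO_STRIP shows whether the signing block was emitted after the strip step for a given build.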


Re: [CMake] Signing individual binary and problem with PackageMaker CPack generator

2018-10-22 Thread Anatoly Belyaev
We use the "PackageMaker" generator on MacOS. But I don't think it is a 
CPack-specific tool that calls the strip command. The code for the RPATH 
rewrite and the strip command is located in cmake_install.cmake. As I 
understand it, CPack calls make install to a tmp dir and then creates the 
package.


Having a different RPATH for the build tree is useful. Maybe there is a 
way to call the sign tool in the install stage? But reading the docs for 
the CMake install command doesn't help me find a solution for this.



Best regards, Anatoly Belyaev


On 22.10.2018 11:55, Eric Noulard wrote:



On Mon, 22 Oct 2018 at 10:21, Anatoly Belyaev <cr...@cryptopro.ru> wrote:


We use CMake

    add_custom_command(TARGET POST_BUILD COMMAND codesign ...)

for signing executable files on build. It works fine, but when
CPack generates a package it rewrites rpath on executable files and
calls the strip command on them. This changes the file and invalidates
the signature. Is there any way in CMake to sign binary files
after CPack finishes install and before actual packaging?

As you discovered CPack runs at a different moment than CMake (see: 
https://github.com/dev-cafe/cmake-cookbook/blob/master/figures/cmake-times/cmake-times.jpg)


RPATH is rewritten because you may have different build and install RPATH.
https://gitlab.kitware.com/cmake/community/wikis/doc/cmake/RPATH-handling.

Concerning the strip part, I'm not sure CPack does that. Maybe the 
CPack generator-specific tool does it?
I bet there is no generic way to do that without extending CPack or the 
particular generator you are using.

What CPack generator(s) do you use?

--
Eric




[CMake] Signing individual binary and problem with PackageMaker CPack generator

2018-10-22 Thread Anatoly Belyaev

We use CMake

    add_custom_command(TARGET POST_BUILD COMMAND codesign ...)

for signing executable files on build. It works fine, but when CPack 
generates a package it rewrites rpath on executable files and calls the 
strip command on them. This changes the file and invalidates the 
signature. Is there any way in CMake to sign binary files after CPack 
finishes install and before actual packaging?


--

Best regards, Anatoly Belyaev
