Add signing and list of files to be signed for packaging (#757)

HDFGroup · Aug 29, 2024 · 7967cfe · 7967cfe
1 parent 17e4c98
commit 7967cfe
Show file tree

Hide file tree

Showing 13 changed files with 63 additions and 0 deletions.
diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml
@@ -122,7 +122,26 @@ jobs:
         run: 7z x ${{ steps.set-file-base.outputs.FILE_BASE }}.zip
         shell: bash
 
+      - name: Install TrustedSigning (Windows)
+        run: |
+            Invoke-WebRequest -Uri https://dist.nuget.org/win-x86-commandline/latest/nuget.exe -OutFile .\nuget.exe
+            .\nuget.exe install Microsoft.Windows.SDK.BuildTools -Version 10.0.22621.3233 -x
+            .\nuget.exe install Microsoft.Trusted.Signing.Client -Version 1.0.53 -x
+        shell: pwsh
+        if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+
+      - name: create-json
+        id: create-json
+        uses: jsdaniell/create-json@v1.2.3
+        with:
+            name: "credentials.json"
+            json: '{"Endpoint": "${{ secrets.AZURE_ENDPOINT }}","CodeSigningAccountName": "${{ secrets.AZURE_CODE_SIGNING_NAME }}","CertificateProfileName": "${{ secrets.AZURE_CERT_PROFILE_NAME }}"}'
+        if: ${{ needs.check-secret.outputs.sign-state == 'exists' }}
+
       - name: Run ctest (Windows)
+        env:
+          BINSIGN: ${{ needs.check-secret.outputs.sign-state }}
+          SIGNTOOLDIR: ${{ github.workspace }}/Microsoft.Windows.SDK.BuildTools/bin/10.0.22621.0/x64
         run: |
           cd "${{ runner.workspace }}/hdf4/${{ steps.set-file-base.outputs.SOURCE_BASE }}"
           cmake --workflow --preset=${{ inputs.preset_name }}-MSVC --fresh
@@ -392,6 +411,9 @@ jobs:
 
       - name: Run ctest (MacOS_latest)
         id: run-ctest
+        env:
+          BINSIGN: ${{ needs.check-secret.outputs.sign-state }}
+          SIGNER: ${{ vars.SIGNER }}
         run: |
           cd "${{ runner.workspace }}/hdf4/${{ steps.set-file-base.outputs.SOURCE_BASE }}"
           cmake --workflow --preset=${{ inputs.preset_name }}-macos-Clang --fresh

diff --git a/CMakeInstallation.cmake b/CMakeInstallation.cmake
@@ -287,6 +287,9 @@ if (NOT HDF4_EXTERNALLY_CONFIGURED AND NOT HDF4_NO_PACKAGES)
 
     if (WIX_EXECUTABLE)
       list (APPEND CPACK_GENERATOR "WIX")
+      if (ENV{BINSIGN} MATCHES "exists")
+        set (CPACK_PRE_BUILD_SCRIPTS ${CMAKE_SOURCE_DIR}/cmake/SignPackageFiles.cmake)
+      endif ()
     endif ()
 #WiX variables
     set (CPACK_WIX_UNINSTALL "1")
@@ -309,6 +312,9 @@ if (NOT HDF4_EXTERNALLY_CONFIGURED AND NOT HDF4_NO_PACKAGES)
     option (HDF4_PACK_MACOSX_DMG  "Package the HDF4 Library using DragNDrop" ON)
     if (HDF4_PACK_MACOSX_DMG)
       list (APPEND CPACK_GENERATOR "DragNDrop")
+      if (ENV{BINSIGN} MATCHES "exists")
+        set (CPACK_PRE_BUILD_SCRIPTS ${CMAKE_SOURCE_DIR}/cmake/SignPackageFiles.cmake)
+      endif ()
     endif ()
     set (CPACK_COMPONENTS_ALL_IN_ONE_PACKAGE ON)
     set (CPACK_PACKAGING_INSTALL_PREFIX "/${CPACK_PACKAGE_INSTALL_DIRECTORY}")

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -376,6 +376,8 @@ endif ()
 #-----------------------------------------------------------------------------
 set_global_variable (HDF4_LIBRARIES_TO_EXPORT "")
 set_global_variable (HDF4_UTILS_TO_EXPORT "")
+# List of targets to be signed for packaging
+set_global_variable (HDF4_INSTALL_TARGETS "")
 
 set (EXTERNAL_HEADER_LIST "")
 set (EXTERNAL_LIBRARY_LIST "")

diff --git a/config/cmake/SignPackageFiles.cmake b/config/cmake/SignPackageFiles.cmake
@@ -0,0 +1,22 @@
+# This script signs the targets for the package
+foreach (target IN LISTS ${HDF4_INSTALL_TARGETS})
+    if (WIN32)
+        # Sign the targets
+        execute_process(COMMAND ENV{SIGNTOOLDIR}/signtool
+          sign /v /debug /fd SHA256 /tr http://timestamp.acs.microsoft.com /td SHA256
+          /dlib "Microsoft.Trusted.Signing.Client\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf ${CMAKE_CURRENT_SOURCE_DIR}\credentials.json
+          $<TARGET_FILE:${target}>
+          WORKING_DIRECTORY ${CPACK_TEMPORARY_INSTALL_DIRECTORY}/packages
+        )
+        message(STATUS "Signing the target ${target}")
+    elseif (APPLE)
+        # Sign the targets
+        execute_process(COMMAND codesign
+          --force --timestamp --options runtime --entitlements ${CMAKE_CURRENT_SOURCE_DIR}/config/cmake/distribution.entitlements 
+          --verbose=4 --strict --sign "ENV{SIGNER}"
+          $<TARGET_FILE:${target}>
+          WORKING_DIRECTORY ${CPACK_TEMPORARY_INSTALL_DIRECTORY}/packages
+        )
+        message(STATUS "Signing the target ${target}")
+    endif ()
+endforeach ()
diff --git a/hdf/fortran/CMakeLists.txt b/hdf/fortran/CMakeLists.txt
@@ -187,4 +187,5 @@ if (HDF4_EXPORTED_TARGETS)
       FRAMEWORK DESTINATION ${HDF4_INSTALL_FWRK_DIR} COMPONENT fortlibraries
       INCLUDES DESTINATION include
   )
+  set (HDF4_INSTALL_TARGETS ${HDF4_INSTALL_TARGETS} ${install_targets} PARENT_SCOPE)
 endif ()
diff --git a/hdf/src/CMakeLists.txt b/hdf/src/CMakeLists.txt
@@ -216,6 +216,7 @@ if (HDF4_EXPORTED_TARGETS)
       FRAMEWORK DESTINATION ${HDF4_INSTALL_FWRK_DIR} COMPONENT libraries
       INCLUDES DESTINATION include
   )
+  set (HDF4_INSTALL_TARGETS ${HDF4_INSTALL_TARGETS} ${install_targets} PARENT_SCOPE)
 endif ()
 
 #-----------------------------------------------------------------------------

diff --git a/hdf/util/CMakeLists.txt b/hdf/util/CMakeLists.txt
@@ -263,6 +263,7 @@ if (HDF4_BUILD_TOOLS)
       TARGETS ${H4_DEP_EXECUTABLES}
       RUNTIME DESTINATION ${HDF4_INSTALL_TOOLS_BIN_DIR} COMPONENT toolsapplications
   )
+  set (HDF4_INSTALL_TARGETS ${HDF4_INSTALL_TARGETS} ${H4_DEP_EXECUTABLES} PARENT_SCOPE)
 endif ()
 
 if (HDF4_BUILD_UTILS)
@@ -274,4 +275,5 @@ if (HDF4_BUILD_UTILS)
       TARGETS ${H4_DEP_UTILITIES}
       RUNTIME DESTINATION ${HDF4_INSTALL_UTILS_BIN_DIR} COMPONENT utilsapplications
   )
+  set (HDF4_INSTALL_TARGETS ${HDF4_INSTALL_TARGETS} ${H4_DEP_UTILITIES} PARENT_SCOPE)
 endif ()
diff --git a/mfhdf/fortran/CMakeLists.txt b/mfhdf/fortran/CMakeLists.txt
@@ -171,6 +171,7 @@ install (
     FRAMEWORK DESTINATION ${HDF4_INSTALL_FWRK_DIR} COMPONENT fortlibraries
     INCLUDES DESTINATION include
 )
+  set (HDF4_INSTALL_TARGETS ${HDF4_INSTALL_TARGETS} ${install_targets} PARENT_SCOPE)
 
 #-----------------------------------------------------------------------------
 # Create pkgconfig files

diff --git a/mfhdf/hdfimport/CMakeLists.txt b/mfhdf/hdfimport/CMakeLists.txt
@@ -48,3 +48,5 @@ install (
         ${HDF4_EXPORTED_TARGETS}
     RUNTIME DESTINATION ${HDF4_INSTALL_TOOLS_BIN_DIR} COMPONENT toolsapplications
 )
+set (HDF4_INSTALL_TARGETS ${HDF4_INSTALL_TARGETS} ${H4_DEP_EXECUTABLES} PARENT_SCOPE)
+
diff --git a/mfhdf/hdiff/CMakeLists.txt b/mfhdf/hdiff/CMakeLists.txt
@@ -59,3 +59,4 @@ install (
         ${HDF4_EXPORTED_TARGETS}
     RUNTIME DESTINATION ${HDF4_INSTALL_TOOLS_BIN_DIR} COMPONENT toolsapplications
 )
+set (HDF4_INSTALL_TARGETS ${HDF4_INSTALL_TARGETS} ${H4_DEP_EXECUTABLES} PARENT_SCOPE)
diff --git a/mfhdf/hdp/CMakeLists.txt b/mfhdf/hdp/CMakeLists.txt
@@ -53,3 +53,4 @@ install (
         ${HDF4_EXPORTED_TARGETS}
     RUNTIME DESTINATION ${HDF4_INSTALL_TOOLS_BIN_DIR} COMPONENT toolsapplications
 )
+set (HDF4_INSTALL_TARGETS ${HDF4_INSTALL_TARGETS} ${H4_DEP_EXECUTABLES} PARENT_SCOPE)
diff --git a/mfhdf/hrepack/CMakeLists.txt b/mfhdf/hrepack/CMakeLists.txt
@@ -69,3 +69,4 @@ install (
         ${HDF4_EXPORTED_TARGETS}
     RUNTIME DESTINATION ${HDF4_INSTALL_TOOLS_BIN_DIR} COMPONENT toolsapplications
 )
+set (HDF4_INSTALL_TARGETS ${HDF4_INSTALL_TARGETS} ${H4_DEP_EXECUTABLES} PARENT_SCOPE)
diff --git a/mfhdf/src/CMakeLists.txt b/mfhdf/src/CMakeLists.txt
@@ -141,6 +141,7 @@ install (
     FRAMEWORK DESTINATION ${HDF4_INSTALL_FWRK_DIR} COMPONENT libraries
     INCLUDES DESTINATION include
 )
+  set (HDF4_INSTALL_TARGETS ${HDF4_INSTALL_TARGETS} ${install_targets} PARENT_SCOPE)
 
 #-----------------------------------------------------------------------------
 # Create pkgconfig files