[Bf-blender-cvs] [8fb9f2d] master: [Windows] Add support for code signing the final binaries.

Wed Aug 31 14:26:31 CEST 2016

Commit: 8fb9f2dbe9cb69476bf1f98c8503e5acd446c5b0
Author: lazydodo
Date:   Wed Aug 31 06:26:05 2016 -0600
Branches: master
https://developer.blender.org/rB8fb9f2dbe9cb69476bf1f98c8503e5acd446c5b0

[Windows] Add support for code signing the final binaries.

The option is controlled with the WITH_WINDOWS_CODESIGN option and needs:

- Signtool must be found on the system, the standard windows sdk folders will be searched for it.
- The path to the pfx file (WINDOWS_CODESIGN_PFX)
- The password for the pfx , this can either be set by the WINDOWS_CODESIGN_PFX_PASSWORD variable but given that ends up in CMakeCache.txt (which might be undesirable) there is a backup option of setting the PFXPASSWORD environment variable on the system.

Reviewers: sergey, juicyfruit

Reviewed By: juicyfruit

Tags: #bf_blender, #platform:_windows

Differential Revision: https://developer.blender.org/D2182

===================================================================

M	CMakeLists.txt
M	build_files/cmake/macros.cmake
M	build_files/cmake/platform/platform_win32_msvc.cmake
M	source/blenderplayer/CMakeLists.txt
M	source/creator/CMakeLists.txt

===================================================================

diff --git a/CMakeLists.txt b/CMakeLists.txt
index d7276f4..709f824 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -512,6 +512,15 @@ mark_as_advanced(WITH_LEGACY_DEPSGRAPH)
 option(WITH_WINDOWS_FIND_MODULES "Use find_package to locate libraries" OFF)
 mark_as_advanced(WITH_WINDOWS_FIND_MODULES)
 
+option(WITH_WINDOWS_CODESIGN "Use signtool to sign the final binary." OFF)
+mark_as_advanced(WITH_WINDOWS_CODESIGN)
+
+set(WINDOWS_CODESIGN_PFX CACHE FILEPATH  "Path to pfx file to use for codesigning.")
+mark_as_advanced(WINDOWS_CODESIGN_PFX)
+
+set(WINDOWS_CODESIGN_PFX_PASSWORD CACHE STRING  "password for pfx file used for codesigning.")
+mark_as_advanced(WINDOWS_CODESIGN_PFX_PASSWORD)
+
 # avoid using again
 option_defaults_clear()
 
diff --git a/build_files/cmake/macros.cmake b/build_files/cmake/macros.cmake
index dc8b158..fabb35c 100644
--- a/build_files/cmake/macros.cmake
+++ b/build_files/cmake/macros.cmake
@@ -1578,3 +1578,26 @@ macro(openmp_delayload
 			endif(WITH_OPENMP)
 		endif(MSVC)
 endmacro()
+
+MACRO(WINDOWS_SIGN_TARGET target)
+	if (WITH_WINDOWS_CODESIGN)
+		if (!SIGNTOOL_EXE)
+			error("Codesigning is enabled, but signtool is not found")
+		else()
+			if (WINDOWS_CODESIGN_PFX_PASSWORD)
+				set(CODESIGNPASSWORD /p ${WINDOWS_CODESIGN_PFX_PASSWORD})
+			else()
+				if ($ENV{PFXPASSWORD})
+					set(CODESIGNPASSWORD /p $ENV{PFXPASSWORD})
+				else()
+					message( FATAL_ERROR "WITH_WINDOWS_CODESIGN is on but WINDOWS_CODESIGN_PFX_PASSWORD not set, and environment variable PFXPASSWORD not found, unable to sign code.")
+				endif()
+			endif()
+			add_custom_command(TARGET ${target}
+						POST_BUILD
+						COMMAND ${SIGNTOOL_EXE} sign /f ${WINDOWS_CODESIGN_PFX} ${CODESIGNPASSWORD} $<TARGET_FILE:${target}>
+						VERBATIM
+				)
+		endif()
+	endif()
+ENDMACRO()
\ No newline at end of file
diff --git a/build_files/cmake/platform/platform_win32_msvc.cmake b/build_files/cmake/platform/platform_win32_msvc.cmake
index eaa6e41..2772944 100644
--- a/build_files/cmake/platform/platform_win32_msvc.cmake
+++ b/build_files/cmake/platform/platform_win32_msvc.cmake
@@ -471,3 +471,15 @@ endif()
 
 # used in many places so include globally, like OpenGL
 blender_include_dirs_sys("${PTHREADS_INCLUDE_DIRS}")
+
+#find signtool  
+SET(ProgramFilesX86_NAME "ProgramFiles(x86)") #env dislikes the ( ) 
+find_program(SIGNTOOL_EXE signtool
+HINTS
+  "$ENV{${ProgramFilesX86_NAME}}/Windows Kits/10/bin/x86/"
+  "$ENV{ProgramFiles}/Windows Kits/10/bin/x86/"
+  "$ENV{${ProgramFilesX86_NAME}}/Windows Kits/8.1/bin/x86/"
+  "$ENV{ProgramFiles}/Windows Kits/8.1/bin/x86/"
+  "$ENV{${ProgramFilesX86_NAME}}/Windows Kits/8.0/bin/x86/"
+  "$ENV{ProgramFiles}/Windows Kits/8.0/bin/x86/"
+)
diff --git a/source/blenderplayer/CMakeLists.txt b/source/blenderplayer/CMakeLists.txt
index 2748de0..58bebc6 100644
--- a/source/blenderplayer/CMakeLists.txt
+++ b/source/blenderplayer/CMakeLists.txt
@@ -58,7 +58,7 @@ if(WIN32 AND NOT UNIX)
 			blenderplayer ${EXETYPE}
 			bad_level_call_stubs/stubs.c
 			${CMAKE_SOURCE_DIR}/release/windows/icons/winblender.rc)
-
+	WINDOWS_SIGN_TARGET(blenderplayer)
 	install(TARGETS blenderplayer
 			COMPONENT Blenderplayer
 			DESTINATION ".")
diff --git a/source/creator/CMakeLists.txt b/source/creator/CMakeLists.txt
index 7acea43..fc02dfd 100644
--- a/source/creator/CMakeLists.txt
+++ b/source/creator/CMakeLists.txt
@@ -263,6 +263,7 @@ if(WITH_PYTHON_MODULE)
 
 else()
 	add_executable(blender ${EXETYPE} ${SRC})
+	WINDOWS_SIGN_TARGET(blender)
 endif()
 
 if(WITH_BUILDINFO)


