| # Distributed under the OSI-approved BSD 3-Clause License. See accompanying |
| # file LICENSE.rst or https://cmake.org/licensing for details. |
| |
| # Run this script on a Windows host in a CMake single-config build tree. |
| |
| param ( |
| [string]$signtool = 'signtool', |
| [string]$cpack = 'bin\cpack', |
| [string]$pass = $null |
| ) |
| |
| $ErrorActionPreference = 'Stop' |
| |
| # Cleanup temporary file(s) on exit. |
| $null = Register-EngineEvent PowerShell.Exiting -Action { |
| if ($certFile) { |
| Remove-Item $certFile -Force |
| } |
| } |
| |
| # If the passphrase was not provided on the command-line, |
| # check for a GitLab CI variable in the environment. |
| if (-not $pass) { |
| $pass = $env:SIGNTOOL_PASS |
| |
| # If the environment variable looks like a GitLab CI file-type variable, |
| # replace it with the content of the file. |
| if ($pass -and |
| $pass.EndsWith("SIGNTOOL_PASS") -and |
| (Test-Path -Path "$pass" -IsValid) -and |
| (Test-Path -Path "$pass" -PathType Leaf)) { |
| $pass = Get-Content -Path "$pass" |
| } |
| } |
| |
| # Collect signtool arguments to specify a certificate. |
| $cert = @() |
| |
| # Select a signing certificate to pass to signtool. |
| if ($certX509 = Get-ChildItem -Recurse -Path "Cert:" -CodeSigningCert | |
| Where-Object { $_.PublicKey.Oid.FriendlyName -eq "RSA" } | |
| Select-Object -First 1) { |
| # Identify the private key provider name and container name. |
| if ($certRSA = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($certX509)) { |
| # $certRSA -is [System.Security.Cryptography.RSACng] |
| # Cryptography Next Generation (CNG) implementation |
| $csp = $certRSA.Key.Provider |
| $kc = $certRSA.Key.KeyName |
| } elseif ($certRSA = $certX509.PrivateKey) { |
| # $certRSA -is [System.Security.Cryptography.RSACryptoServiceProvider] |
| $csp = $certRSA.CspKeyContainerInfo.ProviderName |
| $kc = $certRSA.CspKeyContainerInfo.KeyContainerName |
| } |
| |
| # Pass the selected certificate to signtool. |
| $certFile = New-TemporaryFile |
| $certBase64 = [System.Convert]::ToBase64String($certX509.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) |
| $certPEM = "-----BEGIN CERTIFICATE-----", $certBase64, "-----END CERTIFICATE-----" -join "`n" |
| $certPEM | Out-File -FilePath "$certFile" -Encoding Ascii |
| $cert += "-f","$certFile" |
| |
| # Tell signtool how to find the certificate's private key. |
| if ($csp) { |
| $cert += "-csp","$csp" |
| } |
| if ($kc) { |
| if ($pass) { |
| # The provider offers a syntax to encode the token passphrase in the key container name. |
| # https://web.archive.org/web/20250315200813/https://stackoverflow.com/questions/17927895/automate-extended-validation-ev-code-signing-with-safenet-etoken |
| $cert += "-kc","[{{$pass}}]=$kc" |
| $pass = $null |
| } else { |
| $cert += "-kc","$kc" |
| } |
| } |
| } else { |
| $cert += @("-a") |
| } |
| |
| # Sign binaries with SHA-1 for Windows 7 and below. |
| & $signtool sign -v $cert -t http://timestamp.digicert.com -fd sha1 bin\*.exe |
| if (-not $?) { Exit $LastExitCode } |
| |
| # Sign binaries with SHA-256 for Windows 8 and above. |
| & $signtool sign -v $cert -tr http://timestamp.digicert.com -fd sha256 -td sha256 -as bin\*.exe |
| if (-not $?) { Exit $LastExitCode } |
| |
| # Create packages. |
| & $cpack -G "ZIP;WIX" |
| if (-not $?) { Exit $LastExitCode } |
| |
| # Sign installer with SHA-256. |
| & $signtool sign -v $cert -tr http://timestamp.digicert.com -fd sha256 -td sha256 -d "CMake Windows Installer" cmake-*-win*.msi |
| if (-not $?) { Exit $LastExitCode } |
