Code signing with CMAKE on macOS
-
I have a self-signed code signing cert on a Mac system (in the login key chain).
It has CN=David Partridge; O=DeepSkyStacker, OU=DeepSkyStacker
I think I need to configure my top level CMakeLists.txt to contain:
if (APPLE)
    set(CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM "DeepSkyStacker" CACHE STRING "")
    set(CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "David Partridge" CACHE STRING "")
endif()
Is that correct?
The deploy section of the lower level CMakeLists.txt looks like:
if(NOT LINUX)
    set (deploy_tool_options_arg "")
    if(APPLE)
        set(deploy_tool_options_arg "${deploy_tool_options_arg} -hardened-runtime")
    elseif(WIN32)
        set(deploy_tool_options_arg "${deploy_tool_options_arg} --pdb")
    endif()
    # Generate a deployment script to be executed at install time
    # App bundles on macOS have an .app suffix
    if(APPLE)
        set(executable_path "${CMAKE_CURRENT_BINARY_DIR}/$<TARGET_FILE_NAME:DeepSkyStacker>.app")
    else()
        message ("Target filename:" $<TARGET_FILE_NAME:DeepSkyStacker>)
        set(executable_path "${CMAKE_CURRENT_BINARY_DIR}/$<TARGET_FILE_NAME:DeepSkyStacker>")
    endif()
    message ("executable_path: " ${executable_path})
    message ("deploy tools options arg: " ${deploy_tool_options_arg})
    qt_generate_deploy_script(
        TARGET DeepSkyStacker
        OUTPUT_SCRIPT deploy_script
        CONTENT "
qt_deploy_runtime_dependencies(
    EXECUTABLE \"${executable_path}\"
    DEPLOY_TOOL_OPTIONS ${deploy_tool_options_arg}
)"
    )
else()
    qt_generate_deploy_app_script(
        TARGET ${PROJECT_NAME}
        OUTPUT_SCRIPT deploy_script
        DEPLOY_TOOL_OPTIONS ${deploy_tool_options_arg}
    )
endif()
install (SCRIPT ${deploy_script})
install(TARGETS ${PROJECT_NAME} BUNDLE DESTINATION .)
What do I need to change to get the output bundle signed?
-
I changed the if(APPLE) bit to read:
if(APPLE)
    set(deploy_tool_options_arg "${deploy_tool_options_arg} -hardened-runtime -no-strip")
    set(deploy_tool_options_arg "${deploy_tool_options_arg} -codesign=\"David Partridge\"")
Unfortunately that got me lots of:
ERROR: Codesign signing error: ERROR: "error: The specified item could not be found in the keychain.\n"
So what have I got wrong there please?
-
I was able to locate the signing keys/certificate using -codesign=David, so it looks like I need to change the way I specify the CN in the line:
set(deploy_tool_options_arg "${deploy_tool_options_arg} -codesign=\"David Partridge\"")
That didn't solve the problem for me though as the CMake code is run in an SSH session and I get errSecInternalComponent when trying to sign each item :(
I exported my private keys to a Keys.p12 file and deleted them.
I then re-imported them:
% security import Keys.p12 -T /usr/bin/codesign -P <P12_PASSWORD>
I then issued:
security set-key-partition-list -S "apple:" -l "David Partridge"
but, when logged in via SSH, I still get:
amonra@Saturn ~ % codesign -s "David" -f "MyTrue"
MyTrue: replacing existing signature
MyTrue: errSecInternalComponent
Guidance greatly appreciated.
Problem with errSecInternalComponent solved by doing:
sudo security import keys.p12 -P <P12_PASSWORD> -k /Library/Keychains/System.keychain -T /usr/bin/codesign
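For signing over SSH while the key stays in a user keychain rather than the System keychain, the following added example (not from the thread and not the poster's fix) unlocks the keychain for the session, sets the key partition list with the keychain password, checks that the identity string resolves, and maps the two errors quoted above to their usual causes. IDENTITY, KEYCHAIN and KEYCHAIN_PASSWORD are assumed names to be replaced with your own values.

```bash
#!/bin/bash
# Added example, not the poster's script. IDENTITY, KEYCHAIN and KEYCHAIN_PASSWORD
# are assumed names; set them to your own values before calling the functions.
IDENTITY="${IDENTITY:-David Partridge}"
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# Make the signing key usable without a GUI prompt in the current (SSH) session.
prepare_keychain() {
    # A keychain that is still locked in a non-GUI session cannot release the key.
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN" || return 1
    # Let Apple-signed tools (codesign) use the signing keys without the access
    # dialog: -s selects signing keys, -k supplies the keychain password.
    security set-key-partition-list -S apple-tool:,apple: -s \
        -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN" >/dev/null || return 1
    # codesign -s matches a substring of the certificate common name, so check
    # that the chosen string resolves to an identity before signing anything.
    security find-identity -p codesigning "$KEYCHAIN" | grep -qF "$IDENTITY"
}

# Map the two codesign failures quoted in this thread to their usual cause.
explain_codesign_error() {
    case "$1" in
        *"could not be found in the keychain"*)
            echo "identity-not-found: compare the -s value with 'security find-identity -p codesigning'" ;;
        *errSecInternalComponent*)
            echo "key-not-usable: keychain locked, or key access control blocks codesign here" ;;
        *)
            echo "other: $1" ;;
    esac
}

# Sign one item with the hardened runtime, then verify the signature.
sign_and_verify() {
    local item="$1" err
    if ! err=$(codesign --force --options runtime --sign "$IDENTITY" "$item" 2>&1); then
        explain_codesign_error "$err" >&2
        return 1
    fi
    codesign --verify --strict --verbose=2 "$item"
}
```

Call `prepare_keychain` once per SSH session, then `sign_and_verify <path>` for each item; a password passed with `-p` or `-k` is visible in the process list while the command runs.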