[Windows] Add support for code signing the final binaries.

The option is controlled with the WITH_WINDOWS_CODESIGN option and needs:

- Signtool must be found on the system, the standard windows sdk folders will be searched for it.
- The path to the pfx file (WINDOWS_CODESIGN_PFX)
- The password for the pfx , this can either be set by the WINDOWS_CODESIGN_PFX_PASSWORD variable but given that ends up in CMakeCache.txt (which might be undesirable) there is a backup option of setting the PFXPASSWORD environment variable on the system.

Reviewers: sergey, juicyfruit

Reviewed By: juicyfruit

Tags: #bf_blender, #platform:_windows

Differential Revision: https://developer.blender.org/D2182

CMakeLists.txt

@@ -512,6 +512,15 @@ mark_as_advanced(WITH_LEGACY_DEPSGRAPH)
 option(WITH_WINDOWS_FIND_MODULES "Use find_package to locate libraries" OFF)
 mark_as_advanced(WITH_WINDOWS_FIND_MODULES)
 
+option(WITH_WINDOWS_CODESIGN "Use signtool to sign the final binary." OFF)
+mark_as_advanced(WITH_WINDOWS_CODESIGN)
+
+set(WINDOWS_CODESIGN_PFX CACHE FILEPATH  "Path to pfx file to use for codesigning.")
+mark_as_advanced(WINDOWS_CODESIGN_PFX)
+
+set(WINDOWS_CODESIGN_PFX_PASSWORD CACHE STRING  "password for pfx file used for codesigning.")
+mark_as_advanced(WINDOWS_CODESIGN_PFX_PASSWORD)
+
 # avoid using again
 option_defaults_clear()
 

build_files/cmake/macros.cmake

@@ -1578,3 +1578,26 @@ macro(openmp_delayload
 			endif(WITH_OPENMP)
 		endif(MSVC)
 endmacro()
+
+MACRO(WINDOWS_SIGN_TARGET target)
+	if (WITH_WINDOWS_CODESIGN)
+		if (!SIGNTOOL_EXE)
+			error("Codesigning is enabled, but signtool is not found")
+		else()
+			if (WINDOWS_CODESIGN_PFX_PASSWORD)
+				set(CODESIGNPASSWORD /p ${WINDOWS_CODESIGN_PFX_PASSWORD})
+			else()
+				if ($ENV{PFXPASSWORD})
+					set(CODESIGNPASSWORD /p $ENV{PFXPASSWORD})
+				else()
+					message( FATAL_ERROR "WITH_WINDOWS_CODESIGN is on but WINDOWS_CODESIGN_PFX_PASSWORD not set, and environment variable PFXPASSWORD not found, unable to sign code.")
+				endif()
+			endif()
+			add_custom_command(TARGET ${target}
+						POST_BUILD
+						COMMAND ${SIGNTOOL_EXE} sign /f ${WINDOWS_CODESIGN_PFX} ${CODESIGNPASSWORD} $<TARGET_FILE:${target}>
+						VERBATIM
+				)
+		endif()
+	endif()
+ENDMACRO()

build_files/cmake/platform/platform_win32_msvc.cmake

@@ -471,3 +471,15 @@ endif()
 
 # used in many places so include globally, like OpenGL
 blender_include_dirs_sys("${PTHREADS_INCLUDE_DIRS}")
+
+#find signtool  
+SET(ProgramFilesX86_NAME "ProgramFiles(x86)") #env dislikes the ( ) 
+find_program(SIGNTOOL_EXE signtool
+HINTS
+  "$ENV{${ProgramFilesX86_NAME}}/Windows Kits/10/bin/x86/"
+  "$ENV{ProgramFiles}/Windows Kits/10/bin/x86/"
+  "$ENV{${ProgramFilesX86_NAME}}/Windows Kits/8.1/bin/x86/"
+  "$ENV{ProgramFiles}/Windows Kits/8.1/bin/x86/"
+  "$ENV{${ProgramFilesX86_NAME}}/Windows Kits/8.0/bin/x86/"
+  "$ENV{ProgramFiles}/Windows Kits/8.0/bin/x86/"
+)

source/blenderplayer/CMakeLists.txt

@@ -58,7 +58,7 @@ if(WIN32 AND NOT UNIX)
 			blenderplayer ${EXETYPE}
 			bad_level_call_stubs/stubs.c
 			${CMAKE_SOURCE_DIR}/release/windows/icons/winblender.rc)
-
+	WINDOWS_SIGN_TARGET(blenderplayer)
 	install(TARGETS blenderplayer
 			COMPONENT Blenderplayer
 			DESTINATION ".")

source/creator/CMakeLists.txt

@@ -263,6 +263,7 @@ if(WITH_PYTHON_MODULE)
 
 else()
 	add_executable(blender ${EXETYPE} ${SRC})
+	WINDOWS_SIGN_TARGET(blender)
 endif()
 
 if(WITH_BUILDINFO)