It doesn't seem too hard to implement; at least the documentation for it doesn't seem as complex as it is for macOS.
I hope with this to get rid of the wrong Windows banner saying "Windows protected your PC", which defaults to aborting the execution of Contour's MSI installer file.
```cmake
# Note: cache variables, including the password, are stored in plain text in CMakeCache.txt.
set(SIGNTOOL_EXECUTABLE "signtool" CACHE STRING "Path to signtool.exe")
set(SIGNTOOL_CERTFILE_PATH "/path/to/certificate.pfx" CACHE PATH "Path to your certificate.pfx")
set(SIGNTOOL_CERTFILE_PASSWORD "" CACHE STRING "Password for the given certificate")

# Sign the contour executable after each build, with an RFC 3161 timestamp and SHA256 digests.
add_custom_command(
    TARGET contour POST_BUILD
    COMMAND ${SIGNTOOL_EXECUTABLE} sign /f "${SIGNTOOL_CERTFILE_PATH}" /p "${SIGNTOOL_CERTFILE_PASSWORD}" /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $<TARGET_FILE:contour>
)
```
Not sure how much we'd need to digitally sign, i.e., what about the DLLs?
Also, the .msi file at the end should be digitally signed as well as its content.
This requires signtool.exe (part of the Windows SDK).
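On the open question of what needs signing (the DLLs as well as the executable), here is an added example, not part of the original issue or of Contour's build: a Python check that lists the `.exe`/`.dll` files in a staged install tree that carry no embedded Authenticode certificate table. The function names and the sample file names are hypothetical, and `make_sample_pe` builds a constructed header for the demo only.

```python
import struct
from pathlib import Path
from typing import Optional

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_signature_blob(data: bytes) -> Optional[bool]:
    """True/False for a PE image, None when the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    opt = pe + 24                                        # past "PE\0\0" + COFF header
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < opt + 2:
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}.get(magic, 0)   # PE32 / PE32+
    if dirs == opt or len(data) < dirs + 8 * (SECURITY_DIR + 1):
        return None
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    # For this directory the "address" field is a file offset, not an RVA.
    return count > SECURITY_DIR and size > 0 and 0 < offset <= len(data) - size

def unsigned_binaries(root: Path) -> list:
    """Relative paths of .exe/.dll files under root without a signature blob."""
    found = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in {".exe", ".dll"}:
            if has_signature_blob(path.read_bytes()) is not True:
                found.append(path.relative_to(root).as_posix())
    return found

def make_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a loadable program."""
    pe = 0x40
    buf = bytearray(pe + 24 + 112 + 16 * 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe)
    buf[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe + 24, 0x20B)
    struct.pack_into("<I", buf, pe + 24 + 108, 16)
    if signed:  # point the certificate table at 8 placeholder bytes appended below
        struct.pack_into("<II", buf, pe + 24 + 112 + 8 * SECURITY_DIR, len(buf), 8)
        buf += b"\0" * 8
    return bytes(buf)
```

This only detects whether a signature is present; whether it is valid and chains to a trusted root is what `signtool verify /pa <file>` checks. The `.msi` is not a PE file, so it is not covered by this check.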