Add initial template windows signing flow (#2443)

Adds workflow signing Windows installers with EV certificate from Azure Key Vault via AzureSignTool Adds CMake to sign Windows binaries as they're processed Installs dotnet 8 as required by AST Signed-off-by: John Parent <john.parent@kitware.com>
2025-09-05 18:40:50 +00:00 · 2024-07-01 17:40:02 -04:00
parent 576e167146
commit c0d311bc66
4 changed files with 82 additions and 4 deletions
--- a/gpt4all-chat/CMakeLists.txt
+++ b/gpt4all-chat/CMakeLists.txt
@@ -22,6 +22,8 @@ set(APP_VERSION_PATCH 0)
 set(APP_VERSION_BASE "${APP_VERSION_MAJOR}.${APP_VERSION_MINOR}.${APP_VERSION_PATCH}")
 set(APP_VERSION "${APP_VERSION_BASE}")

+list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_LIST_DIR}/cmake/Modules")
+
 # Include the binary directory for the generated header file
 include_directories("${CMAKE_CURRENT_BINARY_DIR}")

@@ -286,10 +288,6 @@ target_link_libraries(chat

 # -- install --

-function(install_sign_osx tgt)
-    install(CODE "execute_process(COMMAND codesign --options runtime --timestamp -s \"${MAC_SIGNING_IDENTITY}\" $<TARGET_FILE:${tgt}>)")
-endfunction()
-
 set(COMPONENT_NAME_MAIN ${PROJECT_NAME})

 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
@@ -333,6 +331,7 @@ install(
 )

 if(APPLE AND GPT4ALL_SIGN_INSTALL)
+    include(SignMacOSBinaries)
    install_sign_osx(chat)
    install_sign_osx(llmodel)
    foreach(tgt ${MODEL_IMPL_TARGETS})
@@ -340,6 +339,15 @@ if(APPLE AND GPT4ALL_SIGN_INSTALL)
    endforeach()
 endif()

+if(WIN32 AND GPT4ALL_SIGN_INSTALL)
+    include(SignWindowsBinaries)
+    sign_target_windows(chat)
+    sign_target_windows(llmodel)
+    foreach(tgt ${MODEL_IMPL_TARGETS})
+        sign_target_windows(${tgt})
+    endforeach()
+endif()
+
 if (LLMODEL_CUDA)
    set_property(TARGET llamamodel-mainline-cuda llamamodel-mainline-cuda-avxonly
                 APPEND PROPERTY INSTALL_RPATH "$ORIGIN")
--- a/gpt4all-chat/cmake/Modules/SignMacOSBinaries.cmake
+++ b/gpt4all-chat/cmake/Modules/SignMacOSBinaries.cmake
@@ -0,0 +1,3 @@
+function(install_sign_osx tgt)
+    install(CODE "execute_process(COMMAND codesign --options runtime --timestamp -s \"${MAC_SIGNING_IDENTITY}\" $<TARGET_FILE:${tgt}>)")
+endfunction()
--- a/gpt4all-chat/cmake/Modules/SignWindowsBinaries.cmake
+++ b/gpt4all-chat/cmake/Modules/SignWindowsBinaries.cmake
@@ -0,0 +1,17 @@
+function(sign_target_windows tgt)
+    if(WIN32 AND GPT4ALL_SIGN_INSTALL)
+        add_custom_command(TARGET ${tgt}
+            POST_BUILD
+            COMMAND AzureSignTool.exe sign
+                -du "https://gpt4all.io/index.html"
+                -kvu https://gpt4all.vault.azure.net
+                -kvi "$Env{AZSignGUID}"
+                -kvs "$Env{AZSignPWD}"
+                -kvc "$Env{AZSignCertName}"
+                -kvt "$Env{AZSignTID}"
+                -tr http://timestamp.digicert.com
+                -v
+                $<TARGET_FILE:${tgt}>
+        )
+    endif()
+endfunction()