scivision/cmake-gpg-sign
CMake GPG sign binaries

Simple example of building and signing binaries in CMake as a post-build action, then installing them to a user-defined location. The signature certifies that the worker (the build machine) created the signed binaries. As with any signing method, it does not certify that you or the worker haven't been compromised in some way. This method works on every platform we've tried where GPG is available, e.g. macOS, Linux, Windows, ....

You must have previously set up GnuPG and have a GPG keypair for this example to work. If a keypair doesn't already exist, generate or import one. For the key to be useful in general, you will need to publish or exchange your public key with the recipients in a trusted manner. GPG can be installed by:

  • macOS Homebrew: brew install gnupg
  • Linux: apt install gnupg or dnf install gnupg2
  • Windows: Git: %PROGRAMFILES%/Git/usr/bin/gpg.exe

Build

cmake -B build -DCMAKE_INSTALL_PREFIX=~/demo

cmake --build build

cmake --install build

creates:

  • "~/demo/bin/hello" binary executable
  • "~/demo/bin/hello.asc" plain-text (ASCII-armored) detached GPG signature of the binary

CPack Package

Optionally, CPack can be used to package the GPG signature files alongside the source and/or binary package files. After building, do:

cpack --config build/CPackConfig.cmake  # binary package

cpack --config build/CPackSourceConfig.cmake  # source package

Observe that the following files are created:

build/package/PGPdemo-<version>-Source.tar.zst
build/package/PGPdemo-<version>-Source.tar.zst.asc
build/package/PGPdemo-<version>-<platform>.tar.zst
build/package/PGPdemo-<version>-<platform>.tar.zst.asc

Verify signature

gpg --verify build/hello.asc build/hello

results in:

gpg: Signature made <when you signed>
gpg:                using RSA key <your key>
gpg: Good signature from "your PGP info" [ultimate]
...

If the signature can't be matched to an imported public key, the return code is non-zero and the output includes:

gpg: Can't check signature: No public key

This is done as a self-test by:

ctest --test-dir build
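An illustrative CMakeLists.txt showing how the post-build signing, install and ctest self-test described above fit together. This is an added example, not the project's own file; it assumes a hello.c source next to it and a default GPG signing key in the worker's keyring.

```cmake
cmake_minimum_required(VERSION 3.19)
project(PGPdemo LANGUAGES C)

# hello.c is assumed to exist beside this file (not part of the original page).
add_executable(hello hello.c)

# Fail at configure time if gpg is missing, so the signing step can never be
# silently skipped and an unsigned binary shipped.
find_program(GPG_EXECUTABLE NAMES gpg gpg2 REQUIRED)

# Post-build: write an ASCII-armored detached signature next to the binary.
# --batch keeps the build non-interactive; --yes overwrites a stale .asc
# left over from a previous build so the signature always matches the
# binary just produced.
add_custom_command(TARGET hello POST_BUILD
  COMMAND ${GPG_EXECUTABLE} --batch --yes --armor --detach-sign
          --output $<TARGET_FILE:hello>.asc $<TARGET_FILE:hello>
  COMMENT "GPG signing $<TARGET_FILE_NAME:hello>"
  VERBATIM)

# Install the binary and its signature side by side under <prefix>/bin,
# e.g. ~/demo/bin/hello and ~/demo/bin/hello.asc.
install(TARGETS hello RUNTIME DESTINATION bin)
install(FILES $<TARGET_FILE:hello>.asc DESTINATION bin)

enable_testing()

# Self-test: gpg --verify exits non-zero if the signature does not match the
# binary or the signing key is not in the keyring.
add_test(NAME verify_signature
  COMMAND ${GPG_EXECUTABLE} --verify $<TARGET_FILE:hello>.asc $<TARGET_FILE:hello>)

# Negative self-test: verifying the signature against a different file must
# fail, confirming that a tampered or swapped binary would be detected.
add_test(NAME tamper_detected
  COMMAND ${GPG_EXECUTABLE} --verify $<TARGET_FILE:hello>.asc
          ${CMAKE_CURRENT_SOURCE_DIR}/CMakeLists.txt)
set_tests_properties(tamper_detected PROPERTIES WILL_FAIL TRUE)
```

After `cmake --build build`, `ctest --test-dir build` runs both checks; the positive test only passes on a machine whose keyring holds the public key that signed the binary.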