pass the signtool executable to nsis

cmake/macros/OptionalWinExecutableSigning.cmake

@@ -13,13 +13,6 @@ macro(optional_win_executable_signing)
   if (WIN32 AND (PRODUCTION_BUILD OR PR_BUILD))
     if (DEFINED ENV{HF_PFX_FILE})
       if (DEFINED ENV{HF_PFX_PASSPHRASE})
-        # find signtool
-        find_program(SIGNTOOL_EXEC signtool PATHS "C:/Program Files (x86)/Windows Kits/8.1" PATH_SUFFIXES "bin/x64")
-
-        if (NOT SIGNTOOL_EXEC)
-          message(FATAL_ERROR "Code signing of executables was requested but signtool.exe could not be found.")
-        endif ()
-
         message(STATUS "Executable for ${TARGET_NAME} will be signed with SignTool.")
 
         if (NOT EXECUTABLE_PATH)
@@ -29,7 +22,7 @@ macro(optional_win_executable_signing)
         # setup a post build command to sign the executable
         add_custom_command(
           TARGET ${TARGET_NAME} POST_BUILD
-          COMMAND ${SIGNTOOL_EXEC} sign /f %HF_PFX_FILE% /p %HF_PFX_PASSPHRASE% /tr http://tsa.starfieldtech.com /td SHA256 ${EXECUTABLE_PATH}
+          COMMAND ${SIGNTOOL_EXECUTABLE} sign /f %HF_PFX_FILE% /p %HF_PFX_PASSPHRASE% /tr http://tsa.starfieldtech.com /td SHA256 ${EXECUTABLE_PATH}
         )
       else ()
         message(FATAL_ERROR "HF_PFX_PASSPHRASE must be set for executables to be signed.")

cmake/macros/SetPackagingParameters.cmake

@@ -60,6 +60,15 @@ macro(SET_PACKAGING_PARAMETERS)
     # start menu shortcuts
     set(INTERFACE_SM_SHORTCUT_NAME "High Fidelity")
     set(CONSOLE_SM_SHORTCUT_NAME "Server Console")
+
+    # check if we need to find signtool
+    if (PRODUCTION_BUILD OR PR_BUILD)
+      find_program(SIGNTOOL_EXECUTABLE signtool PATHS "C:/Program Files (x86)/Windows Kits/8.1" PATH_SUFFIXES "bin/x64")
+
+      if (NOT SIGNTOOL_EXECUTABLE)
+        message(FATAL_ERROR "Code signing of executables was requested but signtool.exe could not be found.")
+      endif ()
+    endif ()
   endif ()
 
   if (APPLE)

cmake/templates/CPackProperties.cmake.in

@@ -18,3 +18,4 @@ set(PRODUCTION_BUILD "@PRODUCTION_BUILD@")
 set(POST_INSTALL_OPTIONS_PATH "@POST_INSTALL_OPTIONS_PATH@")
 set(CLIENT_COMPONENT_NAME "@CLIENT_COMPONENT@")
 set(SERVER_COMPONENT_NAME "@SERVER_COMPONENT@")
+set(SIGNTOOL_EXECUTABLE "@SIGNTOOL_EXECUTABLE@")

cmake/templates/NSIS.template.in

@@ -674,7 +674,6 @@ Section "-Core installation"
     SetOutPath $INSTDIR
 
     ; this packages the signed uninstaller
-
     File $%TEMP%\uninstaller.exe
   !endif
 
@@ -1101,15 +1100,15 @@ Function .onInit
 
     ; just bail out quickly when running the "inner" installer
     Quit
+  !else
+    ; The Inner invocation has written an uninstaller binary for us.
+    ; We need to sign it if it's a production build.
+
+    ${If} "@PRODUCTION_BUILD@" == "1"
+      !system "@SIGNTOOL_EXECUTABLE@ sign /f %HF_PFX_FILE% /p %HF_PFX_PASSPHRASE% /tr http://tsa.starfieldtech.com /td SHA256 $%TEMP%\uninstaller.exe" = 0
+    ${EndIf}
   !endif
 
-  ; The Inner invocation has written an uninstaller binary for us.
-  ; We need to sign it if it's a production build.
-
-  ${If} "@PRODUCTION_BUILD@" == "1"
-    !system "signcode <signing options> $%TEMP%\uninstaller.exe" = 0
-  ${EndIf}
-
   StrCmp "@CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL@" "ON" 0 inst
 
   ReadRegStr $0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\@CPACK_PACKAGE_INSTALL_REGISTRY_KEY@" "UninstallString"