Merge pull request #13369 from SimonWalton-HiFi/check-pfx-file

Don't sign a production Windows installer if there's no key file

cmake/macros/SetPackagingParameters.cmake

@@ -51,6 +51,10 @@ macro(SET_PACKAGING_PARAMETERS)
       set(USE_STABLE_GLOBAL_SERVICES 1)
     endif ()
 
+    if (NOT BYPASS_SIGNING)
+      set(BYPASS_SIGNING 0)
+    endif ()      
+
   elseif (RELEASE_TYPE STREQUAL "PR")
     set(DEPLOY_PACKAGE TRUE)
     set(PR_BUILD 1)

cmake/templates/CPackProperties.cmake.in

@@ -50,3 +50,4 @@ set(SERVER_COMPONENT_CONDITIONAL "@SERVER_COMPONENT_CONDITIONAL@")
 set(CLIENT_COMPONENT_CONDITIONAL "@CLIENT_COMPONENT_CONDITIONAL@")
 set(INSTALLER_TYPE "@INSTALLER_TYPE@")
 set(APP_USER_MODEL_ID "@APP_USER_MODEL_ID@")
+set(BYPASS_SIGNING "@BYPASS_SIGNING@")

cmake/templates/NSIS.template.in

@@ -130,7 +130,11 @@
     ; The Inner invocation has written an uninstaller binary for us.
     ; We need to sign it if it's a production or PR build.
     !if @PRODUCTION_BUILD@ == 1
-      !system '"@SIGNTOOL_EXECUTABLE@" sign /fd sha256 /f %HF_PFX_FILE% /p %HF_PFX_PASSPHRASE% /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /td SHA256 $%TEMP%\@UNINSTALLER_NAME@' = 0
+      !if @BYPASS_SIGNING@ == 1
+        !warning "BYPASS_SIGNING set - installer will not be signed"
+      !else
+        !system '"@SIGNTOOL_EXECUTABLE@" sign /fd sha256 /f %HF_PFX_FILE% /p %HF_PFX_PASSPHRASE% /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp /td SHA256 $%TEMP%\@UNINSTALLER_NAME@' = 0
+      !endif
     !endif
 
     ; Good.  Now we can carry on writing the real installer.