Bug#24732 Executables do not include Vista manifests

- Sign executables with MySQL AB security certificate.


BitKeeper/etc/ignore:
  Bug#24732 Executables do not include Vista manifests
  - Ignore security catalog descriptions
CMakeLists.txt:
  Bug#24732 Executables do not include Vista manifests
  - Search for additional tools necessary to embed, catalog and sign
  targets.
win/README:
  Bug#24732 Executables do not include Vista manifests
  - Add internal only note to EMBED_MANIFESTS option.
win/create_manifest.js:
  Bug#24732 Executables do not include Vista manifests
  - Added publicKeyToken attribute to manifest.
win/mysql_manifest.cmake:
  Bug#24732 Executables do not include Vista manifests
  - Add additional commands to create security catalog and sign 
  targets.
  - Add parameters to add appropiate hash attribute to manifest
  and create security content description of the security catalog.

.bzrignore

@@ -6,6 +6,7 @@
 *.bin
 *.vcproj.cmake
 cmake_install.cmake
+*.cdf
 *.core
 *.d
 *.da

CMakeLists.txt

@@ -139,21 +139,47 @@ ENDIF(CMAKE_GENERATOR MATCHES "Visual Studio 7" OR
 ADD_DEFINITIONS("-D_WINDOWS -D__WIN__ -D _CRT_SECURE_NO_DEPRECATE")
 
 IF(EMBED_MANIFESTS)
-    # Search for the Manifest tool.  CMake will first search it's defaults
+    # Search for the tools (mt, makecat, signtool) necessary for embedding
-    # (CMAKE_FRAMEWORK_PATH, CMAKE_APPBUNDLE_PATH, CMAKE_PROGRAM_PATH and
+    # manifests and signing executables with the MySQL AB authenticode cert.
-    # the system PATH) followed by the listed paths which are the current
+    #
-    # possible defaults and should be updated when necessary.  The custom
+    # CMake will first search it's defaults (CMAKE_FRAMEWORK_PATH, 
-    # manifests are designed to be compatible with all mt versions.
+    # CMAKE_APPBUNDLE_PATH, CMAKE_PROGRAM_PATH and the system PATH) followed 
+    # by the listed paths which are the current possible defaults and should be
+    # updated when necessary.  
+    # 
+    # The custom manifests are designed to be compatible with all mt versions.
+    # The MySQL AB Authenticode certificate is available only internally.  
+    # Others should store a single signing certificate in a local cryptographic
+    # service provider and alter the signtool command as necessary.
     FIND_PROGRAM(HAVE_MANIFEST_TOOL NAMES mt
                  PATHS
                  "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/VC/bin"
                  "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/Common7/Tools/Bin"
                  "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/SDK/v2.0/Bin")
+    FIND_PROGRAM(HAVE_CATALOG_TOOL NAMES makecat
+                 PATHS
+                 "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/Common7/Tools/Bin")
+    FIND_PROGRAM(HAVE_SIGN_TOOL NAMES signtool
+                 PATHS
+                 "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/Common7/Tools/Bin"
+                 "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/SDK/v2.0/Bin")
+
     IF(HAVE_MANIFEST_TOOL)
-        MESSAGE(STATUS "Found Mainfest Tool. Embedding custom manifests.")
+        MESSAGE(STATUS "Found Mainfest Tool.")
     ELSE(HAVE_MANIFEST_TOOL)
         MESSAGE(FATAL_ERROR "Manifest tool, mt.exe, can't be found.")
     ENDIF(HAVE_MANIFEST_TOOL)
+    IF(HAVE_CATALOG_TOOL)
+        MESSAGE(STATUS "Found Catalog Tool.")
+    ELSE(HAVE_CATALOG_TOOL)
+        MESSAGE(FATAL_ERROR "Catalog tool, makecat.exe, can't be found.")
+    ENDIF(HAVE_CATALOG_TOOL)
+    IF(HAVE_SIGN_TOOL)
+        MESSAGE(STATUS "Found Sign Tool. Embedding custom manifests and signing executables.")
+    ELSE(HAVE_SIGN_TOOL)
+        MESSAGE(FATAL_ERROR "Sign tool, signtool.exe, can't be found.")
+    ENDIF(HAVE_SIGN_TOOL)
+
     # Disable automatic manifest generation.
     STRING(REPLACE "/MANIFEST" "/MANIFEST:NO" CMAKE_EXE_LINKER_FLAGS 
     	   ${CMAKE_EXE_LINKER_FLAGS})

win/README

@@ -51,7 +51,8 @@ The options right now are
     DISABLE_GRANT_OPTIONS                Disables the use of --init-file and --skip-grant-tables
                                          options of mysqld.exe
     EMBED_MANIFESTS                      Embed custom manifests into final exes, otherwise VS
-                                         default will be used.
+                                         default will be used. (Note - This option should only be
+                                         used by MySQL AB.)
                                 
 
 So the command line could look like:

win/create_manifest.js

@@ -56,7 +56,7 @@ try
   manifest_xml+= "\t<assemblyIdentity name=\'" + app_name + "\'";
   manifest_xml+= " version=\'" + app_version + "\'"; 
   manifest_xml+= " processorArchitecture=\'" + app_arch + "\'";
-  // TOADD - Add publicKeyToken attribute once we have Authenticode key.
+  manifest_xml+= " publicKeyToken=\'02ad33b422233ae3\'";
   manifest_xml+= " type=\'win32\' />\r\n";
   // Identify the application security requirements.
   manifest_xml+= "\t<trustInfo xmlns=\'urn:schemas-microsoft-com:asm.v2\'>\r\n"; 

win/mysql_manifest.cmake

@@ -14,7 +14,8 @@ MACRO(MYSQL_EMBED_MANIFEST _target_name _required_privs)
   ADD_CUSTOM_COMMAND(
     TARGET ${_target_name}
     POST_BUILD
-    COMMAND mt.exe 
+    COMMAND mt.exe       ARGS -nologo -hashupdate -makecdfs -manifest $(IntDir)\\$(TargetFileName).intermediate.manifest -outputresource:$(TargetPath) 
-    ARGS -nologo -manifest $(IntDir)\\$(TargetFileName).intermediate.manifest -outputresource:$(TargetPath) 
+    COMMAND makecat.exe  ARGS $(IntDir)\\$(TargetFileName).intermediate.manifest.cdf
-    COMMENT "Embeds the manifest contents.")
+    COMMAND signtool.exe ARGS sign /a /t http://timestamp.verisign.com/scripts/timstamp.dll $(TargetPath)
+    COMMENT "Embeds the manifest contents, creates a cryptographic catalog, signs the target with Authenticode certificate.")
 ENDMACRO(MYSQL_EMBED_MANIFEST)