From a34879ebd2c6c02f77a2df080c4696f0039ebffa Mon Sep 17 00:00:00 2001
From: unknown <iggy@amd64.(none)>
Date: Wed, 25 Jul 2007 13:18:12 -0400
Subject: [PATCH] Bug#24732 Executables do not include Vista manifests - Sign
 executables with MySQL AB security certificate.

BitKeeper/etc/ignore:
  Bug#24732 Executables do not include Vista manifests
  - Ignore security catalog descriptions
CMakeLists.txt:
  Bug#24732 Executables do not include Vista manifests
  - Search for additional tools necessary to embed, catalog and sign
  targets.
win/README:
  Bug#24732 Executables do not include Vista manifests
  - Add internal only note to EMBED_MANIFESTS option.
win/create_manifest.js:
  Bug#24732 Executables do not include Vista manifests
  - Added publicKeyToken attribute to manifest.
win/mysql_manifest.cmake:
  Bug#24732 Executables do not include Vista manifests
  - Add additional commands to create security catalog and sign
  targets.
  - Add parameters to add appropriate hash attribute to manifest
  and create security content description of the security catalog.
---
 .bzrignore               |  1 +
 CMakeLists.txt           | 38 ++++++++++++++++++++++++++++++++------
 win/README               |  3 ++-
 win/create_manifest.js   |  2 +-
 win/mysql_manifest.cmake |  7 ++++---
 5 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/.bzrignore b/.bzrignore
index e7a7a1c27dc..759ca4a20bf 100644
--- a/.bzrignore
+++ b/.bzrignore
@@ -6,6 +6,7 @@
 *.bin
 *.vcproj.cmake
 cmake_install.cmake
+*.cdf
 *.core
 *.d
 *.da
diff --git a/CMakeLists.txt b/CMakeLists.txt
index cdd0cde8b8d..3703548ebc3 100755
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -139,21 +139,47 @@ ENDIF(CMAKE_GENERATOR MATCHES "Visual Studio 7" OR
 ADD_DEFINITIONS("-D_WINDOWS -D__WIN__ -D _CRT_SECURE_NO_DEPRECATE")
 
 IF(EMBED_MANIFESTS)
-    # Search for the Manifest tool.  CMake will first search it's defaults
-    # (CMAKE_FRAMEWORK_PATH, CMAKE_APPBUNDLE_PATH, CMAKE_PROGRAM_PATH and
-    # the system PATH) followed by the listed paths which are the current
-    # possible defaults and should be updated when necessary.  The custom
-    # manifests are designed to be compatible with all mt versions.
+    # Search for the tools (mt, makecat, signtool) necessary for embedding
+    # manifests and signing executables with the MySQL AB authenticode cert.
+    #
+    # CMake will first search it's defaults (CMAKE_FRAMEWORK_PATH, 
+    # CMAKE_APPBUNDLE_PATH, CMAKE_PROGRAM_PATH and the system PATH) followed 
+    # by the listed paths which are the current possible defaults and should be
+    # updated when necessary.  
+    # 
+    # The custom manifests are designed to be compatible with all mt versions.
+    # The MySQL AB Authenticode certificate is available only internally.  
+    # Others should store a single signing certificate in a local cryptographic
+    # service provider and alter the signtool command as necessary.
     FIND_PROGRAM(HAVE_MANIFEST_TOOL NAMES mt
                  PATHS
                  "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/VC/bin"
                  "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/Common7/Tools/Bin"
                  "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/SDK/v2.0/Bin")
+    FIND_PROGRAM(HAVE_CATALOG_TOOL NAMES makecat
+                 PATHS
+                 "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/Common7/Tools/Bin")
+    FIND_PROGRAM(HAVE_SIGN_TOOL NAMES signtool
+                 PATHS
+                 "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/Common7/Tools/Bin"
+                 "$ENV{PROGRAMFILES}/Microsoft Visual Studio 8/SDK/v2.0/Bin")
+
     IF(HAVE_MANIFEST_TOOL)
-        MESSAGE(STATUS "Found Mainfest Tool. Embedding custom manifests.")
+        MESSAGE(STATUS "Found Mainfest Tool.")
     ELSE(HAVE_MANIFEST_TOOL)
         MESSAGE(FATAL_ERROR "Manifest tool, mt.exe, can't be found.")
     ENDIF(HAVE_MANIFEST_TOOL)
+    IF(HAVE_CATALOG_TOOL)
+        MESSAGE(STATUS "Found Catalog Tool.")
+    ELSE(HAVE_CATALOG_TOOL)
+        MESSAGE(FATAL_ERROR "Catalog tool, makecat.exe, can't be found.")
+    ENDIF(HAVE_CATALOG_TOOL)
+    IF(HAVE_SIGN_TOOL)
+        MESSAGE(STATUS "Found Sign Tool. Embedding custom manifests and signing executables.")
+    ELSE(HAVE_SIGN_TOOL)
+        MESSAGE(FATAL_ERROR "Sign tool, signtool.exe, can't be found.")
+    ENDIF(HAVE_SIGN_TOOL)
+
     # Disable automatic manifest generation.
     STRING(REPLACE "/MANIFEST" "/MANIFEST:NO" CMAKE_EXE_LINKER_FLAGS 
     	   ${CMAKE_EXE_LINKER_FLAGS})
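Review bot: The three `FIND_PROGRAM` results are only tested as booleans here, while the post-build step in win/mysql_manifest.cmake still invokes bare `mt.exe`, `makecat.exe` and `signtool.exe`, so the binary that passes this configure-time check is not necessarily the one PATH resolves at build time. For a signing toolchain it is worth running exactly the located tool, e.g. `COMMAND "${HAVE_SIGN_TOOL}" ARGS sign ...` in the macro. Separately, the new `FATAL_ERROR` branches make makecat and signtool mandatory whenever `EMBED_MANIFESTS` is on, so manifests can no longer be embedded without also signing; a separate option for the signing step (placeholder name `SIGN_EXECUTABLES`) would keep the two concerns apart. The enclosing `IF(EMBED_MANIFESTS)` block continues past the end of this hunk.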
diff --git a/win/README b/win/README
index 118d619226a..d13f37965c1 100644
--- a/win/README
+++ b/win/README
@@ -51,7 +51,8 @@ The options right now are
     DISABLE_GRANT_OPTIONS                Disables the use of --init-file and --skip-grant-tables
                                          options of mysqld.exe
     EMBED_MANIFESTS                      Embed custom manifests into final exes, otherwise VS
-                                         default will be used.
+                                         default will be used. (Note - This option should only be
+                                         used by MySQL AB.)
                                 
 
 So the command line could look like:
diff --git a/win/create_manifest.js b/win/create_manifest.js
index 8569bd508ff..dec8f6e62e2 100755
--- a/win/create_manifest.js
+++ b/win/create_manifest.js
@@ -56,7 +56,7 @@ try
   manifest_xml+= "\t<assemblyIdentity name=\'" + app_name + "\'";
   manifest_xml+= " version=\'" + app_version + "\'"; 
   manifest_xml+= " processorArchitecture=\'" + app_arch + "\'";
-  // TOADD - Add publicKeyToken attribute once we have Authenticode key.
+  manifest_xml+= " publicKeyToken=\'02ad33b422233ae3\'";
   manifest_xml+= " type=\'win32\' />\r\n";
   // Identify the application security requirements.
   manifest_xml+= "\t<trustInfo xmlns=\'urn:schemas-microsoft-com:asm.v2\'>\r\n"; 
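Review bot: The `publicKeyToken` value is hard-coded in the script, so every generated manifest claims the identity of one specific certificate regardless of which certificate signtool actually uses. The CMakeLists.txt comment in this same patch tells other builders to substitute their own certificate, and a renewed key would presumably change the token too; in both cases the manifest and the signature would disagree silently. Consider taking the token as a script argument alongside the existing `app_name`/`app_version`/`app_arch` values and omitting the attribute when none is given, with a comment such as `// publicKeyToken must match the public key of the certificate used to sign the target.` The `try` block starts and ends outside this hunk.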
diff --git a/win/mysql_manifest.cmake b/win/mysql_manifest.cmake
index 4c88be1d800..0d429e438d6 100755
--- a/win/mysql_manifest.cmake
+++ b/win/mysql_manifest.cmake
@@ -14,7 +14,8 @@ MACRO(MYSQL_EMBED_MANIFEST _target_name _required_privs)
   ADD_CUSTOM_COMMAND(
     TARGET ${_target_name}
     POST_BUILD
-    COMMAND mt.exe 
-    ARGS -nologo -manifest $(IntDir)\\$(TargetFileName).intermediate.manifest -outputresource:$(TargetPath) 
-    COMMENT "Embeds the manifest contents.")
+    COMMAND mt.exe       ARGS -nologo -hashupdate -makecdfs -manifest $(IntDir)\\$(TargetFileName).intermediate.manifest -outputresource:$(TargetPath) 
+    COMMAND makecat.exe  ARGS $(IntDir)\\$(TargetFileName).intermediate.manifest.cdf
+    COMMAND signtool.exe ARGS sign /a /t http://timestamp.verisign.com/scripts/timstamp.dll $(TargetPath)
+    COMMENT "Embeds the manifest contents, creates a cryptographic catalog, signs the target with Authenticode certificate.")
 ENDMACRO(MYSQL_EMBED_MANIFEST)
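Review bot: `signtool sign /a` lets signtool choose whichever certificate it considers best from the store, so on a machine holding more than one code-signing certificate the executables can be signed with an unintended identity; the patch relies on a comment in CMakeLists.txt ("store a single signing certificate") rather than on the command itself. Pin the certificate explicitly, e.g. `sign /sha1 <CERT_THUMBPRINT_PLACEHOLDER> /t ...`, and follow it with `COMMAND signtool.exe ARGS verify /pa $(TargetPath)` so a missing or unexpected signature fails the build. The timestamp request also makes every post-build step depend on network access to an external server over plain HTTP, which is worth stating in the `COMMENT` text or in win/README. The MACRO begins above this hunk.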