# The signtool.  Default to PATH.
set(CMake_INSTALL_SIGNTOOL "@CMake_INSTALL_SIGNTOOL@")
if(NOT CMake_INSTALL_SIGNTOOL)
  set(CMake_INSTALL_SIGNTOOL signtool)
endif()

# Select a certificate by Subject Name.  Default to automatic selection.
set(CMake_INSTALL_SIGNTOOL_SUBJECT_NAME "@CMake_INSTALL_SIGNTOOL_SUBJECT_NAME@")
if(CMake_INSTALL_SIGNTOOL_SUBJECT_NAME)
  set(select_cert -n "${CMake_INSTALL_SIGNTOOL_SUBJECT_NAME}")
else()
  set(select_cert -a)
endif()

# Timestamp URL.  Default to a common provider.
set(CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL "@CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL@")
if(NOT CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL)
  set(CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL "http://timestamp.digicert.com")
endif()

# Glob files that need a signature.
file(GLOB files "$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/bin/*.exe")

# Sign all files at once.
if(files)
  # Run the signtool through 'cmd /c' to enable password prompt popup.
  # Some providers have trouble when signtool is invoked with SW_HIDE.
  set(cmd cmd /c "${CMake_INSTALL_SIGNTOOL}" sign -v ${select_cert})

  # Sign with SHA-1 for Windows 7 and below.
  execute_process(
    COMMAND ${cmd} -t  "${CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL}" ${files}
    RESULT_VARIABLE result
    ERROR_VARIABLE stderr
    )
  if(NOT result EQUAL 0)
    string(REPLACE "\n" "\n  " stderr "  ${stderr}")
    message(WARNING "signtool failed:\n${stderr}")
  endif()

  # Sign with SHA-256 for Windows 8 and above.
  execute_process(
    COMMAND ${cmd} -tr "${CMake_INSTALL_SIGNTOOL_TIMESTAMP_URL}" -fd sha256 -td sha256 -as ${files}
    RESULT_VARIABLE result
    ERROR_VARIABLE stderr
    )
  if(NOT result EQUAL 0)
    string(REPLACE "\n" "\n  " stderr "  ${stderr}")
    message(WARNING "signtool failed:\n${stderr}")
  endif()
endif()