* Fixes #12536 - use friendly description when signing msi file

* Move pre-build installer signing to cmake to streamline the operation and avoid signing hundreds of unnecessary files.
* Enable building both amd64 and arm64 builds with visual studio

Author: droidmonkey

cmake/MakePortableZip.cmake

@@ -0,0 +1,71 @@
+#  Copyright (C) 2025 KeePassXC Team <team@keepassxc.org>
+#
+#  This program is free software: you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation, either version 2 or (at your option)
+#  version 3 of the License.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+set(_installdir ${CPACK_TEMPORARY_INSTALL_DIRECTORY})
+set(_sign @WITH_XC_SIGNINSTALL@)
+set(_cert_thumbprint @WITH_XC_SIGNINSTALL_CERT@)
+set(_timestamp_url @WITH_XC_SIGNINSTALL_TIMESTAMP_URL@)
+
+# Setup portable zip file if building one
+if(_installdir MATCHES "/ZIP/")
+  file(TOUCH "${_installdir}/.portable")
+  message(STATUS "Injected portable zip file.")
+endif()
+
+# Find all dll and exe files in the install directory
+file(GLOB_RECURSE _sign_files
+      RELATIVE "${_installdir}"
+      "${_installdir}/*.dll"
+      "${_installdir}/*.exe"
+)
+
+# Sign relevant binaries if requested
+if(_sign AND _sign_files)
+  # Find signtool in PATH or error out
+  find_program(_signtool signtool.exe QUIET)
+  if(NOT _signtool)
+    message(FATAL_ERROR "signtool.exe not found in PATH, correct or unset WITH_XC_SIGNINSTALL")
+  endif()
+
+  # Set a default timestamp URL if none was provided
+  if (NOT _timestamp_url)
+    set(_timestamp_url "http://timestamp.sectigo.com")
+  endif()
+
+  # Check that a certificate thumbprint was provided or error out
+  if (NOT _cert_thumbprint)
+    message(STATUS "Signing using best available certificate.")
+    set(_certopt /a)
+  else()
+    message(STATUS "Signing using certificate with thumbprint ${_cert_thumbprint}.")
+    set(_certopt /sha1 ${_cert_thumbprint})
+  endif()
+
+  message(STATUS "Signing binary files with signtool, this may take a while...")
+  # Use cmd /c to enable pop-up for pin entry if needed
+  execute_process(
+      COMMAND cmd /c ${_signtool} sign /fd SHA256 ${_certopt} /tr ${_timestamp_url} /td SHA256 ${_sign_files}
+      WORKING_DIRECTORY "${_installdir}"
+      RESULT_VARIABLE sign_result
+      OUTPUT_VARIABLE sign_output
+      ERROR_VARIABLE sign_error
+      OUTPUT_STRIP_TRAILING_WHITESPACE
+      ERROR_STRIP_TRAILING_WHITESPACE
+      ECHO_OUTPUT_VARIABLE
+  )
+  if (NOT sign_result EQUAL 0)
+    message(FATAL_ERROR "signtool failed: ${sign_error}")
+  endif()
+endif()

cmake/WindowsPostInstall.cmake.in

@@ -261,6 +261,56 @@ def _split_version(version):
     return version.split('.')
 
 
+def _find_vs_dev_cmd():
+    # Try vswhere first, fall back to common install locations
+    try:
+        vswhere = shutil.which('vswhere')
+        if vswhere:
+            inst = subprocess.check_output([vswhere, '-latest', '-products', '*',
+                                           '-requires', 'Microsoft.Component.MSBuild',
+                                           '-property', 'installationPath'], text=True).strip()
+            if inst:
+                cand = Path(inst) / 'Common7' / 'Tools' / 'VsDevCmd.bat'
+                if cand.exists():
+                    return str(cand)
+    except subprocess.CalledProcessError:
+        pass
+
+    # Fallback common paths
+    program_files = [os.environ.get('ProgramFiles(x86)'), os.environ.get('ProgramFiles')]
+    for pfdir in program_files:
+        for vs in sorted(Path(pfdir).glob('Microsoft Visual Studio/*/*'), reverse=True):
+            cand = vs / 'Common7' / 'Tools' / 'VsDevCmd.bat'
+            if cand.exists():
+                return str(cand)
+
+    raise Error('Visual Studio developer command script not found. Install VS or add vswhere to PATH.')
+
+
+def _capture_vs_env(vs_cmd, arch='amd64'):
+    """
+    Run the VS developer batch script in a cmd shell and capture the environment it sets.
+    Returns a dict suitable for passing as subprocess env or for updating os.environ.
+    """
+    # Use cmd.exe to run the batch file and then dump the environment with `set`
+    try:
+        out = subprocess.run(f'cmd /c "{vs_cmd}" -arch={arch} -no_logo && set', capture_output=True, text=True)
+    except subprocess.CalledProcessError as e:
+        raise Error('Failed to run Visual Studio dev script: %s', e.output or str(e))
+    
+    env = {}
+    for line in out.stdout.splitlines():
+        k, v = line.split('=', 1)
+        if v is not None:
+            env[k] = v
+
+    # VS has plenty of environment variables, so this is a basic sanity check
+    if len(env) < 10:
+        raise Error('Failed to capture environment from Visual Studio dev script.')
+    
+    return env
+
+
 ###########################################################################################
 #                                      CLI Commands
 ###########################################################################################
@@ -285,7 +335,7 @@ class Check(Command):
 
     @classmethod
     def setup_arg_parser(cls, parser: argparse.ArgumentParser):
-        parser.add_argument('-v', '--version', help='Release version number or name.')
+        parser.add_argument('version', help='Release version number or name.')
         parser.add_argument('-s', '--src-dir', help='Source directory.', default='.')
         parser.add_argument('-b', '--release-branch', help='Release source branch (default: inferred from --version).')
 
@@ -507,6 +557,12 @@ def setup_arg_parser(cls, parser: argparse.ArgumentParser):
             parser.add_argument('-p', '--platform-target', help='Build target platform (default: %(default)s).',
                                 choices=['x86_64', 'aarch64'], default=platform.uname().machine)
             parser.add_argument('-a', '--appimage', help='Build an AppImage.', action='store_true')
+        elif sys.platform == 'win32':
+            parser.add_argument('-p', '--platform-target', help='Build target platform (default: %(default)s).',
+                                choices=['amd64', 'arm64'], default='amd64')
+            parser.add_argument('--sign', help='Sign binaries prior to packaging.', action='store_true')
+            parser.add_argument('--sign-cert', help='SHA1 fingerprint of the signing certificate (optional).')
+            parser.set_defaults(cmake_generator='Ninja', no_source_tarball=True)
 
         parser.add_argument('-c', '--cmake-opts', nargs=argparse.REMAINDER,
                             help='Additional CMake options (no other arguments can be specified after this).')
@@ -530,6 +586,7 @@ def run(self, version, src_dir, output_dir, tag_name, snapshot, no_source_tarbal
             '-DCMAKE_INSTALL_PREFIX=' + kwargs['install_prefix'],
             '-DWITH_TESTS=OFF',
             '-DWITH_GUI_TESTS=OFF',
+            '-DX_VCPKG_APPLOCAL_DEPS_INSTALL=ON',
         ]
         if not kwargs['use_system_deps'] and not kwargs.get('docker_image'):
             cmake_opts.append(f'-DCMAKE_TOOLCHAIN_FILE={self._get_vcpkg_toolchain_file()}')
@@ -567,7 +624,11 @@ def run(self, version, src_dir, output_dir, tag_name, snapshot, no_source_tarbal
     def _get_vcpkg_toolchain_file(path=None):
         vcpkg = shutil.which('vcpkg', path=path)
         if not vcpkg:
-            raise Error('vcpkg not found in PATH (use --use-system-deps to build with system dependencies instead).')
+            # Check the VCPKG_ROOT environment variable
+            if 'VCPKG_ROOT' in os.environ:
+                vcpkg = Path(os.environ['VCPKG_ROOT']) / 'vcpkg'
+            else:
+                raise Error('vcpkg not found in PATH (use --use-system-deps to build with system dependencies instead).')
         toolchain = Path(vcpkg).parent / 'scripts' / 'buildsystems' / 'vcpkg.cmake'
         if not toolchain.is_file():
             raise Error('Toolchain file not found in vcpkg installation directory.')
@@ -605,11 +666,38 @@ def build_source_tarball(self, version, tag_name, src_dir, output_dir):
         _run([comp, '-6', '--force', str(output_file.absolute())], cwd=src_dir)
 
     # noinspection PyMethodMayBeStatic
-    def build_windows(self, version, src_dir, output_dir, *, parallelism, cmake_opts, **_):
-        pass
+    def build_windows(self, version, src_dir, output_dir, *, parallelism, cmake_opts, platform_target, sign, sign_cert, **_):
+        # Check for required tools
+        if not _cmd_exists('candle.exe') or not _cmd_exists('light.exe') or not _cmd_exists('heat.exe'):
+            raise Error('WiX Toolset not found on the PATH (candle.exe, light.exe, heat.exe).')
+        
+        # Setup build signing if requested
+        if sign:
+            cmake_opts.append('-DWITH_XC_SIGNINSTALL=ON')
+            cmake_opts.append(f'-DWITH_XC_SIGNINSTALL_CERT={sign_cert}')
+        
+        # Find Visual Studio and capture build environment
+        vs_cmd = _find_vs_dev_cmd()
+        vs_env = _capture_vs_env(vs_cmd, arch=platform_target)
+        
+        # Start the build
+        with tempfile.TemporaryDirectory() as build_dir:
+            # NOTE: Shell must be True on Windows to run the command in the provided vs_env
+            logger.info('Configuring build...')
+            _run(['cmake', *cmake_opts, str(src_dir)], cwd=build_dir, env=vs_env, shell=True, capture_output=False)
+
+            logger.info('Compiling sources...')
+            _run(['cmake', '--build', '.', f'--parallel', str(parallelism)], cwd=build_dir, env=vs_env, shell=True, capture_output=False)
+
+            logger.info('Packaging application...')
+            _run(['cpack', '-G', 'ZIP;WIX'], cwd=build_dir, env=vs_env, shell=True, capture_output=False)
+            
+            output_files = list(Path(build_dir).glob("*.zip")) + list(Path(build_dir).glob("*.msi"))
+            for output_file in output_files:
+                output_file.rename(output_dir / output_file.name)
 
     # noinspection PyMethodMayBeStatic
-    def build_macos(self, version, src_dir, output_dir, *,  use_system_deps, parallelism, cmake_opts,
+    def build_macos(self, version, src_dir, output_dir, *, use_system_deps, parallelism, cmake_opts,
                     macos_target, platform_target, **_):
         if not use_system_deps:
             cmake_opts.append(f'-DVCPKG_TARGET_TRIPLET={platform_target.replace("86_", "")}-osx-dynamic-release')
@@ -763,7 +851,18 @@ def run(self, file, identity, src_dir, **kwargs):
         logger.info('All done.')
 
     def sign_windows(self, file, identity, src_dir):
-        pass
+        # Check for signtool
+        if not _cmd_exists('signtool.exe'):
+            raise Error('signtool was not found on the PATH.')
+        
+        signtool_args = ['signtool', 'sign', '/fd', 'sha256', '/tr', 'http://timestamp.digicert.com', '/td', 'sha256']
+        if not identity:
+            signtool_args += ['/a']
+        else:
+            signtool_args += ['/sha1', identity]
+        signtool_args += ['/d', file.name, str(file.resolve())]
+
+        _run(signtool_args, cwd=src_dir, capture_output=False, shell=True)
 
     # noinspection PyMethodMayBeStatic
     def _macos_validate_keychain_profile(self, keychain_profile):

release-tool.py

@@ -482,8 +482,9 @@ if(WIN32)
             "${CMAKE_SOURCE_DIR}/LICENSE.GPL-2"
             "${CMAKE_CURRENT_BINARY_DIR}/INSTALLER_LICENSE.txt")
 
-    # Prepare portal zip file
-    set(CPACK_INSTALL_SCRIPTS "${CMAKE_SOURCE_DIR}/cmake/MakePortableZip.cmake")
+    # Prepare post-install script and set to run prior to building cpack installers
+    configure_file("${CMAKE_SOURCE_DIR}/cmake/WindowsPostInstall.cmake.in" "${CMAKE_BINARY_DIR}/WindowsPostInstall.cmake" @ONLY)
+    set(CPACK_PRE_BUILD_SCRIPTS "${CMAKE_BINARY_DIR}/WindowsPostInstall.cmake")
 
     string(REGEX REPLACE "-.*$" "" KEEPASSXC_VERSION_CLEAN ${KEEPASSXC_VERSION})