
Using Shake, I want to define a rule that depends on a bunch of executables (e.g. exe, dll, etc.). However, before using them, they need to be digitally signed. Since "signing" doesn't actually produce a new file, how can I ensure that my rule depends only on files after they have been signed?

Edit: Disambiguation is in order. My rules generate some of these files, but not all of them. Some are third-party and are part of our repository. So somehow I need to depend on those static files after they have been signed.

Elliot Cameron
  • I just noticed this edit came in after my answer. I think the answer covers that too, you should copy them when signing them. Let me know if it still isn't clear. – Neil Mitchell Oct 25 '14 at 07:20
  • Thanks. Yes, simply copying them is definitely superior to in-place changes. To help cut down zero-change build times, I've added a simple "task" interface atop Shake's built-in rules that merely touches a temp file. It's like "phony" but can actually be skipped if no dependencies have changed. – Elliot Cameron Oct 25 '14 at 19:54
  • Sounds sensible - generally depending on a phony rule is a bad idea, because it isn't dependency tracked. – Neil Mitchell Oct 26 '14 at 16:29

1 Answer

One simple approach is to make the signing step do a copy first, so:

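    -- Copy the unsigned file, then sign the copy. copyFile' is Shake's Action
    -- version of copyFile and also tracks the source file as a dependency.
    "signed//*" *> \out -> do
        copyFile' ("unsigned" </> dropDirectory1 out) out
        cmd "signer" out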

Another is to generate a file when signing that serves as a reminder the file has been signed:

    -- Write an empty marker file next to the program, then sign the program in place.
    "programs//*.key" *> \out -> do
        writeFile' out ""
        cmd "signer" $ dropExtension out

The second formulation is discouraged since generally rules shouldn't modify the value produced by other rules - it's easy to get excessive rebuilds (I think you probably would here).

If you extra files, for exes you generate, just generate and sign them in one step - that's a fairly common pattern if you are generating a file and then editing its properties (editbin on Windows). For files you don't generate, you could sign them before you check them in, but modifying source files in the repo (which is what the 3rd party stuff looks like) is probably a bad idea anyway, so a copy is probably better.

Neil Mitchell
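The copy-then-sign approach from the answer, extended to cover both generated and checked-in third-party binaries, as an added example that is not code from the original question or answer. It uses `%>`, the current name of the operator the answer writes as `*>`; the directory layout, file names, the `cc` build step and the `signer` command line are assumptions.

```haskell
-- Added example (not from the original post). All paths and file names are
-- constructed; "signer" stands in for whatever signing tool is in use.
import Development.Shake
import Development.Shake.FilePath

-- Binaries that live in the repository and are never produced by a rule.
thirdParty :: [FilePath]
thirdParty = ["vendor.dll"]

main :: IO ()
main = shakeArgs shakeOptions{shakeFiles = "_build"} $ do
    want ["_build/package.stamp"]

    -- Downstream rules name only _build/signed/ paths, so they can never
    -- pick up an unsigned binary. The stamp file plays the role of the
    -- skippable "task" described in the comments: it is rebuilt only when
    -- one of the signed inputs changes.
    "_build/package.stamp" %> \out -> do
        need ["_build/signed/app.exe", "_build/signed/vendor.dll"]
        writeFile' out ""

    -- One signing rule for every binary. The source is either the checked-in
    -- third-party file or the output of a build rule; copyFile' records it as
    -- a dependency, so a changed input is copied and signed again. The file in
    -- the repository is never modified.
    "_build/signed/*" %> \out -> do
        let name = takeFileName out
            src | name `elem` thirdParty = "thirdparty" </> name
                | otherwise              = "_build/unsigned" </> name
        copyFile' src out
        cmd_ "signer" [out]

    -- A generated binary lands in _build/unsigned/ and is only consumed by
    -- the signing rule above.
    "_build/unsigned/app.exe" %> \out -> do
        need ["src/app.c"]
        cmd_ "cc" ["-o", out, "src/app.c"]
```

If `signer` exits with a non-zero status, the rule fails and Shake does not treat the file under `_build/signed/` as built, so the packaging rule does not run against it.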