osslsigncode/cmake/SetCompilerFlags.cmake

include(CheckCCompilerFlag)

function(add_compile_flags_target target)
  if (CMAKE_C_COMPILER_ID MATCHES "Clang|AppleClang|GNU" )
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-ggdb -g>)
  endif()

  if(CMAKE_C_COMPILER_ID MATCHES "GNU|Clang")
    # Support address space layout randomization (ASLR)
    target_compile_options(${target} PRIVATE -fPIE)
    check_c_compiler_flag("-fstack-protector-all"  HAVE_STACK_PROTECTOR_ALL)
    if(HAVE_STACK_PROTECTOR_ALL)
      target_link_options(${target} PRIVATE -fstack-protector-all)
    else()
      check_c_compiler_flag("-fstack-protector"    HAVE_STACK_PROTECTOR)
      if(HAVE_STACK_PROTECTOR)
        target_link_options(${target} PRIVATE -fstack-protector)
      else()
        message(WARNING "No stack protection supported")
      endif()
    endif()
    target_link_options(${target} PRIVATE -fstack-check)
    target_link_options(${target} PRIVATE -fPIE -pie)
    target_link_options(${target} PRIVATE -Wl,-z,relro)
    target_link_options(${target} PRIVATE -Wl,-z,now)
    target_link_options(${target} PRIVATE -Wl,-z,noexecstack)

    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-O2>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-pedantic>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wno-long-long>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wconversion>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-D_FORTIFY_SOURCE=2>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wformat=2>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wundef>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wshadow>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wredundant-decls>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wcast-qual>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wnull-dereference>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wmissing-declarations>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wmissing-prototypes>)
  endif()

  if(CMAKE_C_COMPILER_ID MATCHES "GNU")
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wall>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wextra>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wno-deprecated-declarations>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wstrict-aliasing=3>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wstrict-overflow=2>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wlogical-op>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wwrite-strings>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wcast-align=strict>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wdisabled-optimization>)
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:-Wshift-overflow=2>)
  endif()

  if(MSVC)
    # Enable parallel builds
    add_definitions(/MP)
    # Use address space layout randomization, generate PIE code for ASLR (default on)
    target_link_options(${target} PRIVATE /DYNAMICBASE)
    # Create terminal server aware application (default on)
    target_link_options(${target} PRIVATE /TSAWARE)
    # Mark the binary as compatible with Intel Control-flow Enforcement Technology (CET) Shadow Stack
    target_link_options(${target} PRIVATE /CETCOMPAT)
    # Enable compiler generation of Control Flow Guard security checks
    target_compile_options(${target} PRIVATE /guard:cf)
    target_link_options(${target} PRIVATE /guard:cf)
    # Buffer Security Check
    target_compile_options(${target} PRIVATE /GS)
    # Suppress startup banner
    target_link_options(${target} PRIVATE /NOLOGO)
    # Generate debug info
    target_link_options(${target} PRIVATE /DEBUG)
    if("${CMAKE_SIZEOF_VOID_P}" STREQUAL "8")
      # High entropy ASLR for 64 bits targets (default on)
      target_link_options(${target} PRIVATE /HIGHENTROPYVA)
      # Enable generation of EH Continuation (EHCONT) metadata by the compiler
      target_compile_options(${target} PRIVATE /guard:ehcont)
      target_link_options(${target} PRIVATE /guard:ehcont)
    else()
      # Can handle addresses larger than 2 gigabytes
      target_link_options(${target} PRIVATE /LARGEADDRESSAWARE)
      # Safe structured exception handlers (x86 only)
      target_link_options(${target} PRIVATE /SAFESEH)
    endif()
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:/D_FORTIFY_SOURCE=2>)
    # Unrecognized compiler options are errors
    target_compile_options(${target} PRIVATE $<$<CONFIG:DEBUG>:/options:strict>)
  endif()
endfunction()

add_compile_flags_target(osslsigncode)