Push diff

.buildkite/ci.mjs

@@ -11,6 +11,7 @@ import {
   getBuildkiteEmoji,
   getBuildMetadata,
   getBuildNumber,
+  getCanaryRevision,
   getCommitMessage,
   getEmoji,
   getEnv,
@@ -43,7 +44,7 @@ import {
  * @property {Arch} arch
  * @property {Abi} [abi]
  * @property {boolean} [baseline]
- * @property {boolean} [canary]
+ * @property {number} [canary]
  * @property {Profile} [profile]
  */
 
@@ -91,7 +92,7 @@ function getTargetLabel(target) {
  * @property {Arch} arch
  * @property {Abi} [abi]
  * @property {boolean} [baseline]
- * @property {boolean} [canary]
+ * @property {number} [canary]
  * @property {Profile} [profile]
  * @property {Distro} [distro]
  * @property {string} release
@@ -103,15 +104,15 @@ function getTargetLabel(target) {
  */
 const buildPlatforms = [
   { os: "darwin", arch: "aarch64", release: "14" },
-  { os: "darwin", arch: "x64", release: "14" },
-  { os: "linux", arch: "aarch64", distro: "debian", release: "11" },
-  { os: "linux", arch: "x64", distro: "debian", release: "11" },
-  { os: "linux", arch: "x64", baseline: true, distro: "debian", release: "11" },
-  { os: "linux", arch: "aarch64", abi: "musl", distro: "alpine", release: "3.20" },
-  { os: "linux", arch: "x64", abi: "musl", distro: "alpine", release: "3.20" },
-  { os: "linux", arch: "x64", abi: "musl", baseline: true, distro: "alpine", release: "3.20" },
-  { os: "windows", arch: "x64", release: "2019" },
-  { os: "windows", arch: "x64", baseline: true, release: "2019" },
+  // { os: "darwin", arch: "x64", release: "14" },
+  // { os: "linux", arch: "aarch64", distro: "debian", release: "11" },
+  // { os: "linux", arch: "x64", distro: "debian", release: "11" },
+  // { os: "linux", arch: "x64", baseline: true, distro: "debian", release: "11" },
+  // { os: "linux", arch: "aarch64", abi: "musl", distro: "alpine", release: "3.20" },
+  // { os: "linux", arch: "x64", abi: "musl", distro: "alpine", release: "3.20" },
+  // { os: "linux", arch: "x64", abi: "musl", baseline: true, distro: "alpine", release: "3.20" },
+  // { os: "windows", arch: "x64", release: "2019" },
+  // { os: "windows", arch: "x64", baseline: true, release: "2019" },
 ];
 
 /**
@@ -119,33 +120,33 @@ const buildPlatforms = [
  */
 const testPlatforms = [
   { os: "darwin", arch: "aarch64", release: "14", tier: "latest" },
-  { os: "darwin", arch: "aarch64", release: "13", tier: "previous" },
-  { os: "darwin", arch: "x64", release: "14", tier: "latest" },
-  { os: "darwin", arch: "x64", release: "13", tier: "previous" },
-  { os: "linux", arch: "aarch64", distro: "debian", release: "12", tier: "latest" },
-  { os: "linux", arch: "aarch64", distro: "debian", release: "11", tier: "previous" },
-  { os: "linux", arch: "x64", distro: "debian", release: "12", tier: "latest" },
-  { os: "linux", arch: "x64", distro: "debian", release: "11", tier: "previous" },
-  { os: "linux", arch: "x64", baseline: true, distro: "debian", release: "12", tier: "latest" },
-  { os: "linux", arch: "x64", baseline: true, distro: "debian", release: "11", tier: "previous" },
-  { os: "linux", arch: "aarch64", distro: "ubuntu", release: "24.04", tier: "latest" },
-  { os: "linux", arch: "aarch64", distro: "ubuntu", release: "22.04", tier: "previous" },
-  { os: "linux", arch: "aarch64", distro: "ubuntu", release: "20.04", tier: "oldest" },
-  { os: "linux", arch: "x64", distro: "ubuntu", release: "24.04", tier: "latest" },
-  { os: "linux", arch: "x64", distro: "ubuntu", release: "22.04", tier: "previous" },
-  { os: "linux", arch: "x64", distro: "ubuntu", release: "20.04", tier: "oldest" },
-  { os: "linux", arch: "x64", baseline: true, distro: "ubuntu", release: "24.04", tier: "latest" },
-  { os: "linux", arch: "x64", baseline: true, distro: "ubuntu", release: "22.04", tier: "previous" },
-  { os: "linux", arch: "x64", baseline: true, distro: "ubuntu", release: "20.04", tier: "oldest" },
-  { os: "linux", arch: "aarch64", abi: "musl", distro: "alpine", release: "3.20", tier: "latest" },
-  { os: "linux", arch: "x64", abi: "musl", distro: "alpine", release: "3.20", tier: "latest" },
-  { os: "linux", arch: "x64", abi: "musl", baseline: true, distro: "alpine", release: "3.20", tier: "latest" },
-  { os: "windows", arch: "x64", release: "2025", tier: "latest" },
-  { os: "windows", arch: "x64", release: "2022", tier: "previous" },
-  { os: "windows", arch: "x64", release: "2019", tier: "oldest" },
-  { os: "windows", arch: "x64", release: "2025", baseline: true, tier: "latest" },
-  { os: "windows", arch: "x64", release: "2022", baseline: true, tier: "previous" },
-  { os: "windows", arch: "x64", release: "2019", baseline: true, tier: "oldest" },
+  // { os: "darwin", arch: "aarch64", release: "13", tier: "previous" },
+  // { os: "darwin", arch: "x64", release: "14", tier: "latest" },
+  // { os: "darwin", arch: "x64", release: "13", tier: "previous" },
+  // { os: "linux", arch: "aarch64", distro: "debian", release: "12", tier: "latest" },
+  // { os: "linux", arch: "aarch64", distro: "debian", release: "11", tier: "previous" },
+  // { os: "linux", arch: "x64", distro: "debian", release: "12", tier: "latest" },
+  // { os: "linux", arch: "x64", distro: "debian", release: "11", tier: "previous" },
+  // { os: "linux", arch: "x64", baseline: true, distro: "debian", release: "12", tier: "latest" },
+  // { os: "linux", arch: "x64", baseline: true, distro: "debian", release: "11", tier: "previous" },
+  // { os: "linux", arch: "aarch64", distro: "ubuntu", release: "24.04", tier: "latest" },
+  // { os: "linux", arch: "aarch64", distro: "ubuntu", release: "22.04", tier: "previous" },
+  // { os: "linux", arch: "aarch64", distro: "ubuntu", release: "20.04", tier: "oldest" },
+  // { os: "linux", arch: "x64", distro: "ubuntu", release: "24.04", tier: "latest" },
+  // { os: "linux", arch: "x64", distro: "ubuntu", release: "22.04", tier: "previous" },
+  // { os: "linux", arch: "x64", distro: "ubuntu", release: "20.04", tier: "oldest" },
+  // { os: "linux", arch: "x64", baseline: true, distro: "ubuntu", release: "24.04", tier: "latest" },
+  // { os: "linux", arch: "x64", baseline: true, distro: "ubuntu", release: "22.04", tier: "previous" },
+  // { os: "linux", arch: "x64", baseline: true, distro: "ubuntu", release: "20.04", tier: "oldest" },
+  // { os: "linux", arch: "aarch64", abi: "musl", distro: "alpine", release: "3.20", tier: "latest" },
+  // { os: "linux", arch: "x64", abi: "musl", distro: "alpine", release: "3.20", tier: "latest" },
+  // { os: "linux", arch: "x64", abi: "musl", baseline: true, distro: "alpine", release: "3.20", tier: "latest" },
+  // { os: "windows", arch: "x64", release: "2025", tier: "latest" },
+  // { os: "windows", arch: "x64", release: "2022", tier: "previous" },
+  // { os: "windows", arch: "x64", release: "2019", tier: "oldest" },
+  // { os: "windows", arch: "x64", release: "2025", baseline: true, tier: "latest" },
+  // { os: "windows", arch: "x64", release: "2022", baseline: true, tier: "previous" },
+  // { os: "windows", arch: "x64", release: "2019", baseline: true, tier: "oldest" },
 ];
 
 /**
@@ -386,14 +387,18 @@ function getTestAgent(platform) {
 function getBuildEnv(target) {
   const { profile, baseline, canary, abi } = target;
   const release = !profile || profile === "release";
+  const revision = typeof canary === "undefined" ? 1 : canary;
 
   return {
     CMAKE_BUILD_TYPE: release ? "Release" : profile === "debug" ? "Debug" : "RelWithDebInfo",
     ENABLE_BASELINE: baseline ? "ON" : "OFF",
-    ENABLE_CANARY: canary ? "ON" : "OFF",
+    ENABLE_CANARY: revision > 0 ? "ON" : "OFF",
+    CANARY_REVISION: revision.toFixed(),
     ENABLE_ASSERTIONS: release ? "OFF" : "ON",
     ENABLE_LOGS: release ? "OFF" : "ON",
     ABI: abi === "musl" ? "musl" : undefined,
+    // HACK to speed up CI testing
+    BUILDKITE_BUILD_ID_OVERRIDE: "7484",
   };
 }
 
@@ -408,7 +413,10 @@ function getBuildVendorStep(platform) {
     agents: getCppAgent(platform),
     retry: getRetry(),
     cancel_on_build_failing: isMergeQueue(),
-    env: getBuildEnv(platform),
+    env: {
+      ...getBuildEnv(platform),
+      ENABLE_CODESIGN: "OFF",
+    },
     command: "bun run build:ci --target dependencies",
   };
 }
@@ -425,8 +433,9 @@ function getBuildCppStep(platform) {
     retry: getRetry(),
     cancel_on_build_failing: isMergeQueue(),
     env: {
-      BUN_CPP_ONLY: "ON",
       ...getBuildEnv(platform),
+      BUN_CPP_ONLY: "ON",
+      ENABLE_CODESIGN: "OFF",
     },
     command: "bun run build:ci --target bun",
   };
@@ -460,7 +469,10 @@ function getBuildZigStep(platform) {
     agents: getZigAgent(platform),
     retry: getRetry(),
     cancel_on_build_failing: isMergeQueue(),
-    env: getBuildEnv(platform),
+    env: {
+      ...getBuildEnv(platform),
+      ENABLE_CODESIGN: "OFF",
+    },
     command: `bun run build:ci --target bun-zig --toolchain ${toolchain}`,
   };
 }
@@ -473,17 +485,17 @@ function getLinkBunStep(platform) {
   return {
     key: `${getTargetKey(platform)}-build-bun`,
     label: `${getTargetLabel(platform)} - build-bun`,
-    depends_on: [
-      `${getTargetKey(platform)}-build-vendor`,
-      `${getTargetKey(platform)}-build-cpp`,
-      `${getTargetKey(platform)}-build-zig`,
-    ],
+    // depends_on: [
+    //   `${getTargetKey(platform)}-build-vendor`,
+    //   `${getTargetKey(platform)}-build-cpp`,
+    //   `${getTargetKey(platform)}-build-zig`,
+    // ],
     agents: getCppAgent(platform),
     retry: getRetry(),
     cancel_on_build_failing: isMergeQueue(),
     env: {
-      BUN_LINK_ONLY: "ON",
       ...getBuildEnv(platform),
+      BUN_LINK_ONLY: "ON",
     },
     command: "bun run build:ci --target bun",
   };
@@ -926,7 +938,7 @@ async function getPipelineOptions() {
     const buildPlatformKeys = parseArray(options["build-platforms"]);
     const testPlatformKeys = parseArray(options["test-platforms"]);
     return {
-      canary: parseBoolean(options["canary"]),
+      canary: parseBoolean(options["canary"]) ? await getCanaryRevision() : 0,
       skipBuilds: parseBoolean(options["skip-builds"]),
       forceBuilds: parseBoolean(options["force-builds"]),
       skipTests: parseBoolean(options["skip-tests"]),
@@ -960,10 +972,11 @@ async function getPipelineOptions() {
     return false;
   };
 
+  const canary =
+    !parseBoolean(getEnv("RELEASE", false) || "false") &&
+    !/\[(release|build release|release build)\]/i.test(commitMessage);
   return {
-    canary:
-      !parseBoolean(getEnv("RELEASE", false) || "false") &&
-      !/\[(release|build release|release build)\]/i.test(commitMessage),
+    canary: canary ? await getCanaryRevision() : 0,
     skipEverything: parseOption(/\[(skip ci|no ci)\]/i),
     skipBuilds: parseOption(/\[(skip builds?|no builds?|only tests?)\]/i),
     forceBuilds: parseOption(/\[(force builds?)\]/i),
@@ -1042,9 +1055,9 @@ async function getPipeline(options = {}) {
               steps: unifiedBuilds
                 ? [getBuildBunStep(target)]
                 : [
-                    getBuildVendorStep(target),
-                    getBuildCppStep(target),
-                    getBuildZigStep(target),
+                    // getBuildVendorStep(target),
+                    // getBuildCppStep(target),
+                    // getBuildZigStep(target),
                     getLinkBunStep(target),
                   ],
             },

CMakeLists.txt

@@ -14,9 +14,6 @@ include(Globals)
 
 # --- Compilers ---
 
-if(CMAKE_HOST_APPLE)
-  include(SetupMacSDK)
-endif()
 include(SetupLLVM)
 include(SetupCcache)
 
@@ -36,6 +33,7 @@ include(SetupBun)
 include(SetupEsbuild)
 include(SetupZig)
 include(SetupRust)
+include(SetupCodesign)
 
 # --- Targets ---
 

cmake/Globals.cmake

@@ -24,8 +24,9 @@ endmacro()
 #   PREVIEW     string - The preview value of the variable
 #   REGEX       string - The regex to match the value
 #   REQUIRED    bool   - Whether the variable is required
+#   SECRET      bool   - Whether the variable is secret
 macro(optionx variable type description)
-  set(options REQUIRED)
+  set(options REQUIRED SECRET)
   set(oneValueArgs DEFAULT PREVIEW REGEX)
   set(multiValueArgs)
   cmake_parse_arguments(${variable} "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN})
@@ -51,6 +52,27 @@ macro(optionx variable type description)
     set(${variable}_PREVIEW ${variable})
   endif()
 
+  if(${variable}_SECRET AND NOT ${variable})
+    set(${variable}_SOURCE "secret")
+    set(${variable}_PREVIEW ${variable})
+    if(BUILDKITE)
+      execute_process(
+        COMMAND buildkite-agent secret get "${variable}"
+        OUTPUT_VARIABLE ${variable}
+        OUTPUT_STRIP_TRAILING_WHITESPACE
+        ERROR_VARIABLE ${variable}_ERROR
+        ERROR_STRIP_TRAILING_WHITESPACE
+      )
+      if(${variable}_ERROR)
+        message(FATAL_ERROR "Failed to get secret ${variable}: ${${variable}_ERROR}")
+      endif()
+    endif()
+  endif()
+
+  if(${${variable}_REQUIRED} AND NOT DEFINED ${variable})
+    message(FATAL_ERROR "Required ${${variable}_SOURCE} is missing: please set, ${${variable}_PREVIEW}=<${${variable}_REGEX}>")
+  endif()
+
   if(NOT ${variable} AND ${${variable}_REQUIRED})
     message(FATAL_ERROR "Required ${${variable}_SOURCE} is missing: please set, ${${variable}_PREVIEW}=<${${variable}_REGEX}>")
   endif()
@@ -65,8 +87,10 @@ macro(optionx variable type description)
     endif()
   endif()
 
-  if(DEFINED ${variable}_REGEX AND NOT "^(${${variable}_REGEX})$" MATCHES "${${variable}}")
-    message(FATAL_ERROR "Invalid ${${variable}_SOURCE}: ${${variable}_PREVIEW}=\"${${variable}}\", please use ${${variable}_PREVIEW}=<${${variable}_REGEX}>")
+  if(DEFINED ${variable}_REGEX)
+    if(NOT "^(${${variable}_REGEX})$" MATCHES "${${variable}}")
+      message(FATAL_ERROR "Invalid ${${variable}_SOURCE}: ${${variable}_PREVIEW}=\"${${variable}}\", please use ${${variable}_PREVIEW}=<${${variable}_REGEX}>")
+    endif()
   endif()
 
   if(NOT ${variable}_VALUE STREQUAL ${variable})

cmake/Options.cmake

@@ -67,13 +67,7 @@ optionx(ENABLE_ASSERTIONS BOOL "If debug assertions should be enabled" DEFAULT $
 
 optionx(ENABLE_CANARY BOOL "If canary features should be enabled" DEFAULT ON)
 
-if(ENABLE_CANARY AND BUILDKITE)
-  execute_process(
-    COMMAND buildkite-agent meta-data get "canary"
-    OUTPUT_VARIABLE DEFAULT_CANARY_REVISION
-    OUTPUT_STRIP_TRAILING_WHITESPACE
-  )
-elseif(ENABLE_CANARY)
+if(ENABLE_CANARY)
   set(DEFAULT_CANARY_REVISION "1")
 else()
   set(DEFAULT_CANARY_REVISION "0")

cmake/targets/BuildBun.cmake

@@ -1096,6 +1096,77 @@ if(NOT BUN_CPP_ONLY)
       OUTPUTS
         ${BUILD_PATH}/${bunStripExe}
     )
+
+    if(ENABLE_CODESIGN AND APPLE)
+      register_command(
+        TARGET
+          ${bun}
+        TARGET_PHASE
+          POST_BUILD
+        COMMENT
+          "Signing ${bunStripExe}"
+        COMMAND
+          ${CODESIGN_PROGRAM}
+            ${bunStripExe}
+            --sign ${APPLE_CODESIGN_IDENTITY}
+            --keychain ${APPLE_CODESIGN_KEYCHAIN_PATH}
+            --entitlements ${CWD}/entitlements.plist
+            --options runtime
+            --force
+            --timestamp
+            -vvvv
+            --deep
+            --strict
+        ALWAYS_RUN
+      )
+    endif()
+  endif()
+
+  if(APPLE AND bunStrip)
+    register_command(
+      TARGET
+        ${bun}
+      TARGET_PHASE
+        POST_BUILD
+      COMMENT
+        "Generating ${bun}.dSYM"
+      COMMAND
+        ${CMAKE_DSYMUTIL}
+          ${bunExe}
+          --flat
+          --keep-function-for-static
+          --object-prefix-map .=${CWD}
+          -o ${bun}.dSYM
+          -j ${CMAKE_BUILD_PARALLEL_LEVEL}
+      CWD
+        ${BUILD_PATH}
+      OUTPUTS
+        ${BUILD_PATH}/${bun}.dSYM
+    )
+  endif()
+
+  if(ENABLE_CODESIGN AND APPLE)
+    register_command(
+      TARGET
+        ${bun}
+      TARGET_PHASE
+        POST_BUILD
+      COMMENT
+        "Signing ${bunExe}"
+      COMMAND
+        ${CODESIGN_PROGRAM}
+          ${bunExe}
+          --sign ${APPLE_CODESIGN_IDENTITY}
+          --keychain ${APPLE_CODESIGN_KEYCHAIN_PATH}
+          --entitlements ${CWD}/entitlements.debug.plist
+          --options runtime
+          --force
+          --timestamp
+          -vvvv
+          --deep
+          --strict
+      ALWAYS_RUN
+    )
   endif()
 
   register_command(
@@ -1138,29 +1209,6 @@ if(NOT BUN_CPP_ONLY)
     )
   endif()
 
-  if(CMAKE_HOST_APPLE AND bunStrip)
-    register_command(
-      TARGET
-        ${bun}
-      TARGET_PHASE
-        POST_BUILD
-      COMMENT
-        "Generating ${bun}.dSYM"
-      COMMAND
-        ${CMAKE_DSYMUTIL}
-          ${bun}
-          --flat
-          --keep-function-for-static
-          --object-prefix-map .=${CWD}
-          -o ${bun}.dSYM
-          -j ${CMAKE_BUILD_PARALLEL_LEVEL}
-      CWD
-        ${BUILD_PATH}
-      OUTPUTS
-        ${BUILD_PATH}/${bun}.dSYM
-    )
-  endif()
-
   if(CI)
     set(bunTriplet bun-${OS}-${ARCH})
     if(LINUX AND ABI STREQUAL "musl")
@@ -1170,7 +1218,9 @@ if(NOT BUN_CPP_ONLY)
       set(bunTriplet ${bunTriplet}-baseline)
     endif()
     string(REPLACE bun ${bunTriplet} bunPath ${bun})
+
     set(bunFiles ${bunExe} features.json)
+
     if(WIN32)
       list(APPEND bunFiles ${bun}.pdb)
     elseif(APPLE)
@@ -1181,7 +1231,6 @@ if(NOT BUN_CPP_ONLY)
       list(APPEND bunFiles ${bun}.linker-map)
     endif()
 
-
     register_command(
       TARGET
         ${bun}
@@ -1201,6 +1250,24 @@ if(NOT BUN_CPP_ONLY)
         ${BUILD_PATH}/${bunPath}.zip
     )
 
+    if(ENABLE_CODESIGN AND APPLE)
+      register_command(
+        TARGET
+          ${bun}
+        TARGET_PHASE
+          POST_BUILD
+        COMMENT
+          "Signing ${bunPath}.zip"
+        COMMAND
+          ${CMAKE_COMMAND} -E rm -rf ${bunPath}.zip
+          && ${DITTO_PROGRAM} -ck --rsrc --sequesterRsrc --keepParent ${bunPath} ${bunPath}.zip
+        CWD
+          ${BUILD_PATH}
+        ARTIFACTS
+          ${BUILD_PATH}/${bunPath}.zip
+      )
+    endif()
+
     if(bunStrip)
       string(REPLACE bun ${bunTriplet} bunStripPath ${bunStrip})
       register_command(
@@ -1221,6 +1288,24 @@ if(NOT BUN_CPP_ONLY)
         ARTIFACTS
           ${BUILD_PATH}/${bunStripPath}.zip
       )
+
+      if(ENABLE_CODESIGN AND APPLE)
+        register_command(
+          TARGET
+            ${bun}
+          TARGET_PHASE
+            POST_BUILD
+          COMMENT
+            "Signing ${bunStripPath}.zip"
+          COMMAND
+            ${CMAKE_COMMAND} -E rm -rf ${bunStripPath}.zip
+            && ${DITTO_PROGRAM} -ck --rsrc --sequesterRsrc --keepParent ${bunStripPath} ${bunStripPath}.zip
+          CWD
+            ${BUILD_PATH}
+          ARTIFACTS
+            ${BUILD_PATH}/${bunStripPath}.zip
+        )
+      endif()
     endif()
   endif()
 endif()

cmake/tools/SetupCodesign.cmake

@@ -0,0 +1,154 @@
+optionx(ENABLE_CODESIGN BOOL "Enable code signing" DEFAULT ${CI})
+
+if(ENABLE_CODESIGN AND APPLE)
+  find_command(VARIABLE SECURITY_PROGRAM COMMAND security REQUIRED)
+  find_command(VARIABLE CODESIGN_PROGRAM COMMAND codesign REQUIRED)
+  find_command(VARIABLE DITTO_PROGRAM COMMAND ditto REQUIRED)
+
+  set(DEFAULT_APPLE_CODESIGN_KEYCHAIN_PATH ${BUILD_PATH}/apple-codesign-keychain.db)
+  optionx(APPLE_CODESIGN_KEYCHAIN_PATH FILEPATH "Path to the keychain to use for code signing" DEFAULT ${DEFAULT_APPLE_CODESIGN_KEYCHAIN_PATH})
+  get_filename_component(APPLE_CODESIGN_KEYCHAIN_FILENAME ${APPLE_CODESIGN_KEYCHAIN_PATH} NAME)
+
+  if(APPLE_CODESIGN_KEYCHAIN_PATH STREQUAL "${DEFAULT_APPLE_CODESIGN_KEYCHAIN_PATH}")
+    set(APPLE_CODESIGN_KEYCHAIN_PASSWORD "")
+  else()
+    optionx(APPLE_CODESIGN_KEYCHAIN_PASSWORD STRING "Password for the keychain" DEFAULT "" SECRET)
+  endif()
+
+  if(NOT EXISTS ${APPLE_CODESIGN_KEYCHAIN_PATH})
+    execute_process(
+      COMMAND ${SECURITY_PROGRAM} create-keychain -p "${APPLE_CODESIGN_KEYCHAIN_PASSWORD}" ${APPLE_CODESIGN_KEYCHAIN_PATH}
+      COMMAND_ECHO STDOUT
+      OUTPUT_QUIET
+      ERROR_VARIABLE CREATE_KEYCHAIN_ERROR
+      ERROR_STRIP_TRAILING_WHITESPACE
+    )
+
+    if(CREATE_KEYCHAIN_ERROR)
+      message(FATAL_ERROR "Failed to create keychain ${APPLE_CODESIGN_KEYCHAIN_FILENAME}: ${CREATE_KEYCHAIN_ERROR}")
+    endif()
+
+    execute_process(
+      COMMAND ${SECURITY_PROGRAM} set-keychain-settings -l ${APPLE_CODESIGN_KEYCHAIN_PATH}
+      COMMAND_ECHO STDOUT
+      OUTPUT_QUIET
+      ERROR_VARIABLE SET_KEYCHAIN_SETTINGS_ERROR
+      ERROR_STRIP_TRAILING_WHITESPACE
+    )
+
+    if(SET_KEYCHAIN_SETTINGS_ERROR)
+      message(FATAL_ERROR "Failed to set keychain settings for ${APPLE_CODESIGN_KEYCHAIN_FILENAME}: ${SET_KEYCHAIN_SETTINGS_ERROR}")
+    endif()
+  endif()
+
+  execute_process(
+    COMMAND ${SECURITY_PROGRAM} unlock-keychain -p "${APPLE_CODESIGN_KEYCHAIN_PASSWORD}" ${APPLE_CODESIGN_KEYCHAIN_PATH}
+    COMMAND_ECHO STDOUT
+    OUTPUT_QUIET
+    ERROR_VARIABLE UNLOCK_KEYCHAIN_ERROR
+    ERROR_STRIP_TRAILING_WHITESPACE
+  )
+
+  if(UNLOCK_KEYCHAIN_ERROR)
+    message(FATAL_ERROR "Failed to unlock keychain ${APPLE_CODESIGN_KEYCHAIN_FILENAME}: ${UNLOCK_KEYCHAIN_ERROR}")
+  endif()
+
+  optionx(APPLE_CODESIGN_IDENTITY STRING "Code signing identity on macOS (e.g. 'FRXF46ZSN')" SECRET)
+
+  if(NOT APPLE_CODESIGN_IDENTITY)
+    message(FATAL_ERROR "Code signing is enabled, but no APPLE_CODESIGN_IDENTITY is set.\n"
+      "To fix this, either:\n"
+      "  - Set ENABLE_CODESIGN=OFF to disable code signing\n"
+      "  - Find your identity in your keychain and set APPLE_CODESIGN_IDENTITY to the identity's name\n"
+    )
+  endif()
+
+  set(DEFAULT_APPLE_CODESIGN_IDENTITY_PATH ${BUILD_PATH}/apple-codesign-identity.p12)
+  optionx(APPLE_CODESIGN_IDENTITY_PATH FILEPATH "Path to the code signing identity .p12 file" DEFAULT ${DEFAULT_APPLE_CODESIGN_IDENTITY_PATH})
+  optionx(APPLE_CODESIGN_IDENTITY_BASE64 STRING "Base64-encoded code signing identity .p12 file" SECRET)
+
+  if(APPLE_CODESIGN_IDENTITY_BASE64)
+    find_command(VARIABLE BASE64_PROGRAM COMMAND base64 REQUIRED)
+
+    file(WRITE ${APPLE_CODESIGN_IDENTITY_PATH}.base64 "${APPLE_CODESIGN_IDENTITY_BASE64}")
+    execute_process(
+      COMMAND ${BASE64_PROGRAM} --decode -i ${APPLE_CODESIGN_IDENTITY_PATH}.base64 -o ${APPLE_CODESIGN_IDENTITY_PATH}
+      COMMAND_ECHO STDOUT
+      OUTPUT_QUIET
+      ERROR_VARIABLE DECODE_IDENTITY_ERROR
+      ERROR_STRIP_TRAILING_WHITESPACE
+    )
+    file(REMOVE ${APPLE_CODESIGN_IDENTITY_PATH}.base64)
+
+    if(DECODE_IDENTITY_ERROR)
+      message(FATAL_ERROR "Failed to decode base64 identity: ${DECODE_IDENTITY_ERROR}")
+    endif()
+  endif()
+
+  execute_process(
+    COMMAND ${SECURITY_PROGRAM} find-identity -v -p codesigning ${APPLE_CODESIGN_KEYCHAIN_PATH}
+    COMMAND_ECHO STDOUT
+    OUTPUT_VARIABLE FIND_IDENTITY_OUTPUT
+    OUTPUT_STRIP_TRAILING_WHITESPACE
+    ERROR_VARIABLE FIND_IDENTITY_ERROR
+    ERROR_STRIP_TRAILING_WHITESPACE
+  )
+
+  if(FIND_IDENTITY_ERROR)
+    message(FATAL_ERROR "Failed to find identity ${APPLE_CODESIGN_IDENTITY} in keychain ${APPLE_CODESIGN_KEYCHAIN_FILENAME}: ${FIND_IDENTITY_ERROR}")
+  endif()
+
+  optionx(APPLE_CODESIGN_IDENTITY_PASSWORD STRING "Password for the code signing identity .p12 file" DEFAULT "" SECRET)
+
+  if(NOT FIND_IDENTITY_OUTPUT MATCHES "${APPLE_CODESIGN_IDENTITY}")
+    execute_process(
+      COMMAND ${SECURITY_PROGRAM} import ${APPLE_CODESIGN_IDENTITY_PATH} -k ${APPLE_CODESIGN_KEYCHAIN_PATH} -P "${APPLE_CODESIGN_IDENTITY_PASSWORD}" -T ${CODESIGN_PROGRAM}
+      COMMAND_ECHO STDOUT
+      OUTPUT_QUIET
+      ERROR_VARIABLE IMPORT_IDENTITY_ERROR
+      ERROR_STRIP_TRAILING_WHITESPACE
+    )
+
+    if(IMPORT_IDENTITY_ERROR)
+      message(FATAL_ERROR "Failed to import identity ${APPLE_CODESIGN_IDENTITY_PATH}: ${IMPORT_IDENTITY_ERROR}")
+    endif()
+
+    execute_process(
+      COMMAND ${SECURITY_PROGRAM} set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${APPLE_CODESIGN_KEYCHAIN_PASSWORD}" ${APPLE_CODESIGN_KEYCHAIN_PATH}
+      COMMAND_ECHO STDOUT
+      OUTPUT_QUIET
+      ERROR_VARIABLE SET_KEY_PARTITION_LIST_ERROR
+      ERROR_STRIP_TRAILING_WHITESPACE
+    )
+
+    if(SET_KEY_PARTITION_LIST_ERROR)
+      message(FATAL_ERROR "Failed to set key partition list for ${APPLE_CODESIGN_KEYCHAIN_FILENAME}: ${SET_KEY_PARTITION_LIST_ERROR}")
+    endif()
+
+    execute_process(
+      COMMAND ${SECURITY_PROGRAM} find-identity -v -p codesigning ${APPLE_CODESIGN_KEYCHAIN_PATH}
+      COMMAND_ECHO STDOUT
+      OUTPUT_VARIABLE FIND_IDENTITY_OUTPUT
+      OUTPUT_STRIP_TRAILING_WHITESPACE
+      ERROR_VARIABLE FIND_IDENTITY_ERROR
+      ERROR_STRIP_TRAILING_WHITESPACE
+    )
+
+    if(FIND_IDENTITY_ERROR)
+      message(FATAL_ERROR "Failed to find identity ${APPLE_CODESIGN_IDENTITY} in keychain ${APPLE_CODESIGN_KEYCHAIN_FILENAME}: ${FIND_IDENTITY_ERROR}")
+    endif()
+
+    if(NOT FIND_IDENTITY_OUTPUT MATCHES "${APPLE_CODESIGN_IDENTITY}")
+      message(FATAL_ERROR "Code signing is enabled, but no identity was found in your keychain.\n"
+        "To fix this, either:\n"
+        "  - Add the identity to your keychain by running 'security import [identity-path] -k [keychain-path] -T ${CODESIGN_PROGRAM}'\n"
+        "  - Set APPLE_CODESIGN_IDENTITY_PATH to the path of the .p12 file for the identity\n"
+        "  - Set APPLE_CODESIGN_IDENTITY_BASE64 to the base64-encoded .p12 file for the identity\n"
+      )
+    endif()
+  endif()
+endif()
+
+if(ENABLE_CODESIGN AND WIN32)
+  # TODO: Implement code signing for Windows
+endif()