Collating codesign for the end?

Currently I codesign executables with

function(um_add_executable name)
	add_executable(${ARGV})
	add_custom_command(
		TARGET ${name}
		POST_BUILD
		COMMAND "${SIGNTOOL_PROGRAM}" # signing arguments are cut off in the original post
	)
endfunction()

Which is fine and works. But since each codesign is a separate process, I have to enter the PIN each time, for each executable in the project.
Curious if there was an easy/smart way to collect all executables, and at the very end of the build, codesign them in one go - and maybe I only need to enter the PIN once?

I don’t think that would work as nicely since the build tool (make or ninja) would have no way to know if it needs to be run. AFAICT, codesign modifies binaries in-place, so the rule that signs the code could not depend on the binary since it will modify it on its own.

I would say that signing should be left to be an installation step or to bundle it with a step that copies the binary from the build and signs the copy (so that there’s no dependency loop). Either of these solutions should be able to do batching (up to what codesign supports for batching).
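The copy-then-sign approach from the reply above, sketched as an added example (not code from either poster). The names `um_finalize_signing`, `um_sign_all`, `UM_SIGN_TARGETS`, `SIGN_ARGS` and the `signed` staging directory are hypothetical, and it assumes the signing tool accepts several files in one invocation and a single-config generator.

```cmake
# Added example: collect targets, then sign copies of them in one invocation.
# SIGN_ARGS is a hypothetical list holding the tool's signing options.

function(um_add_executable name)
	add_executable(${ARGV})
	# Record the target instead of signing it in a POST_BUILD step.
	set_property(GLOBAL APPEND PROPERTY UM_SIGN_TARGETS ${name})
endfunction()

# Call once, after the last um_add_executable() (end of the top-level CMakeLists.txt).
function(um_finalize_signing)
	get_property(targets GLOBAL PROPERTY UM_SIGN_TARGETS)
	if(NOT targets)
		return()
	endif()

	set(stage "${CMAKE_BINARY_DIR}/signed")
	set(stamp "${stage}/.signed.stamp")
	set(inputs "")
	set(copies "")
	foreach(t IN LISTS targets)
		list(APPEND inputs "$<TARGET_FILE:${t}>")
		list(APPEND copies "${stage}/$<TARGET_FILE_NAME:${t}>")
	endforeach()

	# The build outputs are never modified; only the staged copies are signed,
	# so the rule can depend on the binaries without creating a dependency loop.
	add_custom_command(
		OUTPUT "${stamp}"
		COMMAND "${CMAKE_COMMAND}" -E make_directory "${stage}"
		COMMAND "${CMAKE_COMMAND}" -E copy ${inputs} "${stage}"
		COMMAND "${SIGNTOOL_PROGRAM}" ${SIGN_ARGS} ${copies}
		COMMAND "${CMAKE_COMMAND}" -E touch "${stamp}"
		DEPENDS ${targets}
		VERBATIM
		COMMENT "Signing staged copies of: ${targets}")

	# Not part of ALL: run explicitly with `cmake --build . --target um_sign_all`.
	add_custom_target(um_sign_all DEPENDS "${stamp}")
endfunction()
```

The stamp file lets make or ninja skip the step when no executable has changed; when any one is relinked, the whole batch is copied and signed again. Whether a single invocation also means a single PIN prompt depends on the signing tool and token.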