[Distutils] How to sign a exe created with bdist_wininst?

Steve Dower Steve.Dower at microsoft.com
Sat Apr 18 16:46:49 CEST 2015

It may be possible to add an empty key container to the stub with signtool so that it can be filled in after adding the zip without having to extend the length. I believe the PE header is modified to locate the certificate, so it doesn't necessarily have to be at the end.

Feel free to investigate this yourself with the wininst stub in Lib\distutils\command. I'll take a look, but may not be able to get to it for a while (file an issue and nosy me if you don't get anywhere, or even if you do and we can support this in newer versions).


Top-posted from my Windows Phone
From: Paul Moore<mailto:p.f.moore at gmail.com>
Sent: 4/18/2015 2:58
To: Brian Cole<mailto:coleb at eyesopen.com>
Cc: distutils-sig at python.org<mailto:distutils-sig at python.org>
Subject: Re: [Distutils] How to sign a exe created with bdist_wininst?

On 17 April 2015 at 16:17, Brian Cole <coleb at eyesopen.com> wrote:
> We've recently converted over to using bdist_wininst for creating our
> Windows .exe installers for our libraries. Unfortunately, whenever we use
> the Windows signtool utility to cryptographically sign our installer it
> appears to corrupt the .exe and it can't be run anymore. The error message
> thrown by Windows is "Setup program invalid or damaged".
> My best guess at this point is that bdist_wininst is creating a checksum of
> the file somehow and signtool is altering the file in such a way to
> invalidate that checksum. The commands we're using at this point are like
> this:
> python3.4.exe setup.py bdist_wininst --target-version 3.4 --bitmap OurLogo --title OurTitle-OurVersion
> cp DistUtilsSetupFileName.exe OurSetupFileName.exe
> call "C:\program Files (x86)\Microsoft Visual Studio 9.0\Common7\Tools\vsvars32.bat"
> signtool sign /n OurCompany /t http://timestamp.verisign.com/scripts/timstamp.dll /d OurProject /du OurWebsite OurSetupFileName.exe
> Anyone know of a way to cryptographically sign an .exe installer from
> bdist_wininst?

The wininst format is a stub Windows executable, with some ini-format
data and a zipfile appended (in that order). I don't know where
signtool adds the signature, but if it's at the end, then that won't
work (as it's necessary for the zip data to be the *last* thing in the
file - zipfile format supports prepending data but not appending it as
the central directory is defined as being at a fixed offset from the
end of the file).

There may also be a length or checksum in the ini data, I'd have to
check the source to confirm that. <pause> Just checked, no it doesn't
- the full details are here:

So basically, I don't think it's possible to sign (or otherwise
modify) wininst executables.
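An added example, not part of the thread or of distutils: a Python check that reads the PE Certificate Table directory entry Steve refers to and the zip end record Paul refers to, and reports how many bytes follow the archive. `make_sample` and `append_signature` are hypothetical helpers that build constructed data (bare PE32 headers, a placeholder 64-byte blob) and assume a signer that appends the certificate table at end of file.

```python
import io, struct, zipfile

EOCD_SIG = b"PK\x05\x06"  # zip end-of-central-directory record signature

def security_dir_pos(data):
    """File position of the PE Certificate Table data-directory entry (index 4)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24                                         # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    return opt + {0x10B: 96, 0x20B: 112}[magic] + 4 * 8   # PE32 / PE32+ directory array

def layout(data):
    """Report where the certificate table and the zip end record sit in the file."""
    cert_off, cert_len = struct.unpack_from("<II", data, security_dir_pos(data))
    eocd = data.rfind(EOCD_SIG)  # heuristic: last occurrence of the signature
    zip_end = trailing = None
    if eocd >= 0:
        zip_end = eocd + 22 + struct.unpack_from("<H", data, eocd + 20)[0]
        trailing = len(data) - zip_end
    return {"cert_off": cert_off, "cert_len": cert_len,
            "zip_end": zip_end, "trailing": trailing}

def make_sample():
    """Constructed stand-in for a wininst .exe: bare PE32 headers + a zip archive."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 24, 0x10B)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("PURELIB/demo.py", "x = 1\n")
    return bytes(hdr) + buf.getvalue()

def append_signature(data, blob):
    """Mimic a signer that appends the certificate table at end of file (assumption)."""
    out = bytearray(data)
    out += b"\0" * (-len(out) % 8)                        # table starts 8-byte aligned
    struct.pack_into("<II", out, security_dir_pos(data), len(out), len(blob))
    return bytes(out + blob)

if __name__ == "__main__":
    unsigned = make_sample()
    print("unsigned:", layout(unsigned))
    print("signed:  ", layout(append_signature(unsigned, b"\xAA" * 64)))  # constructed blob
```

To inspect a real installer, pass the file's bytes to `layout`; a non-zero `trailing` value means data sits after the zip end record.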