[New-bugs-announce] [issue2850] Augmenting the Windows build to support code signing.

Trent Nelson report at bugs.python.org
Wed May 14 13:02:50 CEST 2008 

New submission from Trent Nelson <tnelson at onresolve.com>:

Now that we've finally got a VeriSign code-signing certificate 
(hurrah!), we can look at how we want to integrate the aspect of code 
signing into our build process.

I'd like to propose augmenting the build process such that as a post-
link step for .exe|.pyd targets, a little helper Python code signing 
script will be run (i.e. trunk/pcbuild/signfile.py).  The first thing 
that this script will check is whether or not the environment variable 
PYTHON_CODESIGNING_CERT_NAME is defined.  If it is not defined or is 
empty, the script will simply exit.  This will be the case for the vast 
majority of users.

However, if the environment variable exists, it indicates to the 
signfile.py script that the target .exe|.pyd should be signed, using 
the identifier specified by the environment variable, with Microsoft's 
code-signing facilities (signtool.exe etc).

The net effect is that if a user has a valid code-signing certificate 
installed, they can get the standard Python build system to 
automatically sign all binaries by setting this environment variable.  
I think this approach is more useful than, say, having Martin manually 
sign each binary when it comes to release time, as it is automated (and 
as such, less error prone), and can be leveraged by anyone wishing to 
create signed Python distributions, not just the PSF (i.e. ActiveState, 
Enthought, etc).

Assuming there are no objections to this proposal, a couple of other 
things I'll provide:
   a) documentation on both what's required in order to produce a
      signed distribution, as well as guidelines for other companies
      wishing to obtain code-signing certificates for the purposes of
      signing their custom Python distributions (perhaps better suited
      to a wiki entry)
   b) a helper script in pcbuild/ that can a) augment existing .vcprojs
      and add the post-link signing step, and b) be run in such a way
      that it checks all existing .vcprojs for .exe|.pyd targets have
      the post-link event correctly configured

Comments/objections?

    Trent.

----------
assignee: Trent.Nelson
components: Build
messages: 66814
nosy: Trent.Nelson, loewis, tmick
priority: normal
severity: normal
status: open
title: Augmenting the Windows build to support code signing.
type: feature request
versions: Python 2.6, Python 3.0

__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2850>
__________________________________

More information about the New-bugs-announce mailing list