[Python-Dev] Code signing of Windows .msi/.dll/.exe's for 2.6/3.0

Trent Nelson tnelson at onresolve.com
Thu Apr 17 13:56:28 CEST 2008


>  * Why the binaries should be signed?

    Makes the installation process on Windows Vista and Server 2008
    a little nicer; instead of getting an "unknown-executable-could-
    be-a-virus-aaaaaahhhh-watchout"-type dialog with a big red flag,
    you get a less threatening message saying that you're about to
    run something that's been digitally signed by the Python Software
    Foundation.  (I've come across a few entities (NSA, government
    bodies, etc.) who mandate that all installers/binaries they get
    must be digitally signed.)

>  * What is required to sign the binaries?

  1. Obtain a code signing certificate from someone.  I used VeriSign.
     You end up with an .spc and a .pvk file.  You need to combine them
     into a single .pfx file via a tool called pvk2pfx.exe:

Usage:
    pvk2pfx -pvk <pvk-file> [-pi <pvk-pswd>] -spc <spc-file>
           [-pfx <pfx-file> [-po <pfx-pswd>] [-f]]

        -pvk <pvk-file>  - input PVK file name.
        -spc <spc-file>  - input SPC file name.
        -pfx <pfx-file>  - output PFX file name.
        -pi <pvk-pswd>   - PVK password.
        -po <pfx-pswd>   - PFX password; same as -pi if not given.
        -f               - force overwrite existing PFX file.

        if -pfx option is not given, an export wizard will pop up. in
        this case, options -po and -f are ignored.

C:\..> pvk2pfx.exe -pvk verisign-privatekey.pvk -pi ****** -spc onresolve-verisign.spc -po ****** -pfx onresolve-verisign.pfx

  3. The resulting .pfx file, onresolve-verisign.pfx in this case, can
     then be installed as a 'Personal' certificate in Windows, using the
     Certificate Management facility (CertMgr.exe).  When you install it,
     you provide a name that the certificate can be referred to by apps;
     in my case I just used 'VeriSign'.  This name is used below by the
     signtool.exe app.

  4. Sign the executable, MSI or DLL as follows:

C:\..> signtool.exe sign /i "VeriSign" /d "Python 2.6.0" /du http://www.python.org /t http://timestamp.verisign.com/scripts/timstamp.dll Python-2.6.msi
Successfully signed and timestamped: Python-2.6.msi

>  * Which binaries should be signed?

    Personally, once I figured out the steps above, I hooked the signing
    process into all my Visual Studio projects as a post-build step, such
    that I sign all .exe and .dll files.  Not really necessary, but eh,
    it does have the advantage of looking more professional (users can
    view properties on the .dll, for example, and see that it's been
    digitally signed by the PSF).  Additionally, it prevents any tampering;
    Windows can detect if it's been altered in any way since it's been
    signed, and will flat out prevent it from being loaded/run if that's
    the case.


        Trent.
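
Added example, not part of the original message: a Python check that reports whether an .exe or .dll produced by a post-build signing step like the one described above actually carries an embedded Authenticode signature, by reading the PE certificate table entry. The function names and the sample header are constructed for illustration; the check covers PE files only (not .msi) and tests for presence, it does not validate the signature or its certificate chain.

```python
import struct, sys

SECURITY_DIR = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
PKCS_SIGNED_DATA = 0x0002              # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def authenticode_blob(data):
    """Return (file_offset, size) of the embedded signature, None if unsigned.

    Presence check only: the signature and its chain are not validated here.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe_off + 24                  # optional header follows the COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
        if count <= SECURITY_DIR:
            return None
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
        if offset == 0 or size == 0:
            return None                    # no certificate table: unsigned
        length, _rev, cert_type = struct.unpack_from("<IHH", data, offset)
    except struct.error:
        raise ValueError("truncated PE header") from None
    if offset + size > len(data) or length > size or cert_type != PKCS_SIGNED_DATA:
        raise ValueError("malformed certificate table")
    return offset, size

def constructed_pe(signed):
    """Constructed sample: a bare PE32+ header (not a loadable image)."""
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2022)
    image = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt)
    if signed:
        blob = struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + bytes(8)  # placeholder body
        struct.pack_into("<II", image, 0x40 + 24 + 112 + 8 * SECURITY_DIR, len(image), len(blob))
        image += blob
    return bytes(image)

if __name__ == "__main__":
    for path in sys.argv[1:]:                      # e.g. build output .exe/.dll files
        with open(path, "rb") as fh:
            found = authenticode_blob(fh.read())
        print(path, "signature present" if found else "UNSIGNED")
```

Run it with the build output files as arguments to list any binary the signing step missed.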

