[Python-Dev] Code signing of Windows .msi/.dll/.exe's for 2.6/3.0
tnelson at onresolve.com
Thu Apr 17 13:56:28 CEST 2008
> * Why the binaries should be signed?
Makes the installation process on Windows Vista and Server 2008
a little nicer; instead of getting an "unknown-executable-could-
be-a-virus-aaaaaahhhh-watchout"-type dialog with a big red flag,
you get a less threatening message saying that you're about to
run something that's been digitally signed by the Python Software
Foundation. (I've come across a few entities (NSA, government
bodies, etc.) who mandate that all installers/binaries they get
must be digitally signed.)
> * What is required to sign the binaries?
1. Obtain a code signing certificate from someone. I used VeriSign.
You end up with an .spc and a .pvk file. You need to combine them
into a single .pfx file via a tool called pvk2pfx.exe:

    pvk2pfx -pvk <pvk-file> [-pi <pvk-pswd>] -spc <spc-file>
            [-pfx <pfx-file> [-po <pfx-pswd>] [-f]]

        -pvk <pvk-file> - input PVK file name.
        -spc <spc-file> - input SPC file name.
        -pfx <pfx-file> - output PFX file name.
        -pi <pvk-pswd>  - PVK password.
        -po <pfx-pswd>  - PFX password; same as -pi if not given.
        -f              - force overwrite existing PFX file.

    if -pfx option is not given, an export wizard will pop up. in
    this case, options -po and -f are ignored.

    C:\..> pvk2pfx.exe -pvk verisign-privatekey.pvk -pi ****** -spc onresolve-verisign.spc -po ****** -pfx onresolve-verisign.pfx

3. The resulting .pfx file, onresolve-verisign.pfx in this case, can
then be installed as a 'Personal' certificate in Windows, using the
Certificate Management facility (CertMgr.exe). When you install it,
you provide a name that the certificate can be referred to by apps;
in my case I just used 'VeriSign'. This name is used below by the
4. Sign the executable, MSI or DLL as follows:

    C:\..> signtool.exe sign /i "VeriSign" /d "Python 2.6.0" /du http://www.python.org /t http://timestamp.verisign.com/scripts/timstamp.dll Python-2.6.msi
    Successfully signed and timestamped: Python-2.6.msi

> * Which binaries should be signed?
Personally, once I figured out the steps above, I hooked the signing
process into all my Visual Studio projects as a post-build step, such
that I sign all .exe and .dll files. Not really necessary, but eh,
it does have the advantage of looking more professional (users can
view properties on the .dll, for example, and see that it's been
digitally signed by the PSF). Additionally, it prevents any tampering;
Windows can detect if it's been altered in any way since it's been
signed, and will flat out prevent it from being loaded/run if that's
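
As an added example (not part of the original post, and not code from the Python build scripts): a post-build gate like the one described above can confirm that each .exe/.dll really carries an embedded Authenticode certificate table by reading the PE security data directory. The function names and the sample bytes are constructed for illustration, and the check covers presence and basic structure only, not cryptographic validity.

```python
import struct

SECURITY_DIR = 4           # IMAGE_DIRECTORY_ENTRY_SECURITY
PKCS_SIGNED_DATA = 0x0002  # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def embedded_signature(data: bytes):
    """Return (file offset, size) of the certificate table, or None if unsigned.

    Raises ValueError when the input is not a well-formed PE image.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe:pe + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe + 24                  # 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        count_off = opt + (92 if magic == 0x10B else 108)  # PE32 vs PE32+
        count = struct.unpack_from("<I", data, count_off)[0]
        if count <= SECURITY_DIR:
            return None
        # Unlike the other directories, this entry holds a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", data, count_off + 4 + 8 * SECURITY_DIR)
        if offset == 0 or size == 0:
            return None
        if offset + size > len(data):
            raise ValueError("certificate table runs past end of file")
        length, _rev, cert_type = struct.unpack_from("<IHH", data, offset)
    except struct.error as exc:
        raise ValueError("truncated PE image") from exc
    if cert_type != PKCS_SIGNED_DATA or length > size:
        raise ValueError("malformed WIN_CERTIFICATE entry")
    return offset, size

def make_sample(signed: bool) -> bytes:
    """Constructed PE32 headers only (not a runnable program), for the demo."""
    # Placeholder WIN_CERTIFICATE: real header fields, dummy 8-byte payload.
    blob = struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + b"\0" * 8
    dirs = bytearray(16 * 8)
    if signed:                         # headers below total 312 bytes
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR, 312, len(blob))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + bytes(dirs)
    return dos + b"PE\0\0" + coff + opt + (blob if signed else b"")
```

A file that passes this check still needs its hash and certificate chain validated, for example with `signtool verify /pa <file>`.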