classification
Title: Augmenting the Windows build to support code signing.
Type: enhancement Stage:
Components: Build Versions: Python 3.2
process
Status: closed Resolution: rejected
Dependencies: Superseder:
Assigned To: trent Nosy List: loewis, tmick, trent
Priority: normal Keywords:

Created on 2008-05-14 11:02 by trent, last changed 2010-07-10 05:45 by terry.reedy. This issue is now closed.

Messages (2)
msg66814 - (view) Author: Trent Nelson (trent) * (Python committer) Date: 2008-05-14 11:02
Now that we've finally got a VeriSign code-signing certificate 
(hurrah!), we can look at how we want to integrate the aspect of code 
signing into our build process.

I'd like to propose augmenting the build process such that as a post-
link step for .exe|.pyd targets, a little helper Python code signing 
script will be run (i.e. trunk/pcbuild/signfile.py).  The first thing 
that this script will check is whether or not the environment variable 
PYTHON_CODESIGNING_CERT_NAME is defined.  If it is not defined or is 
empty, the script will simply exit.  This will be the case for the vast 
majority of users.

However, if the environment variable exists, it indicates to the 
signfile.py script that the target .exe|.pyd should be signed, using 
the identifier specified by the environment variable, with Microsoft's 
code-signing facilities (signtool.exe etc).

The net effect is that if a user has a valid code-signing certificate 
installed, they can get the standard Python build system to 
automatically sign all binaries by setting this environment variable.  
I think this approach is more useful than, say, having Martin manually 
sign each binary when it comes to release time, as it is automated (and 
as such, less error prone), and can be leveraged by anyone wishing to 
create signed Python distributions, not just the PSF (i.e. ActiveState, 
Enthought, etc).

Assuming there are no objections to this proposal, a couple of other 
things I'll provide:
   a) documentation on both what's required in order to produce a
      signed distribution, as well as guidelines for other companies
      wishing to obtain code-signing certificates for the purposes of
      signing their custom Python distributions (perhaps better suited
      to a wiki entry)
   b) a helper script in pcbuild/ that can a) augment existing .vcprojs
      and add the post-link signing step, and b) be run in such a way
      that it checks all existing .vcprojs for .exe|.pyd targets have
      the post-link event correctly configured

Comments/objections?

    Trent.
msg66826 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2008-05-14 17:17
Objection. I don't see the point of signing the binaries; signing the
MSI files should be enough.
History
Date User Action Args
2010-07-10 05:45:38terry.reedysetstatus: open -> closed
resolution: rejected
versions: + Python 3.2, - Python 2.6, Python 3.0
2008-05-14 17:17:41loewissetmessages: + msg66826
2008-05-14 11:02:49trentcreate