➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2008-05-14 11:02 by trent, last changed 2022-04-11 14:56 by admin. This issue is now closed.
| Messages (2) | |||
|---|---|---|---|
| msg66814 - (view) | Author: Trent Nelson (trent) *  |
Date: 2008-05-14 11:02 | |
Now that we've finally got a VeriSign code-signing certificate
(hurrah!), we can look at how we want to integrate the aspect of code
signing into our build process.
I'd like to propose augmenting the build process such that as a post-
link step for .exe|.pyd targets, a little helper Python code signing
script will be run (i.e. trunk/pcbuild/signfile.py). The first thing
that this script will check is whether or not the environment variable
PYTHON_CODESIGNING_CERT_NAME is defined. If it is not defined or is
empty, the script will simply exit. This will be the case for the vast
majority of users.
However, if the environment variable exists, it indicates to the
signfile.py script that the target .exe|.pyd should be signed, using
the identifier specified by the environment variable, with Microsoft's
code-signing facilities (signtool.exe etc).
The net effect is that if a user has a valid code-signing certificate
installed, they can get the standard Python build system to
automatically sign all binaries by setting this environment variable.
I think this approach is more useful than, say, having Martin manually
sign each binary when it comes to release time, as it is automated (and
as such, less error prone), and can be leveraged by anyone wishing to
create signed Python distributions, not just the PSF (i.e. ActiveState,
Enthought, etc).
Assuming there are no objections to this proposal, a couple of other
things I'll provide:
a) documentation on both what's required in order to produce a
signed distribution, as well as guidelines for other companies
wishing to obtain code-signing certificates for the purposes of
signing their custom Python distributions (perhaps better suited
to a wiki entry)
b) a helper script in pcbuild/ that can a) augment existing .vcprojs
and add the post-link signing step, and b) be run in such a way
that it checks all existing .vcprojs for .exe|.pyd targets have
the post-link event correctly configured
Comments/objections?
Trent.
|
|||
| msg66826 - (view) | Author: Martin v. Löwis (loewis) * |
Date: 2008-05-14 17:17 | |
Objection. I don't see the point of signing the binaries; signing the MSI files should be enough. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:56:34 | admin | set | github: 47099 |
| 2010-07-10 05:45:38 | terry.reedy | set | status: open -> closed resolution: rejected versions: + Python 3.2, - Python 2.6, Python 3.0 |
| 2008-05-14 17:17:41 | loewis | set | messages: + msg66826 |
| 2008-05-14 11:02:49 | trent | create | |