Now that we've finally got a VeriSign code-signing certificate
(hurrah!), we can look at how we want to integrate the aspect of code
signing into our build process.
I'd like to propose augmenting the build process such that as a post-
link step for .exe|.pyd targets, a little helper Python code signing
script will be run (i.e. trunk/pcbuild/signfile.py). The first thing
that this script will check is whether or not the environment variable
PYTHON_CODESIGNING_CERT_NAME is defined. If it is not defined or is
empty, the script will simply exit. This will be the case for the vast
majority of users.
However, if the environment variable exists, it indicates to the
signfile.py script that the target .exe|.pyd should be signed, using
the identifier specified by the environment variable, with Microsoft's
code-signing facilities (signtool.exe etc).
The net effect is that if a user has a valid code-signing certificate
installed, they can get the standard Python build system to
automatically sign all binaries by setting this environment variable.
I think this approach is more useful than, say, having Martin manually
sign each binary when it comes to release time, as it is automated (and
as such, less error prone), and can be leveraged by anyone wishing to
create signed Python distributions, not just the PSF (i.e. ActiveState,
Enthought, etc).
Assuming there are no objections to this proposal, a couple of other
things I'll provide:
a) documentation on both what's required in order to produce a
signed distribution, as well as guidelines for other companies
wishing to obtain code-signing certificates for the purposes of
signing their custom Python distributions (perhaps better suited
to a wiki entry)
b) a helper script in pcbuild/ that can a) augment existing .vcprojs
and add the post-link signing step, and b) be run in such a way
that it checks all existing .vcprojs for .exe|.pyd targets have
the post-link event correctly configured
Comments/objections?
Trent.
|