Message 66814 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	trent
Recipients	loewis, tmick, trent
Date	2008-05-14.11:02:24
SpamBayes Score	0.00021869226
Marked as misclassified	No
Message-id	<1210762970.34.0.566906557535.issue2850@psf.upfronthosting.co.za>
In-reply-to

Content
Now that we've finally got a VeriSign code-signing certificate (hurrah!), we can look at how we want to integrate the aspect of code signing into our build process. I'd like to propose augmenting the build process such that as a post- link step for .exe\|.pyd targets, a little helper Python code signing script will be run (i.e. trunk/pcbuild/signfile.py). The first thing that this script will check is whether or not the environment variable PYTHON_CODESIGNING_CERT_NAME is defined. If it is not defined or is empty, the script will simply exit. This will be the case for the vast majority of users. However, if the environment variable exists, it indicates to the signfile.py script that the target .exe\|.pyd should be signed, using the identifier specified by the environment variable, with Microsoft's code-signing facilities (signtool.exe etc). The net effect is that if a user has a valid code-signing certificate installed, they can get the standard Python build system to automatically sign all binaries by setting this environment variable. I think this approach is more useful than, say, having Martin manually sign each binary when it comes to release time, as it is automated (and as such, less error prone), and can be leveraged by anyone wishing to create signed Python distributions, not just the PSF (i.e. ActiveState, Enthought, etc). Assuming there are no objections to this proposal, a couple of other things I'll provide: a) documentation on both what's required in order to produce a signed distribution, as well as guidelines for other companies wishing to obtain code-signing certificates for the purposes of signing their custom Python distributions (perhaps better suited to a wiki entry) b) a helper script in pcbuild/ that can a) augment existing .vcprojs and add the post-link signing step, and b) be run in such a way that it checks all existing .vcprojs for .exe\|.pyd targets have the post-link event correctly configured Comments/objections? Trent.

Now that we've finally got a VeriSign code-signing certificate 
(hurrah!), we can look at how we want to integrate the aspect of code 
signing into our build process.

I'd like to propose augmenting the build process such that as a post-
link step for .exe|.pyd targets, a little helper Python code signing 
script will be run (i.e. trunk/pcbuild/signfile.py).  The first thing 
that this script will check is whether or not the environment variable 
PYTHON_CODESIGNING_CERT_NAME is defined.  If it is not defined or is 
empty, the script will simply exit.  This will be the case for the vast 
majority of users.

However, if the environment variable exists, it indicates to the 
signfile.py script that the target .exe|.pyd should be signed, using 
the identifier specified by the environment variable, with Microsoft's 
code-signing facilities (signtool.exe etc).

The net effect is that if a user has a valid code-signing certificate 
installed, they can get the standard Python build system to 
automatically sign all binaries by setting this environment variable.  
I think this approach is more useful than, say, having Martin manually 
sign each binary when it comes to release time, as it is automated (and 
as such, less error prone), and can be leveraged by anyone wishing to 
create signed Python distributions, not just the PSF (i.e. ActiveState, 
Enthought, etc).

Assuming there are no objections to this proposal, a couple of other 
things I'll provide:
   a) documentation on both what's required in order to produce a
      signed distribution, as well as guidelines for other companies
      wishing to obtain code-signing certificates for the purposes of
      signing their custom Python distributions (perhaps better suited
      to a wiki entry)
   b) a helper script in pcbuild/ that can a) augment existing .vcprojs
      and add the post-link signing step, and b) be run in such a way
      that it checks all existing .vcprojs for .exe|.pyd targets have
      the post-link event correctly configured

Comments/objections?

    Trent.

History
Date	User	Action	Args
2008-05-14 11:02:51	trent	set	spambayes_score: 0.000218692 -> 0.00021869226 recipients: + trent, loewis, tmick
2008-05-14 11:02:50	trent	set	spambayes_score: 0.000218692 -> 0.000218692 messageid: <1210762970.34.0.566906557535.issue2850@psf.upfronthosting.co.za>
2008-05-14 11:02:48	trent	link	issue2850 messages
2008-05-14 11:02:42	trent	create