Subject: Re: [Python-Dev] Code signing of Windows .msi/.dll/.exe's for 2.6/3.0
From: Trent Nelson (tnel...@onresolve.com)
Date: Apr 17, 2008 4:56:05 am
List: org.python.python-dev

* Why should the binaries be signed?
Makes the installation process on Windows Vista and Server 2008 a little nicer; instead of getting an "unknown-executable-could-be-a-virus-aaaaaahhhh-watchout"-type dialog with a big red flag, you get a less threatening message saying that you're about to run something that's been digitally signed by the Python Software Foundation. (I've come across a few entities (NSA, government bodies, etc.) who mandate that all installers/binaries they get must be digitally signed.)
* What is required to sign the binaries?
1. Obtain a code signing certificate from someone. I used VeriSign. You end up with an .spc and a .pvk file. You need to combine them into a single .pfx file via a tool called pvk2pfx.exe:

    Usage: pvk2pfx -pvk <pvk-file> [-pi <pvk-pswd>] -spc <spc-file> [-pfx <pfx-file> [-po <pfx-pswd>] [-f]]

      -pvk <pvk-file>  - input PVK file name.
      -spc <spc-file>  - input SPC file name.
      -pfx <pfx-file>  - output PFX file name.
      -pi  <pvk-pswd>  - PVK password.
      -po  <pfx-pswd>  - PFX password; same as -pi if not given.
      -f               - force overwrite existing PFX file.

    If the -pfx option is not given, an export wizard will pop up. In this case, options -po and -f are ignored.

2. Combine the two files:

    C:\..> pvk2pfx.exe -pvk verisign-privatekey.pvk -pi ****** -spc onresolve-verisign.spc -po ****** -pfx onresolve-verisign.pfx
3. The resulting .pfx file, onresolve-verisign.pfx in this case, can then be installed as a 'Personal' certificate in Windows, using the Certificate Management facility (CertMgr.exe). When you install it, you provide a name that the certificate can be referred to by apps; in my case I just used 'VeriSign'. This name is used below by the signtool.exe app.

4. Sign the executable, MSI or DLL as follows:

    C:\..> signtool.exe sign /i "VeriSign" /d "Python 2.6.0" /du http://www.python.org /t http://timestamp.verisign.com/scripts/timstamp.dll Python-2.6.msi
    Successfully signed and timestamped: Python-2.6.msi
* Which binaries should be signed?
Personally, once I figured out the steps above, I hooked the signing process into all my Visual Studio projects as a post-build step, such that I sign all .exe and .dll files. Not really necessary, but eh, it does have the advantage of looking more professional (users can view properties on the .dll, for example, and see that it's been digitally signed by the PSF). Additionally, it prevents any tampering; Windows can detect if it's been altered in any way since it's been signed, and will flat out prevent it from being loaded/run if that's the case.
Trent.
_______________________________________________
Python-Dev mailing list
Pyth...@python.org
http://mail.python.org/mailman/listinfo/python-dev
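The post-build hook described in steps 3 and 4 above, written out as a script. This is an added example, not code from the original message or from the CPython build: it signs every build output with signtool.exe and then checks each file independently with the built-in Get-AuthenticodeSignature cmdlet, so that a failed or tampered signature breaks the build instead of going unnoticed. Everything it assumes is marked: signtool.exe from a Windows SDK on PATH, a code-signing certificate already installed in the current user's Personal store whose subject name matches $SubjectName, a reachable RFC 3161 timestamp server at $TimestampUrl (the post used the older /t Authenticode timestamp form), and the file paths, which are constructed for illustration.

```powershell
# Added example (not from the original post or the CPython project).
# Assumptions, none of which come from the page:
#   - signtool.exe (Windows SDK) is on PATH
#   - a code-signing certificate is installed in CurrentUser\My with a
#     subject name matching $SubjectName (the post selected by issuer with /i)
#   - $TimestampUrl is an RFC 3161 timestamp server (the post used /t)
#   - the default paths are constructed for illustration
param(
    [string]$SubjectName  = 'Python Software Foundation',
    [string]$TimestampUrl = 'http://timestamp.digicert.com',
    [string[]]$Paths      = @('.\build\python.exe', '.\build\python26.dll', '.\Python-2.6.msi')
)

$ErrorActionPreference = 'Stop'

function Invoke-CodeSign {
    param([string]$Path)
    # /n selects the certificate by subject name; /fd and /td choose SHA-256
    # for the file digest and timestamp digest; /tr requests an RFC 3161
    # timestamp so the signature stays valid after the certificate expires.
    & signtool.exe sign /n $SubjectName /fd SHA256 /tr $TimestampUrl /td SHA256 `
        /d 'Python 2.6.0' /du 'http://www.python.org' $Path
    if ($LASTEXITCODE -ne 0) {
        throw "signtool sign failed for $Path (exit code $LASTEXITCODE)"
    }
}

function Test-CodeSign {
    param([string]$Path)
    # Independent verification through WinVerifyTrust. Status is 'Valid' only
    # when the signature checks out AND chains to a trusted root;
    # 'HashMismatch' means the file changed after signing, 'NotSigned' means
    # signing never happened, 'UnknownError' usually means an untrusted chain.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = $Path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        Tsa    = $sig.TimeStamperCertificate.Subject
    }
}

foreach ($p in $Paths) {
    if (-not (Test-Path $p)) { throw "Build output missing: $p" }
    Invoke-CodeSign -Path $p
}

$results = $Paths | ForEach-Object { Test-CodeSign -Path $_ }
$results | Format-Table -AutoSize

$bad = $results | Where-Object { $_.Status -ne 'Valid' }
if ($bad) {
    $detail = ($bad | ForEach-Object { "$($_.File) -> $($_.Status)" }) -join '; '
    throw "Signature verification failed: $detail"
}
```

To use it as a Visual Studio post-build step, call it with the project's output as the argument, e.g. `powershell -ExecutionPolicy Bypass -File sign-build.ps1 -Paths "$(TargetPath)"`. The verification pass is the part worth keeping even if the signing command changes: a 'Valid' status from Get-AuthenticodeSignature is what the Windows loader and installer will later agree with, and a 'HashMismatch' on a freshly built file is the tampering case the post mentions, caught at build time rather than on a user's machine.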