The signet.command.sign_code module is responsible for digitally signing code. The module acts as a wrapper for the Windows SDK tool signtool. It is intended to be a companion to signet.command.build_signet, but can be used standalone to sign any executable code file.
The signed code will be timestamped if your computer is connected to the internet. sign_code will randomly select a public timestamp server. If the first attempt to timestamp fails, it will cycle through its list of servers, trying each up to 5 times before giving up.
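The timestamp retry behaviour described above, as an added example (not signet's own code). The server URLs are constructed placeholders, the function names are hypothetical, and it assumes "trying each up to 5 times" means up to five consecutive attempts per server before moving to the next.

```python
import random
import subprocess

MAX_TRIES_PER_SERVER = 5  # from the text: each server is tried up to 5 times

# Constructed placeholder URLs, not real timestamp services.
TIMESTAMP_SERVERS = [
    "http://timestamp.example-a.test",
    "http://timestamp.example-b.test",
    "http://timestamp.example-c.test",
]


def signtool_timestamp_args(target, server_url):
    """argv for `signtool timestamp /t <url> <file>` (Authenticode timestamp)."""
    return ["signtool", "timestamp", "/t", server_url, target]


def timestamp_with_retry(target, run, servers=TIMESTAMP_SERVERS, rng=random):
    """Timestamp an already-signed file, rotating through `servers`.

    `run(argv)` returns the process exit code (0 = success). Returns the
    URL that succeeded, or None when every server failed all its tries.
    A None result means the signature carries no timestamp, so callers
    should report it rather than ignore it.
    """
    if not servers:
        return None
    start = rng.randrange(len(servers))        # random first server
    order = servers[start:] + servers[:start]  # then cycle through the rest
    for url in order:
        for _attempt in range(MAX_TRIES_PER_SERVER):
            if run(signtool_timestamp_args(target, url)) == 0:
                return url
    return None


def subprocess_runner(argv):
    """Runner for a Windows host with signtool on PATH (assumption)."""
    return subprocess.run(argv, capture_output=True).returncode
```

Pass `subprocess_runner` as `run` on a machine with the Windows SDK installed; any callable that returns an exit code works for testing.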
This is the main function responsible for digitally signing your code. It is not expected to be invoked directly, but installs itself into the distutils.command hierarchy by nature of its inheritance from distutils.command.config.
sign_code makes available additional arguments you can specify when calling distutils.core.setup():
argument name | value | type |
---|---|---|
pfx-file | Path to PKCS#12 file with your signing certificate. This setting is required. | a string |
password | Password associated with the PKCS#12 file. Either this or savedpassword is required. | a string |
savepassword | Request sign_tool save password in your private registry. The saved password is stored encrypted (using Windows DPAPI). | a boolean |
resetpassword | Delete stored password. | a boolean |
digest | Digest to use when signing (default is SHA1). | a string |
winsdk-path | The path to the Windows SDK (if it is not installed in the default path). | a string |
With options specified on the command line, setup.py:

```python
from distutils.core import setup, Extension
from signet.command.sign_code import sign_code

setup(name = 'hello',
      cmdclass = {'sign_code': sign_code},
      ext_modules = [Extension('hello', sources=['hello.py'])],
      )
```

Invoked as `python setup.py sign_code --savedpassword --pfx-file CERT-1-Expired-2014-11.pfx`
With options embedded in setup.py:

```python
from distutils.core import setup, Extension
from signet.command.sign_code import sign_code

setup(name = 'hello',
      cmdclass = {'sign_code': sign_code},
      ext_modules = [Extension('hello', sources=['hello.py'])],
      options = { 'sign_code': {
                      'savedpassword': True,
                      'pfx_file': 'CERT-1-Expired-2014-11.pfx',
                      }
                },
      )
```

Invoked as `python setup.py sign_code`
Retrieve a previously saved password. The password is returned unencrypted. name is used to look up a password on this machine, and must be the same name used in save_password().
Save password to the user's private registry (encrypted). name is used to save a password on this machine and can be any string that complies with the Windows registry naming rules. password is the plain text password associated with name. Set password to None to delete the value from the registry.
TIP: I recommend you use the certificate expiration date as the name. Remembering when a cert will expire is a maintenance headache, and using this as the name will help with this chore.
Example use:

```python
>>> from signet.command.sign_code import *
>>> save_password('Cert-1-Expires-2014-11', 'abc123')
>>> get_saved_password('Cert-1-Expires-2014-11')
'abc123'
```