sign_code - Digitally sign code

The signet.command.sign_code module is responsible for digitally signing code. The module acts as a wrapper for the Windows SDK tool signtool. It is intended to be a companion to signet.command.build_signet, but can be used standalone to sign any executable code file.

The signed code will be timestamped if your computer is connected to the internet. sign_code will randomly select a public timestamp server. If the first attempt to timestamp fails, it will cycle through its list of servers, trying each up to 5 times before giving up.
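The retry behaviour described above, sketched as an added example (this is not signet's own code). It assumes "cycle" means round-robin passes over the list starting from a randomly chosen server, with each server tried once per pass; the server URLs are constructed placeholders, and `timestamp_with_retry`, `signtool_timestamp` and `demo` are hypothetical names.

```python
import random
import subprocess

# Constructed placeholder URLs; substitute the timestamp servers you trust.
SERVERS = [
    "http://timestamp.example.test/a",
    "http://timestamp.example.test/b",
    "http://timestamp.example.test/c",
]

def signtool_timestamp(url, target, signtool="signtool.exe"):
    """Run `signtool timestamp /t URL FILE`; True when signtool exits 0."""
    result = subprocess.run([signtool, "timestamp", "/t", url, target],
                            capture_output=True)
    return result.returncode == 0

def timestamp_with_retry(target, servers=SERVERS, tries_per_server=5,
                         attempt=signtool_timestamp, rng=random):
    """Return (url, attempts) on success, or (None, attempts) after giving up."""
    if not servers:
        raise ValueError("no timestamp servers configured")
    start = rng.randrange(len(servers))        # random first choice
    attempts = 0
    for _ in range(tries_per_server):          # each pass tries every server once
        for offset in range(len(servers)):
            url = servers[(start + offset) % len(servers)]
            attempts += 1
            if attempt(url, target):
                return url, attempts
    return None, attempts                      # signed, but NOT timestamped

def demo():
    """Simulate two dead servers and one that answers on its second try."""
    calls = {}
    def fake_attempt(url, target):             # stand-in for signtool, runs offline
        calls[url] = calls.get(url, 0) + 1
        return url.endswith("/b") and calls[url] == 2
    return timestamp_with_retry("hello.exe", attempt=fake_attempt)
```

A `None` result means the file carries a signature without a timestamp, so the signature stops validating once the certificate expires; a release build should treat that as a failure.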

class signet.command.sign_code.sign_code
run()

This is the main function responsible for digitally signing your code. It is not expected to be invoked directly, but installs itself into the distutils.command hierarchy by nature of its inheritance from distutils.command.config.

sign_code makes available additional arguments you can specify when calling distutils.core.setup()

| argument name | value | type |
| pfx-file | Path to PKCS#12 file with your signing certificate. This setting is required. | a string |
| password | Password associated with PKCS#12 file. Either this or savedpassword is required. | a string |
| savepassword | Request sign_tool save password in your private registry. The saved password is stored encrypted (using Windows DPAPI). | a boolean |
| resetpassword | Delete stored password. | a boolean |
| digest | Digest to use when signing (default is SHA1). | a string |
| winsdk-path | The path to find Windows SDK (if it is not installed in default path). | a string |

Examples

With options specified on command line, setup.py:

from distutils.core import setup, Extension
from signet.command.sign_code import sign_code

setup(name = 'hello',
    cmdclass = {'sign_code': sign_code},
    ext_modules = [Extension('hello', sources=['hello.py'])],
    )

Invoked as python setup.py sign_code --savedpassword --pfx-file CERT-1-Expired-2014-11.pfx

With options embedded in setup.py:

from distutils.core import setup, Extension
from signet.command.sign_code import sign_code

setup(name = 'hello',
    cmdclass = {'sign_code': sign_code},
    ext_modules = [Extension('hello', sources=['hello.py'])],
    options = { 'sign_code': {
                    'savedpassword': True,
                    'pfx_file': 'CERT-1-Expired-2014-11.pfx',
                    }
              },
    )

Invoked as python setup.py sign_code

Utility Functions

signet.command.sign_code.get_winsdk_path()

Retrieve the installed path for the Windows SDK.

signet.command.sign_code.get_saved_password(name)

Retrieve previously saved password. The password is returned unencrypted. name is used to look up a password on this machine, and must be the same name used in save_password().

signet.command.sign_code.save_password(name, password)

Save password to user’s private registry (encrypted). name is used to save a password on this machine and can be any string that complies with Windows’s registry naming rules. password is the plain text password associated with name. Set password to None to delete the value from the registry.

TIP: I recommend you use the certificate expiration date as the name. Remembering when a cert will expire is a maintenance headache, and using this as the name will help with this chore.

Example use:

>>> from signet.command.sign_code import *
>>> save_password('Cert-1-Expires-2014-11', 'abc123')
>>> get_saved_password('Cert-1-Expires-2014-11')
'abc123'
