Unify psign-tool entry point

.cargo/config.toml

@@ -1,6 +1,6 @@
 [alias]
 # Main Windows CLI (`default-members` omit root crate — always pass `-p psign`).
-windows-bin = "build -p psign --bin psign-tool-windows --locked"
+windows-bin = "build -p psign --bin psign-tool --locked"
 # Portable Authenticode digest stack (no Win32). See docs/roadmap-authenticode-linux.md.
 digest-check = "check -p psign-sip-digest -p psign-digest-cli -p psign-authenticode-trust -p psign-codesigning-rest -p psign-azure-kv-rest --locked"
 # `psign-digest-cli` has integration tests only — keep it last so `--lib` does not silence them.

.github/workflows/parity-extensions.yml

@@ -10,7 +10,7 @@ on:
         type: boolean
         default: false
       run_catalog_verify:
-        description: Run Rust catalog verify against SIGNTOOL_RS_CATALOG_* secrets
+        description: Run Rust catalog verify against PSIGN_CATALOG_* secrets
         type: boolean
         default: false
 
@@ -21,23 +21,23 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
-      - run: cargo build -p psign --bin psign-tool-windows
+      - run: cargo build -p psign --bin psign-tool
       - name: Bootstrap Devolutions test PKI + pack minimal MSIX
         shell: pwsh
         env:
-          SIGNTOOL_RS_MSIX_DLIB: ${{ secrets.SIGNTOOL_RS_MSIX_DLIB }}
-          SIGNTOOL_RS_MSIX_DMDF: ${{ secrets.SIGNTOOL_RS_MSIX_DMDF }}
+          PSIGN_MSIX_DLIB: ${{ secrets.PSIGN_MSIX_DLIB }}
+          PSIGN_MSIX_DMDF: ${{ secrets.PSIGN_MSIX_DMDF }}
         run: |
-          if (-not $env:SIGNTOOL_RS_MSIX_DLIB -or -not $env:SIGNTOOL_RS_MSIX_DMDF) {
-            throw "Set repository secrets SIGNTOOL_RS_MSIX_DLIB and SIGNTOOL_RS_MSIX_DMDF."
+          if (-not $env:PSIGN_MSIX_DLIB -or -not $env:PSIGN_MSIX_DMDF) {
+            throw "Set repository secrets PSIGN_MSIX_DLIB and PSIGN_MSIX_DMDF."
           }
           ./scripts/ci/bootstrap-devolutions-authenticode.ps1 -EmitGithubEnv
           $ws = "${{ github.workspace }}"
-          $exe = Join-Path $ws "target\debug\psign-tool-windows.exe"
+          $exe = Join-Path $ws "target\debug\psign-tool.exe"
           $rt = if ($env:RUNNER_TEMP) { $env:RUNNER_TEMP } else { $env:TEMP }
           $msix = Join-Path $rt "psign_extension_decoupled.msix"
           ./scripts/ci/pack-minimal-msix.ps1 -WorkspaceRoot $ws -PeAsExecutable $exe -OutputMsix $msix
-          $env:SIGNTOOL_RS_MSIX_UNSIGNED_FIXTURE = $msix
+          $env:PSIGN_MSIX_UNSIGNED_FIXTURE = $msix
           ./scripts/msix-parity-sign.ps1 -UseDecoupledDigest -FailOnSemantic
 
   catalog-verify:
@@ -46,18 +46,18 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - uses: dtolnay/rust-toolchain@stable
-      - run: cargo build -p psign --bin psign-tool-windows
+      - run: cargo build -p psign --bin psign-tool
       - name: Catalog verify (Rust)
         shell: pwsh
         env:
-          SIGNTOOL_RS_CATALOG_TARGET: ${{ secrets.SIGNTOOL_RS_CATALOG_TARGET }}
-          SIGNTOOL_RS_CATALOG_FILE: ${{ secrets.SIGNTOOL_RS_CATALOG_FILE }}
+          PSIGN_CATALOG_TARGET: ${{ secrets.PSIGN_CATALOG_TARGET }}
+          PSIGN_CATALOG_FILE: ${{ secrets.PSIGN_CATALOG_FILE }}
         run: |
-          if (-not $env:SIGNTOOL_RS_CATALOG_TARGET -or -not $env:SIGNTOOL_RS_CATALOG_FILE) {
-            throw "Set repository secrets SIGNTOOL_RS_CATALOG_TARGET and SIGNTOOL_RS_CATALOG_FILE."
+          if (-not $env:PSIGN_CATALOG_TARGET -or -not $env:PSIGN_CATALOG_FILE) {
+            throw "Set repository secrets PSIGN_CATALOG_TARGET and PSIGN_CATALOG_FILE."
           }
-          $rust = Join-Path "${{ github.workspace }}" "target\debug\psign-tool-windows.exe"
-          & $rust verify $env:SIGNTOOL_RS_CATALOG_TARGET --catalog $env:SIGNTOOL_RS_CATALOG_FILE
+          $rust = Join-Path "${{ github.workspace }}" "target\debug\psign-tool.exe"
+          & $rust verify $env:PSIGN_CATALOG_TARGET --catalog $env:PSIGN_CATALOG_FILE
           if ($LASTEXITCODE -ne 0) { throw "Catalog verify failed with exit $LASTEXITCODE" }
-          & $rust verify $env:SIGNTOOL_RS_CATALOG_TARGET --catalog $env:SIGNTOOL_RS_CATALOG_FILE --os-version-check "386:10.0.26100.0"
+          & $rust verify $env:PSIGN_CATALOG_TARGET --catalog $env:PSIGN_CATALOG_FILE --os-version-check "386:10.0.26100.0"
           if ($LASTEXITCODE -ne 0) { throw "Catalog verify with --os-version-check failed with exit $LASTEXITCODE" }

.github/workflows/rust-sip-parity.yml

@@ -1,7 +1,7 @@
 name: rust-sip-parity
 
 # Portable SIP digest parity: Windows fixture/script smoke plus Linux gates for CMS §5.4 RS256
-# prehash ↔ PKCS#1 signature (Azure KV `keys/sign` contract toward psign-tool-portable signing).
+# prehash ↔ PKCS#1 signature (Azure KV `keys/sign` contract toward psign-tool portable signing).
 on:
   push:
     branches: [master, main]
@@ -27,7 +27,7 @@ jobs:
       - name: CAB RS256 prehash + extract (signed fixture + unsigned errors)
         run: cargo test -p psign-digest-cli --locked cab_rs256_
 
-      - name: CAB RS256 prehash helper (library: signed fixture + unsigned rejection)
+      - name: "CAB RS256 prehash helper (library: signed fixture + unsigned rejection)"
         run: cargo test -p psign-sip-digest --lib cab_rsa_sha256_signer_prehash --locked
 
       - name: MSI PKCS#7 extract + RS256 prehash CLI (OLE stub vs PE parity)
@@ -58,12 +58,22 @@ jobs:
         run: cargo test -p psign-authenticode-trust --lib detached_trust_ --locked
 
       - name: RFC3161 TimeStampReq/Resp + timestamp policy (library + CLI)
-        run: cargo test -p psign-sip-digest --lib timestamp:: --locked && cargo test -p psign-authenticode-trust --lib tiny32_upstream --locked && cargo test -p psign-authenticode-trust --lib tiny64_upstream_pe_pkcs7_pkcs9_signing_time_extracts --locked && cargo test -p psign-authenticode-trust --lib tiny64_upstream_bare_signed --locked && cargo test -p psign-authenticode-trust --lib nested_tstinfo --locked && cargo test -p psign-authenticode-trust --lib time_rejects --locked && cargo test -p psign-authenticode-trust --lib resolve_verification_ --locked && cargo test -p psign-digest-cli --locked trust_verify_pe_ok_require_valid_timestamp_pkcs9_signing_time_on_tiny32 && cargo test -p psign-digest-cli --locked trust_verify_pe_ok_require_valid_timestamp_pkcs9_signing_time_on_tiny64 && cargo test -p psign-digest-cli --locked portable_rfc3161_timestamp
-
-      - name: Build psign-tool-portable (timestamp-http feature, compile-only)
+        run: |
+          cargo test -p psign-sip-digest --lib timestamp:: --locked
+          cargo test -p psign-authenticode-trust --lib tiny32_upstream --locked
+          cargo test -p psign-authenticode-trust --lib tiny64_upstream_pe_pkcs7_pkcs9_signing_time_extracts --locked
+          cargo test -p psign-authenticode-trust --lib tiny64_upstream_bare_signed --locked
+          cargo test -p psign-authenticode-trust --lib nested_tstinfo --locked
+          cargo test -p psign-authenticode-trust --lib time_rejects --locked
+          cargo test -p psign-authenticode-trust --lib resolve_verification_ --locked
+          cargo test -p psign-digest-cli --locked trust_verify_pe_ok_require_valid_timestamp_pkcs9_signing_time_on_tiny32
+          cargo test -p psign-digest-cli --locked trust_verify_pe_ok_require_valid_timestamp_pkcs9_signing_time_on_tiny64
+          cargo test -p psign-digest-cli --locked portable_rfc3161_timestamp
+
+      - name: Build psign-tool portable (timestamp-http feature, compile-only)
         run: cargo build -p psign-digest-cli --features timestamp-http --locked
 
-      - name: Artifact Signing REST (library + mock :sign LRO)
+      - name: "Artifact Signing REST (library + mock :sign LRO)"
         run: cargo test -p psign-codesigning-rest --locked
 
       - name: Azure Key Vault REST helpers (library unit tests)

AGENTS.md

@@ -6,20 +6,20 @@ This repository is a **Rust port** of the Windows SDK **`signtool.exe`** (Authen
 
 | Area | Path | Notes |
 |------|------|--------|
-| Root package (Windows CLI + lib) | `Cargo.toml` (package **`psign`**) | **`windows`** crate feature deps under **`cfg(windows)`**; non-Windows builds use a stub **`main`**. |
+| Root package (unified CLI + lib) | `Cargo.toml` (package **`psign`**) | **`psign-tool`** dispatches to Win32 code on Windows or portable Rust paths via `--mode`; **`windows`** crate feature deps stay under **`cfg(windows)`**. |
 | Portable digest library | `crates/psign-sip-digest` | No **`windows`** dependency; Linux-safe unit tests. |
-| Portable Authenticode trust | `crates/psign-authenticode-trust` | Anchors + picky chain; **`psign-tool-portable`** **`trust-verify-pe`**, **`trust-verify-cab`**, **`trust-verify-catalog`**, **`trust-verify-detached`** — no OS trust store. |
-| Portable CLI | `crates/psign-digest-cli` | Binary **`psign-tool-portable`**. |
+| Portable Authenticode trust | `crates/psign-authenticode-trust` | Anchors + picky chain; **`psign-tool portable`** **`trust-verify-pe`**, **`trust-verify-cab`**, **`trust-verify-catalog`**, **`trust-verify-detached`** — no OS trust store. |
+| Portable CLI runner | `crates/psign-digest-cli` | Callable by **`psign-tool portable ...`**; compatibility binary **`psign-tool-portable`** remains during transition. |
 | Win32 implementation | `src/win/` | Verify, sign, timestamp, catalog, detached PKCS#7, etc. |
-| argv / response files | `src/native_argv.rs`, `src/response_argv.rs` | Shared with stub builds for **`cargo check`** on Unix. |
+| argv / response files | `src/native_argv.rs`, `src/response_argv.rs` | Shared by unified CLI and portable-mode builds. |
 
 **Important:** **`default-members`** are the three crates under **`crates/`** (digest, digest CLI, authenticode-trust). A bare **`cargo build`** or **`cargo test`** at the repo root does **not** build the **`psign`** binary unless you use **`--workspace`** or **`-p psign`**.
 
 ## Cargo aliases (`.cargo/config.toml`)
 
-- **`cargo windows-bin`** — build **`psign-tool-windows`** exe (**`-p psign --bin psign-tool-windows`**).
+- **`cargo windows-bin`** — build **`psign-tool`** exe (**`-p psign --bin psign-tool`**).
 - **`cargo digest-check`** / **`cargo digest-test`** — portable digest + trust crates (see **`.cargo/config.toml`**).
-- **`cargo unix-lib-check`** — **`psign`** library on non-Windows (stub-friendly).
+- **`cargo unix-lib-check`** — **`psign`** library on non-Windows (portable-mode friendly).
 - **`cargo depgraph`** — **`psign-depgraph`** binary (**needs `-p`** because of **`default-members`**).
 
 ## Commands agents should run
@@ -44,8 +44,8 @@ On Linux/macOS, match **`ci-unix`**: fmt check, metadata **`--locked`**, clippy
 | **`docs/rust-sip-architecture.md`** | Rust SIP digest add-ons vs OS SIP. |
 | **`docs/rust-sip-gaps.md`** | Known limitations (MSIX sign gap, `/ph`, PKCS#7 encode, VBA, encrypted MSIX, …). |
 | **`docs/rust-sip-spec-refs.md`** | Spec links + PE page-hash / **`SignerSignEx3`** notes. |
-| **`docs/ci-parity.md`** | CI steps, **`SIGNTOOL_RS_*`** env vars, parity gates. |
-| **`docs/roadmap-authenticode-linux.md`** | Unix/portable subset and **`psign-tool-portable`**. |
+| **`docs/ci-parity.md`** | CI steps, **`PSIGN_*`** env vars, parity gates. |
+| **`docs/roadmap-authenticode-linux.md`** | Unix/portable subset and **`psign-tool portable`**. |
 | **`docs/authenticode-trust-stack.md`** | Portable trust crate split (picky vs digest vs CMS). |
 | **`docs/authroot-linux-verify.md`** | Anchor dir + AuthRoot CAB usage on Linux. |
 | **`docs/plan-linux-authenticode-trust-verify.md`** | Technical plan (CTL, test matrix, risks). |

Cargo.toml

@@ -26,13 +26,18 @@ description = "Rust port of the Windows SDK signtool.exe (Authenticode sign/veri
 [features]
 default = []
 ## Azure Key Vault signing (`AuthenticatorDigestSign` callback + REST); enables Azure-shaped CLI flags on `sign`.
-azure-kv-sign = ["dep:psign-azure-kv-rest", "dep:reqwest"]
+azure-kv-sign = [
+    "dep:psign-azure-kv-rest",
+    "dep:reqwest",
+    "psign-digest-cli/azure-kv-sign-portable",
+]
 ## Azure Artifact Signing / Trusted Signing **data-plane** hash signing (REST LRO); experimental helper command `artifact-signing-submit`.
-artifact-signing-rest = ["dep:psign-codesigning-rest"]
+artifact-signing-rest = ["dep:psign-codesigning-rest", "psign-digest-cli/artifact-signing-rest"]
 
 [dependencies]
 psign-sip-digest = { path = "crates/psign-sip-digest" }
 psign-authenticode-trust = { path = "crates/psign-authenticode-trust" }
+psign-digest-cli = { path = "crates/psign-digest-cli" }
 anyhow = "1"
 clap = { version = "4", features = ["derive"] }
 serde = { version = "1", features = ["derive"] }
@@ -67,9 +72,13 @@ predicates = "3"
 psign-authenticode-trust = { path = "crates/psign-authenticode-trust" }
 
 [[bin]]
-name = "psign-tool-windows"
+name = "psign-tool"
 path = "src/main.rs"
 
+[[bin]]
+name = "psign-tool-windows"
+path = "src/bin/psign_tool_windows.rs"
+
 [[bin]]
 name = "psign-azure-sign-tool-compat"
 path = "src/bin/azure_sign_tool_compat.rs"