winsign is a python module for signing and manipulating Authenticode signatures in PE and MSI files.
- Works on Python 3.11 and up.
- Free software: MPL2
Most dependencies are specified in pyproject.toml, however, currently you also need osslsigncode installed to perform signing. This utility can be fetched from your distribution's package repository, or from e.g. https://github.com/mtrojnar/osslsigncode
Signing MSIX/APPX files currently requires Mozilla's fork of msix-packaging.
pip install winsign
usage: winsign [-h] --certs CERTS --key PRIV_KEY [-n COMMENT] [-i URL] -d
{sha1,sha256} [-t {old,rfc3161}] [-v] [-q]
infile [outfile]
positional arguments:
infile unsigned file to sign
outfile where to write output to. defaults to infile
optional arguments:
-h, --help show this help message and exit
--certs CERTS certificates to include in the signature
--key PRIV_KEY private key used to sign
-n COMMENT comment to include in signature
-i URL url to include in signature
-d {sha1,sha256} digest to use for signing. must be one of sha1 or sha256
-t {old,rfc3161}
-v, --verbose
-q, --quiet
- Stop using osslsigncode for PE signatures
- Refactor code so that osslsigncode functionality is in its own module
- Add python support for MSI, then we can drop dependency on osslsigncode
- Highly recommended to create a virtualenv, then run:
- pip install -e .
- make your changes to the source files
- run local tests: tox
- upon successful r+ and merging to master branch, you need to release a new version on PyPi.
- edit pyproject.toml to adjust the version
- generate .whl file locally: python setup.py bdist_wheel
- file will exist in: ./dist/winsign-{version}-py3-none-any.whl
- (assuming you have pypi access to upload)
- upload to pypi: twine upload --verbose dist/winsign-{version}-py3-none-any.whl
- Chris AtLee
- Ben Hearsum <bhearsum@mozilla.com>
- Joel Maher <jmaher@mozilla.com>