On 17 April 2015 at 16:17, Brian Cole <[email protected]> wrote:
> We've recently converted over to using bdist_wininst for creating our
> Windows .exe installers for our libraries. Unfortunately, whenever we use
> the Windows signtool utility to cryptographically sign our installer it
> appears to corrupt the .exe and it can't be run anymore. The error message
> thrown by Windows is "Setup program invalid or damaged".
>
> My best guess at this point is that bdist_wininst is creating a checksum of
> the file somehow and signtool is altering the file in such a way to
> invalidate that checksum. The commands we're using at this point are like
> this:
>
> python3.4.exe setup.py bdist_wininst --target-version 3.4 --bitmap OurLogo --title OurTitle-OurVersion
> cp DistUtilsSetupFileName.exe OurSetupFileName.exe
> call "C:\program Files (x86)\Microsoft Visual Studio 9.0\Common7\Tools\vsvars32.bat"
> signtool sign /n OurCompany /t http://timestamp.verisign.com/scripts/timstamp.dll /d OurProject /du OurWebsite OurSetupFileName.exe
>
> Anyone know of a way to cryptographically sign an .exe installer from
> bdist_wininst?

The wininst format is a stub Windows executable, with some ini-format data and a zipfile appended (in that order). I don't know where signtool adds the signature, but if it's at the end, then that won't work (as it's necessary for the zip data to be the *last* thing in the file - zipfile format supports prepending data but not appending it as the central directory is defined as being at a fixed offset from the end of the file).

There may also be a length or checksum in the ini data, I'd have to check the source to confirm that.

<pause>

Just checked, no it doesn't - the full details are here:
https://hg.python.org/cpython/file/bc1a178b3bc8/PC/bdist_wininst/install.c

So basically, I don't think it's possible to sign (or otherwise modify) wininst executables.

Paul
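
The layout described in the reply above, as an added example (not part of the original message and not the code in install.c): a strict reader that expects the zip end-of-central-directory record to be the last 22 bytes of the file, run against a stub + ini + zip blob before and after bytes are appended. The stub, ini content, archive member and 128-byte trailer are constructed, and that signing appends data at the end of the file is the assumption made in the reply.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature (ZIP format)
EOCD_SIZE = 22             # fixed EOCD size when the archive comment is empty


def build_installer(stub: bytes, ini: bytes) -> bytes:
    """Constructed stand-in for the described layout: stub + ini data + zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PURELIB/demo.py", "print('hello')\n")
    return stub + ini + buf.getvalue()


def locate_archive(data: bytes) -> int:
    """Strict reader: the EOCD record must be the final 22 bytes of the file.

    Returns the offset at which the zip data starts, or raises ValueError.
    """
    if len(data) < EOCD_SIZE:
        raise ValueError("file too short")
    eocd = data[-EOCD_SIZE:]
    if eocd[:4] != EOCD_SIG:
        raise ValueError("no end-of-central-directory record at end of file")
    # Bytes 12..19 of the EOCD: central directory size, then its offset.
    cd_size, cd_offset = struct.unpack("<II", eocd[12:20])
    start = len(data) - EOCD_SIZE - cd_size - cd_offset
    if start < 0:
        raise ValueError("central directory fields inconsistent")
    return start


def is_loadable(data: bytes) -> bool:
    try:
        locate_archive(data)
        return True
    except ValueError:
        return False


STUB = b"MZ" + b"\x00" * 62             # constructed placeholder, not a real PE stub
INI = b"[metadata]\nname=demo\n"        # constructed ini-format data
unsigned = build_installer(STUB, INI)
signed_like = unsigned + b"\x00" * 128  # assumption: signing appends bytes at the end

if __name__ == "__main__":
    print("zip starts at offset:", locate_archive(unsigned))
    print("unsigned loadable:", is_loadable(unsigned))
    print("after append loadable:", is_loadable(signed_like))
```

Prepended data (the stub and ini block) only shifts the computed start offset, while any trailing bytes move the record away from the position the strict reader checks.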
