> * Why the binaries should be signed? Makes the installation process on Windows Vista and Server 2008 a little nicer; instead of getting an "unknown-executable-could- be-a-virus-aaaaaahhhh-watchout"-type dialog with a big red flag, you get a less threatening message saying that you're about to run something that's been digitally signed by the Python Software Foundation. (I've come across a few entities (NSA, government bodies, etc), who mandate that all installers/binaries they get must be digitally signed.)
> * What is required to sign the binaries? 1. Obtain a code signing certificate from someone. I used VeriSign. You end up with an .spc and a .pvk file. You need to combine them into a single .pfx file via a tool called pvk2pfx.exe: Usage: pvk2pfx -pvk <pvk-file> [-pi <pvk-pswd>] -spc <spc-file> [-pfx <pfx-file> [-po <pfx-pswd>] [-f]] -pvk <pvk-file> - input PVK file name. -spc <spc-file> - input SPC file name. -pfx <pfx-file> - output PFX file name. -pi <pvk-pswd> - PVK password. -po <pfx-pswd> - PFX password; same as -pi if not given. -f - force overwrite existing PFX file. if -pfx option is not given, an export wizard will pop up. in this case, options -po and -f are ignored. C:\..> pvk2pfx.exe -pvk verisign-privatekey.pvk -pi ****** -spc onresolve-verisign.spc -po ****** -pfx onresolve-verisign.pfx 3. The resulting .pfx file, onresolve-verisign.pfx in this case, can then be installed as a 'Personal' certificate in Windows, using the Certificate Management facility (CertMgr.exe). When you install it, you provide a name that the certificate can be referred to by apps; in my case I just used 'VeriSign'. This name is used below by the signtool.exe app. 4. Sign the executable, MSI or DLL as follows: C:\..> signtool.exe sign /i "VeriSign" /d "Python 2.6.0" /du http://www.python.org /t http://timestamp.verisign.com/scripts/timstamp.dll Python-2.6.msi Successfully signed and timestamped: Python-2.6.msi > * Which binaries should be signed? Personally, once I figured out the steps above, I hooked the signing process into all my Visual Studio projects as a post-build step, such that I sign all .exe and .dll files. Not really necessary, but eh, it does have the advantage of looking more professional (users can view properties on the .dll, for example, and see that it's been digitally signed by the PSF). Additionally, it prevents any tampering; Windows can detect if it's been altered in any way since it's been signed, and will flat out prevent it from being loaded/run if that's the case. Trent. _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com