Re: [Distutils] How to sign a exe created with bdist_wininst?
On 18 April 2015 at 18:27, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote:
> Wouldn't it be safer for the stub to work correctly in the presence of a signature? Presumably it could use a different algorithm to locate the archive directory, rather than just expecting it to be at the end of the file.

It's the definition of the zip format which mandates that you seek from the end of file to get the directory. Sure, bdist_wininst could write its own code based on its current zip extraction code, but the fact that wininst files are zip files is used elsewhere (wheel convert uses it, and I have used it to investigate wininst files by opening them in 7-zip).

Paul

___
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
Re: [Distutils] How to sign a exe created with bdist_wininst?
It may be possible to add an empty key container to the stub with signtool so that it can be filled in after adding the zip without having to extend the length. I believe the PE header is modified to locate the certificate, so it doesn't necessarily have to be at the end.

Feel free to investigate this yourself with the wininst stub in Lib\distutils\command. I'll take a look, but may not be able to get to it for a while (file an issue and nosy me if you don't get anywhere, or even if you do and we can support this in newer versions).

Cheers,
Steve

Top-posted from my Windows Phone

From: Paul Moore <p.f.mo...@gmail.com>
Sent: 4/18/2015 2:58
To: Brian Cole <co...@eyesopen.com>
Cc: distutils-sig@python.org
Subject: Re: [Distutils] How to sign a exe created with bdist_wininst?

On 17 April 2015 at 16:17, Brian Cole <co...@eyesopen.com> wrote:
> We've recently converted over to using bdist_wininst for creating our Windows .exe installers for our libraries. Unfortunately, whenever we use the Windows signtool utility to cryptographically sign our installer it appears to corrupt the .exe and it can't be run anymore. The error message thrown by Windows is "Setup program invalid or damaged."
>
> My best guess at this point is that bdist_wininst is creating a checksum of the file somehow and signtool is altering the file in such a way to invalidate that checksum. The commands we're using at this point are like this:
>
>     python3.4.exe setup.py bdist_wininst --target-version 3.4 --bitmap OurLogo --title OurTitle-OurVersion
>     cp DistUtilsSetupFileName.exe OurSetupFileName.exe
>     call "C:\program Files (x86)\Microsoft Visual Studio 9.0\Common7\Tools\vsvars32.bat"
>     signtool sign /n OurCompany /t http://timestamp.verisign.com/scripts/timstamp.dll /d OurProject /du OurWebsite OurSetupFileName.exe
>
> Anyone know of a way to cryptographically sign an .exe installer from bdist_wininst?

The wininst format is a stub Windows executable, with some ini-format data and a zipfile appended (in that order). I don't know where signtool adds the signature, but if it's at the end, then that won't work (as it's necessary for the zip data to be the *last* thing in the file - zipfile format supports prepending data but not appending it as the central directory is defined as being at a fixed offset from the end of the file). There may also be a length or checksum in the ini data, I'd have to check the source to confirm that.

pause

Just checked, no it doesn't - the full details are here: https://hg.python.org/cpython/file/bc1a178b3bc8/PC/bdist_wininst/install.c

So basically, I don't think it's possible to sign (or otherwise modify) wininst executables.

Paul
Re: [Distutils] How to sign a exe created with bdist_wininst?
According to this resource:

http://recon.cx/2012/schedule/attachments/54_Signed_executables.pps

it is doable, but tricky, and IIUC may not work on Windows XP SP2/SP3.

Wouldn't it be safer for the stub to work correctly in the presence of a signature? Presumably it could use a different algorithm to locate the archive directory, rather than just expecting it to be at the end of the file. Or if it is less work, just make a temporary copy of the wininst .exe excluding the appended signature, and use that for the unarchiving operation.

(Just my 2 cents, or should I say tuppence ...)

Regards,

Vinay Sajip

From: Steve Dower <steve.do...@microsoft.com>
To: Paul Moore <p.f.mo...@gmail.com>; Brian Cole <co...@eyesopen.com>
Cc: distutils-sig@python.org
Sent: Saturday, 18 April 2015, 15:46
Subject: Re: [Distutils] How to sign a exe created with bdist_wininst?

It may be possible to add an empty key container to the stub with signtool so that it can be filled in after adding the zip without having to extend the length. I believe the PE header is modified to locate the certificate, so it doesn't necessarily have to be at the end.

Feel free to investigate this yourself with the wininst stub in Lib\distutils\command. I'll take a look, but may not be able to get to it for a while (file an issue and nosy me if you don't get anywhere, or even if you do and we can support this in newer versions).

Cheers,
Steve

Top-posted from my Windows Phone

From: Paul Moore
Sent: 4/18/2015 2:58
To: Brian Cole
Cc: distutils-sig@python.org
Subject: Re: [Distutils] How to sign a exe created with bdist_wininst?

On 17 April 2015 at 16:17, Brian Cole <co...@eyesopen.com> wrote:
> We've recently converted over to using bdist_wininst for creating our Windows .exe installers for our libraries. Unfortunately, whenever we use the Windows signtool utility to cryptographically sign our installer it appears to corrupt the .exe and it can't be run anymore. The error message thrown by Windows is "Setup program invalid or damaged."
>
> My best guess at this point is that bdist_wininst is creating a checksum of the file somehow and signtool is altering the file in such a way to invalidate that checksum. The commands we're using at this point are like this:
>
>     python3.4.exe setup.py bdist_wininst --target-version 3.4 --bitmap OurLogo --title OurTitle-OurVersion
>     cp DistUtilsSetupFileName.exe OurSetupFileName.exe
>     call "C:\program Files (x86)\Microsoft Visual Studio 9.0\Common7\Tools\vsvars32.bat"
>     signtool sign /n OurCompany /t http://timestamp.verisign.com/scripts/timstamp.dll /d OurProject /du OurWebsite OurSetupFileName.exe
>
> Anyone know of a way to cryptographically sign an .exe installer from bdist_wininst?

The wininst format is a stub Windows executable, with some ini-format data and a zipfile appended (in that order). I don't know where signtool adds the signature, but if it's at the end, then that won't work (as it's necessary for the zip data to be the *last* thing in the file - zipfile format supports prepending data but not appending it as the central directory is defined as being at a fixed offset from the end of the file). There may also be a length or checksum in the ini data, I'd have to check the source to confirm that.

pause

Just checked, no it doesn't - the full details are here: https://hg.python.org/cpython/file/bc1a178b3bc8/PC/bdist_wininst/install.c

So basically, I don't think it's possible to sign (or otherwise modify) wininst executables.

Paul
Re: [Distutils] How to sign a exe created with bdist_wininst?
On 17 April 2015 at 16:17, Brian Cole <co...@eyesopen.com> wrote:
> We've recently converted over to using bdist_wininst for creating our Windows .exe installers for our libraries. Unfortunately, whenever we use the Windows signtool utility to cryptographically sign our installer it appears to corrupt the .exe and it can't be run anymore. The error message thrown by Windows is "Setup program invalid or damaged."
>
> My best guess at this point is that bdist_wininst is creating a checksum of the file somehow and signtool is altering the file in such a way to invalidate that checksum. The commands we're using at this point are like this:
>
>     python3.4.exe setup.py bdist_wininst --target-version 3.4 --bitmap OurLogo --title OurTitle-OurVersion
>     cp DistUtilsSetupFileName.exe OurSetupFileName.exe
>     call "C:\program Files (x86)\Microsoft Visual Studio 9.0\Common7\Tools\vsvars32.bat"
>     signtool sign /n OurCompany /t http://timestamp.verisign.com/scripts/timstamp.dll /d OurProject /du OurWebsite OurSetupFileName.exe
>
> Anyone know of a way to cryptographically sign an .exe installer from bdist_wininst?

The wininst format is a stub Windows executable, with some ini-format data and a zipfile appended (in that order). I don't know where signtool adds the signature, but if it's at the end, then that won't work (as it's necessary for the zip data to be the *last* thing in the file - zipfile format supports prepending data but not appending it as the central directory is defined as being at a fixed offset from the end of the file). There may also be a length or checksum in the ini data, I'd have to check the source to confirm that.

pause

Just checked, no it doesn't - the full details are here: https://hg.python.org/cpython/file/bc1a178b3bc8/PC/bdist_wininst/install.c

So basically, I don't think it's possible to sign (or otherwise modify) wininst executables.

Paul
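
The layout described in this thread (stub, ini data, then zip), as an added example that is not code from the thread or from install.c: a strict end-of-file lookup for the zip end-of-central-directory (EOCD) record beside a backward scan that tolerates trailing bytes, the alternative raised in Vinay's reply. All function names and sample bytes are constructed for illustration; the appended blob is a stand-in, not a real signature.

```python
import io
import struct
import zipfile

EOCD_SIG, CDIR_SIG = b"PK\x05\x06", b"PK\x01\x02"
EOCD = struct.Struct("<4s4H2LH")     # 22-byte end-of-central-directory record
CDIR = struct.Struct("<4s6H3L5H2L")  # 46-byte central directory file header

def build_installer():
    """Constructed sample: placeholder stub + ini text + zip, in that order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PURELIB/demo.py", "print('hi')\n")
        zf.writestr("SCRIPTS/demo-tool.py", "import demo\n")
    return b"MZ" + bytes(62) + b"[Setup]\nname=demo\n" + buf.getvalue()

def eocd_at_end(data):
    """Strict lookup: the record must be the last 22 bytes of the file."""
    return len(data) >= EOCD.size and data[-EOCD.size:].startswith(EOCD_SIG)

def find_eocd(data):
    """Tolerant lookup: scan backwards and accept only a record whose central
    directory sits directly in front of it. Returns its offset, or -1."""
    pos = data.rfind(EOCD_SIG)
    while pos >= 0:
        if pos + EOCD.size <= len(data):
            start = pos - EOCD.unpack_from(data, pos)[5]  # minus directory size
            if start >= 0 and data[start:start + 4] == CDIR_SIG:
                return pos
        pos = data.rfind(EOCD_SIG, 0, pos)
    return -1

def member_names(data):
    """List archive members using the tolerant lookup."""
    pos = find_eocd(data)
    if pos < 0:
        return []
    total, cd_size = EOCD.unpack_from(data, pos)[4:6]
    off, names = pos - cd_size, []
    for _ in range(total):
        name_len, extra_len, comment_len = CDIR.unpack_from(data, off)[10:13]
        names.append(data[off + CDIR.size:off + CDIR.size + name_len].decode())
        off += CDIR.size + name_len + extra_len + comment_len
    return names

unsigned = build_installer()
# Constructed stand-in for bytes appended after the archive (not a real
# signature); it contains a stray EOCD marker to exercise the validation.
signed = unsigned + b"\x30\x82" + EOCD_SIG + bytes(200)
print(eocd_at_end(unsigned), eocd_at_end(signed))
print(member_names(signed))
```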
[Distutils] How to sign a exe created with bdist_wininst?
We've recently converted over to using bdist_wininst for creating our Windows .exe installers for our libraries. Unfortunately, whenever we use the Windows signtool utility to cryptographically sign our installer it appears to corrupt the .exe and it can't be run anymore. The error message thrown by Windows is "Setup program invalid or damaged."

My best guess at this point is that bdist_wininst is creating a checksum of the file somehow and signtool is altering the file in such a way to invalidate that checksum. The commands we're using at this point are like this:

    python3.4.exe setup.py bdist_wininst --target-version 3.4 --bitmap OurLogo --title OurTitle-OurVersion
    cp DistUtilsSetupFileName.exe OurSetupFileName.exe
    call "C:\program Files (x86)\Microsoft Visual Studio 9.0\Common7\Tools\vsvars32.bat"
    signtool sign /n OurCompany /t http://timestamp.verisign.com/scripts/timstamp.dll /d OurProject /du OurWebsite OurSetupFileName.exe

Anyone know of a way to cryptographically sign an .exe installer from bdist_wininst?

Thanks,
Brian