pyoxidizer: support code signing
Newer versions of PyOxidizer feature built-in support for
code signing. You simply declare a code signer in the Starlark
configuration file, activate it for automatic signing, and
PyOxidizer will add code signatures to signable files as it
encounters them.
This commit teaches our Starlark configuration file to enable
automatic code signing, but only on Windows for the moment, as our
immediate goal is to overhaul the Windows packaging.
The feature is opt-in: you must pass variables to PyOxidizer's
build context via `pyoxidizer build --var` or
`pyoxidizer build --var-env` to activate code signing.
Differential Revision: https://phab.mercurial-scm.org/D10684
--- a/rust/hgcli/pyoxidizer.bzl Thu May 06 16:03:43 2021 -0700
+++ b/rust/hgcli/pyoxidizer.bzl Thu May 06 16:04:24 2021 -0700
@@ -8,12 +8,29 @@
#
# EXTRA_MSI_FEATURES
# ; delimited string of extra features to advertise in the built MSA.
+#
+# SIGNING_PFX_PATH
+# Path to code signing certificate to use.
+#
+# SIGNING_PFX_PASSWORD
+# Password to code signing PFX file defined by SIGNING_PFX_PATH.
+#
+# SIGNING_SUBJECT_NAME
+# String fragment in code signing certificate subject name used to find
+# code signing certificate in Windows certificate store.
+#
+# TIME_STAMP_SERVER_URL
+# URL of time-stamp token authority (RFC 3161) servers to stamp code signatures.
ROOT = CWD + "/../.."
VERSION = VARS.get("VERSION", "5.8")
MSI_NAME = VARS.get("MSI_NAME", "mercurial")
EXTRA_MSI_FEATURES = VARS.get("EXTRA_MSI_FEATURES")
+SIGNING_PFX_PATH = VARS.get("SIGNING_PFX_PATH")
+SIGNING_PFX_PASSWORD = VARS.get("SIGNING_PFX_PASSWORD", "")
+SIGNING_SUBJECT_NAME = VARS.get("SIGNING_SUBJECT_NAME")
+TIME_STAMP_SERVER_URL = VARS.get("TIME_STAMP_SERVER_URL", "http://timestamp.digicert.com")
IS_WINDOWS = "windows" in BUILD_TARGET_TRIPLE
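Review bot: The SIGNING_PFX_PASSWORD comment in the header block does not say how the secret should be supplied, even though the commit message offers both `--var` and `--var-env`; a password given with `--var` lands on the command line, where it is visible in process listings and shell history, whereas `--var-env` reads it from the environment. Suggest adding under the existing description: `# Prefer passing this with "pyoxidizer build --var-env" rather than "--var" so the password does not appear on the command line.` The TIME_STAMP_SERVER_URL comment also says "servers" although a single URL is read and passed to set_time_stamp_server(); `# URL of the time-stamp token authority (RFC 3161) server used to stamp code signatures.` matches the code. Since the default is a plain-HTTP URL, it may also be worth noting in the comment that the RFC 3161 token itself is signed by the TSA, so the default is acceptable but an operator can override it with an HTTPS endpoint.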
@@ -230,6 +247,24 @@
return wix
+def register_code_signers():
+ if not IS_WINDOWS:
+ return
+
+ if SIGNING_PFX_PATH:
+ signer = code_signer_from_pfx_file(SIGNING_PFX_PATH, SIGNING_PFX_PASSWORD)
+ elif SIGNING_SUBJECT_NAME:
+ signer = code_signer_from_windows_store_subject(SIGNING_SUBJECT_NAME)
+ else:
+ signer = None
+
+ if signer:
+ signer.set_time_stamp_server(TIME_STAMP_SERVER_URL)
+ signer.activate()
+
+
+register_code_signers()
+
register_target("distribution", make_distribution)
register_target("exe", make_exe, depends = ["distribution"])
register_target("app", make_manifest, depends = ["distribution", "exe"], default = True)
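Review bot: register_code_signers() has no docstring, and two of its behaviours are not obvious from the call site: signing variables supplied on a non-Windows target are silently ignored by the early return, and when both SIGNING_PFX_PATH and SIGNING_SUBJECT_NAME are set the PFX path wins without any diagnostic. Suggest a docstring directly under the `def` line: `"""Activate automatic code signing on Windows when signing variables are set. SIGNING_PFX_PATH takes precedence over SIGNING_SUBJECT_NAME; on other targets, or with neither variable set, no signer is registered."""` If the Starlark dialect in use exposes print(), emitting a one-line message when signing variables are present but IS_WINDOWS is false would make the opt-in easier to debug than an unexpectedly unsigned artifact; I have not confirmed that print() is available here. The function is new in this hunk, so its whole body is visible.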