[Distutils] How to sign a exe created with bdist_wininst?

Vinay Sajip vinay_sajip at yahoo.co.uk
Sat Apr 18 19:27:24 CEST 2015


According to this resource:
http://recon.cx/2012/schedule/attachments/54_Signed_executables.pps

it is doable, but tricky, and IIUC may not work on Windows XP SP2/SP3.
Wouldn't it be safer for the stub to work correctly in the presence of a signature? Presumably it could use a different algorithm to locate the archive directory, rather than just expecting it to be at the end of the file. Or if it is less work, just make a temporary copy of the wininst .exe excluding the appended signature, and use that for the unarchiving operation. (Just my 2 cents, or should I say tuppence ...)
Regards,
Vinay Sajip
From: Steve Dower <Steve.Dower at microsoft.com>
To: Paul Moore <p.f.moore at gmail.com>; Brian Cole <coleb at eyesopen.com>
Cc: "distutils-sig at python.org" <distutils-sig at python.org>
Sent: Saturday, 18 April 2015, 15:46
Subject: Re: [Distutils] How to sign a exe created with bdist_wininst?

It may be possible to add an empty key container to the stub with signtool so that it can be filled in after adding the zip without having to extend the length. I believe the PE header is modified to locate the certificate, so it doesn't necessarily have to be at the end.

Feel free to investigate this yourself with the wininst stub in Lib\distutils\command. I'll take a look, but may not be able to get to it for a while (file an issue and nosy me if you don't get anywhere, or even if you do and we can support this in newer versions).

Cheers,
Steve

Top-posted from my Windows Phone

From: Paul Moore
Sent: 4/18/2015 2:58
To: Brian Cole
Cc: distutils-sig at python.org
Subject: Re: [Distutils] How to sign a exe created with bdist_wininst?

On 17 April 2015 at 16:17, Brian Cole <coleb at eyesopen.com> wrote:
> We've recently converted over to using bdist_wininst for creating our
> Windows .exe installers for our libraries. Unfortunately, whenever we use
> the Windows signtool utility to cryptographically sign our installer it
> appears to corrupt the .exe and it can't be run anymore. The error message
> thrown by Windows is "Setup program invalid or damaged".
>
> My best guess at this point is that bdist_wininst is creating a checksum of
> the file somehow and signtool is altering the file in such a way to
> invalidate that checksum. The commands we're using at this point is like
> this:
>
> python3.4.exe setup.py bdist_wininst --target-version 3.4 --bitmap OurLogo
> --title OurTitle-OurVersion
> cp DistUtilsSetupFileName.exe OurSetupFileName.exe
> call "C:\program Files (x86)\Microsoft Visual Studio
> 9.0\Common7\Tools\vsvars32.bat"
> signtool sign /n OurCompany  /t
> http://timestamp.verisign.com/scripts/timstamp.dll /d OurProject /du
> OurWebsite OurSetupFileName.exe
>
> Anyone know of a way to cryptographically sign an .exe installer from
> bdist_wininst?

The wininst format is a stub Windows executable, with some ini-format
data and a zipfile appended (in that order). I don't know where
signtools adds the signature, but if it's at the end, then that won't
work (as it's necessary for the zip data to be the *last* thing in the
file - zipfile format supports prepending data but not appending it as
the central directory is defined as being at a fixed offset from the
end of the file).

There may also be a length or checksum in the ini data, I'd have to
check the source to confirm that. <pause> Just checked, no it doesn't
- the full details are here:
https://hg.python.org/cpython/file/bc1a178b3bc8/PC/bdist_wininst/install.c

So basically, I don't think it's possible to sign (or otherwise
modify) wininst executables.
Paul
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG at python.org
https://mail.python.org/mailman/listinfo/distutils-sig

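Two points from the thread can be checked in code: the certificate table is located through the PE optional header's security data directory rather than by assuming it sits at the end of the file (Steve's point), and a stub could simply drop the bytes that directory covers before looking for the zip (Vinay's second suggestion). This is an added example, not code from the thread or from distutils; the PE bytes it builds are a constructed minimal stand-in for a wininst .exe, and `strict_eocd_offset` models the end-of-file expectation the thread describes, not the actual logic in install.c.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"          # zip end-of-central-directory signature
EOCD_LEN = 22                     # fixed size of that record (no comment)

def security_directory(pe):
    """Return (file_offset, size) of the Authenticode certificate table from
    the PE optional header's data directory entry 4, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                     # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    return (off, size) if size else None

def strict_eocd_offset(data):
    """Locate the zip the way the thread says the stub does: the EOCD record
    must be the very last thing in the file. Returns its offset or None."""
    if len(data) < EOCD_LEN or data[-EOCD_LEN:-EOCD_LEN + 4] != EOCD_SIG:
        return None
    return len(data) - EOCD_LEN

def strip_trailing_signature(pe):
    """Vinay's second suggestion: drop a certificate table that sits at the
    end of the file so the appended zip is the last thing again."""
    sec = security_directory(pe)
    if sec and sec[0] + sec[1] == len(pe):
        return pe[:sec[0]]
    return pe

def build_sample(signed):
    """Constructed stand-in for a wininst .exe: minimal PE32 headers, an ini
    block and a zip, optionally followed by a fake 16-byte certificate table."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PURELIB/pkg/__init__.py", "VERSION = '1.0'\n")
    payload = b"[Setup]\ntitle=Sample\n" + buf.getvalue()
    cert = b"\0" * 16 if signed else b""   # placeholder, not a real WIN_CERTIFICATE
    opt = bytearray(224)                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    if signed:                              # point directory entry 4 at the blob
        struct.pack_into("<II", opt, 96 + 4 * 8, 64 + 24 + 224 + len(payload), len(cert))
    mz = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + bytes(16) + struct.pack("<HH", 224, 0)
    return mz + coff + bytes(opt) + payload + cert
```

With the fake signature appended, the strict end-of-file check fails exactly as Brian observed, while trimming the range named by the security directory restores a readable archive (Python's own `zipfile` tolerates trailing bytes up to a comment's worth, which is why the appended zip opens fine after trimming even with the headers still in front).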


  