MSI: Add support for signing of installers #1224

Open
lrandersson wants to merge 1 commit into conda:briefcase-integration from lrandersson:dev-ra-822

@lrandersson
Contributor

Description

Adds code signing support for MSI installers built via Briefcase, reusing the existing EXE signing infrastructure.

  • Add sign() method to WindowsSignTool and AzureSignTool for direct file signing (post-build)
  • Extract signing tool initialization into create_signing_tool() factory to reduce duplication
  • Sign MSI after Briefcase builds it, using the same windows_signing_tool/signing_certificate config as EXE
  • Add signature verification to test_example_signing

Checklist - did you ...

  • Add a file to the news directory (using the template) for the next release's release notes?
  • Add / update necessary tests?
  • Add / update outdated documentation?

@lrandersson lrandersson self-assigned this Apr 24, 2026
@github-project-automation github-project-automation Bot moved this to 🆕 New in 🔎 Review Apr 24, 2026
@conda-bot conda-bot added the cla-signed [bot] added once the contributor has signed the CLA label Apr 24, 2026
Comment thread constructor/signing.py
certificate_file=certificate_file,
)

def _get_signing_params(self):
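
Review bot: the new `_get_signing_params()` at the end of this hunk should carry a docstring listing which environment variables it reads and which of the returned values are secret. The test in this PR passes `CONSTRUCTOR_PFX_CERTIFICATE_PASSWORD` through the environment; if that value is among them, redact it wherever the command run by `sign()` is logged or included in an error message.
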
Contributor Author

@lrandersson lrandersson Apr 24, 2026

About the changes in this file, to simplify review: the new code is based on existing patterns. _get_signing_params() extracts the same environment variables already used in get_signing_command(), and sign() builds the same command structure but as a list for direct execution. The create_signing_tool() function is essentially the same logic that was already in winexe.py, just moved to reduce duplicated code, but reuses existing logic to enable MSI signing.

Comment thread tests/test_examples.py
CONSTRUCTOR_SIGNING_CERTIFICATE=str(cert_path),
CONSTRUCTOR_PFX_CERTIFICATE_PASSWORD=cert_pwd,
):
_verify_windows_signature(installer)
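
Review bot: the `_verify_windows_signature(installer)` call on the last line should fail the test for anything other than a valid signature, including a missing verification tool, rather than skipping or returning silently; otherwise an unsigned installer still passes. It would also help to assert that the signer matches the test certificate at `cert_path`, so a signature from some other certificate is not accepted.
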
Contributor Author

I added this because I thought it was odd that this test was even passing before signing of installers was supported for MSI installers. This example was already running for EXE and MSI installers before this PR, and passed for MSI due to lack of actual verification during the testing.

@lrandersson lrandersson force-pushed the briefcase-integration branch from 6173fcf to c9cb1bd Compare April 24, 2026 16:18
@lrandersson lrandersson marked this pull request as ready for review April 24, 2026 19:13
@lrandersson lrandersson requested a review from a team as a code owner April 24, 2026 19:13