PyUpdater icon indicating copy to clipboard operation
PyUpdater copied to clipboard

Published 20 hours ago verified publisher icon Digital-Sapphire

How does pyupdater support Windows digital certificate signing when building EXE files?

Open kedl opened this issue 2 years ago • 4 comments

There is a system warning that content is "Unverified publisher: Do you want to allow this app from an unknow publisher to make changes to your device?" shown When user executes the exe file on Windows7 and Windows10. How does pyupdater support for sign Windows digital certificate on exe files?

kedl avatar Jul 12 '22 14:07 kedl

Anything certificate-related would be the responsibility of PyInstaller. It's what builds the .exe.

mheguy avatar Aug 18 '22 00:08 mheguy

Yes, pyinstaller builds the .exe, and then somebody (pyinstaller? pyupdater?) has to sign it before it goes into the .zip file. I haven't found any information about either entity having a step which runs signtool.

RussNelson avatar Aug 22 '22 17:08 RussNelson

From https://www.pyupdater.org/usage-cli/ - I think you would want to do your signing of the binary between steps 7 and 8.

mheguy avatar Aug 23 '22 20:08 mheguy

I've found a not-exactly-workaround workaround: sign it in the pyinstaller .spec file. It's Python after all. Since writing this comment, I've found that I can insert these two lines after EXE finishes: `import subprocess subprocess.run("signtool sign -f cert.pfx -p PASSWORD -fd sha256 myapp.exe".split("/"))

This causes pyupdater to run a pyinstaller which is configured to sign the executable, all hunky-dory!

RussNelson avatar Aug 23 '22 20:08 RussNelson