uv icon indicating copy to clipboard operation
uv copied to clipboard

Published 20 hours ago verified publisher icon astral-sh

Sign published executables for Windows

Open zanieb opened this issue 10 months ago • 11 comments

It’d be great to sign our Windows releases so we stop getting reported by antivirus software. We haven’t done much investigation yet, but requiring a physical key on release would be disappointing — I think there are alternative workflows.

zanieb avatar Jan 06 '25 23:01 zanieb

You can use Azure Key Vault to store keys to sign - here's a globalsign guide on setting up AKV, and a similar guide for using the key

There's an azure action for signing - https://github.com/Azure/trusted-signing-action

(not affiliated with anyone, just using resources I know about)

shauneccles avatar Jan 07 '25 06:01 shauneccles

Thank you! That is the alternative I was referring to, just didn't have it off the top of my head :)

zanieb avatar Jan 07 '25 17:01 zanieb

Related https://github.com/astral-sh/python-build-standalone/issues/89

zanieb avatar Jan 07 '25 17:01 zanieb

I researched this a bunch a couple years ago, which is an important period because in June 2023 Windows codesigning became significantly more challenging: an agreement between all code signing cert providers went into affect and the minimum security level of (useful for Windows) code signing certs went up.

The result is that code signing certs cost hundreds of dollars a year and can only be issued via HSMs (yubikeys). This necessitates paying a certificate authority for the cert, and then paying a cloud services provider that has a peering agreement with them to host an HSM for you (and as of a year ago this was a tangle of bad interop stories). Alternatively you use your cert provider's cloud service where you upload files to be signed and they send them back to you (so they're hosting their own HSMs).

However last year Microsoft announced they were throwing a first-party hat into the process, which seemed cheaper and easier to use. However at the time they were quoting things like "you need 2 (3?) years of tax filings to apply for one of our certs" which bounced a lot of the folks we were working with. They've since left beta and redone all their copy so I am having trouble finding that requirement anymore, hopefully it's gone.

Useful links:

Gankra avatar Jan 13 '25 15:01 Gankra

Pinged in the mac signing topic as well.

We've been doing signing for our tool executables and installers for years now. Windows EV does not cost that much and can simply be stored in Azure Vault. At the moment mac signing costs more.

Getting the EV cert. takes a while and is a process to get, but manageable.

We would be open to contribute GHA pipeline examples if needed. This is not a thing to be afraid about, but having not-signed executables is becoming a non-starter for any kind of wide-scale enterprise us. Most antivirus tools are ML based and a un-signed executable download scripts and other executables is understandably not a good look.

kariharju avatar Oct 01 '25 15:10 kariharju

Do you have suggestions / preferences between the vendors at https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-reqs#where-to-get-ev-code-signing-certificates ?

zanieb avatar Oct 01 '25 15:10 zanieb

We went with GlobalSign, mostly because we had used that in our previous jobs. No real preference, the prices seem to differ a lot these days (for some weird reasons) And I guess the identity vetting process times can vary. We knew from get go that we needed to sign every single executable. Back 6 years ago this required the usb dongle and a dedicated machine.. which was .. fun 😅

Now in GHA it is just:

- name: Build
  run: |
    dotnet tool install --global AzureSignTool --version 3.0.0
    azuresigntool sign `
      --description-url "https://astral.sh" `
      --file-digest sha256 `
      --azure-key-vault-url $Env:VAULT_URL `
      --azure-key-vault-client-id $Env:CLIENT_ID `
      --azure-key-vault-tenant-id $Env:TENANT_ID `
      --azure-key-vault-client-secret $Env:CLIENT_SECRET `
      --azure-key-vault-certificate $Env:CERTIFICATE_NAME `
      --timestamp-rfc3161 http://timestamp.digicert.com `
      --timestamp-digest sha256 `
      <your executable>

..and setup the secrets.

kariharju avatar Oct 01 '25 15:10 kariharju

@kariharju Could you explain why an EV cert is needed here? My understanding is that Windows code signing (= Authenticode) doesn't require EV or OV, i.e. we could use just a basic code signing certificate here as long as it chains to one of MSFT's trusted roots. But I could be wrong about that 🙂

I'm basing that in part on Azure's "Trusted Signing" service, which appears to offer short-lived signing certs without the EV/OV validation bits.

woodruffw avatar Oct 01 '25 18:10 woodruffw

(@Gankra just informed me that EV is now the industry standard/baseline for codesigning certs, even outside of driver signing. Sorry for the confusion!)

woodruffw avatar Oct 01 '25 19:10 woodruffw

I just want to bump this issue / feature request. Currently I cannot fully use uv in my restrictive corporate environment (see #14401).

ffyring avatar Nov 19 '25 09:11 ffyring

I too cannot fully integrate uv into my team's workflow until it distributes signed Windows executables.

mattculler avatar Nov 24 '25 13:11 mattculler