[Python-checkins] Enable signing of nuget.org packages and update to supported timestamp server (GH-23132)

miss-islington webhook-mailer at python.org
Tue Nov 3 18:07:44 EST 2020


https://github.com/python/cpython/commit/db4932e311c83c1c93985b117d082988e1128f34
commit: db4932e311c83c1c93985b117d082988e1128f34
branch: 3.8
author: Miss Skeleton (bot) <31488909+miss-islington at users.noreply.github.com>
committer: miss-islington <31488909+miss-islington at users.noreply.github.com>
date: 2020年11月03日T15:07:37-08:00
summary:
Enable signing of nuget.org packages and update to supported timestamp server (GH-23132)
(cherry picked from commit db6434c474f7389a98b8118ca87fca988416bf33)
Co-authored-by: Steve Dower <steve.dower at python.org>
files:
M .azure-pipelines/windows-release/stage-pack-msix.yml
M .azure-pipelines/windows-release/stage-pack-nuget.yml
M .azure-pipelines/windows-release/stage-sign.yml
M PCbuild/pyproject.props
M Tools/msi/sdktools.psm1
diff --git a/.azure-pipelines/windows-release/stage-pack-msix.yml b/.azure-pipelines/windows-release/stage-pack-msix.yml
index 26a5712e845ca..f967cfdbe326f 100644
--- a/.azure-pipelines/windows-release/stage-pack-msix.yml
+++ b/.azure-pipelines/windows-release/stage-pack-msix.yml
@@ -120,10 +120,11 @@ jobs:
 artifactName: unsigned_msix
 downloadPath: $(Build.BinariesDirectory)
 
+ # MSIX must be signed and timestamped simultaneously
 - powershell: |
 $failed = $true
 foreach ($retry in 1..3) {
- signtool sign /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "$(SigningDescription)" (gi *.msix)
+ signtool sign /a /n "$(SigningCertificate)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "$(SigningDescription)" (gi *.msix)
 if ($?) {
 $failed = $false
 break
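Review bot: The timestamp server URL is written out literally in the `signtool sign` line here and again in every other signing command this commit touches (stage-pack-nuget.yml, stage-sign.yml, both `_SignCommand` entries in PCbuild/pyproject.props, and all three branches of `Sign-File` in Tools/msi/sdktools.psm1). This commit exists because the previous server had to be replaced everywhere by hand, so the next change of timestamp authority will need the same multi-file edit, with the risk of one call site being left on a dead endpoint. For the pipeline files, a single variable would keep them in step, for example `/tr $(TimestampServer) /td sha256` (the variable name is only a suggestion). The retry loop continues past the end of this hunk, so its failure handling is not reviewed here.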
diff --git a/.azure-pipelines/windows-release/stage-pack-nuget.yml b/.azure-pipelines/windows-release/stage-pack-nuget.yml
index b100364820d95..8dfea382c3562 100644
--- a/.azure-pipelines/windows-release/stage-pack-nuget.yml
+++ b/.azure-pipelines/windows-release/stage-pack-nuget.yml
@@ -4,7 +4,7 @@ jobs:
 condition: and(succeeded(), eq(variables['DoNuget'], 'true'))
 
 pool:
- vmImage: windows-2019
+ name: 'Windows Release'
 
 workspace:
 clean: all
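Review bot: The switch to `name: 'Windows Release'` has no comment explaining why the pack job left the hosted `windows-2019` image. Presumably the signing certificate is only installed on that pool, but nothing in the hunk says so. A comment above `pool:` such as `# Runs on the release pool because the signing certificate is installed there` (wording to be confirmed by the author) would stop a later cleanup from moving the job back and silently losing signing. The job now runs on that pool even when `SigningCertificate` is unset and the sign step in the next hunk is skipped, so it is worth confirming that this is intended.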
@@ -36,6 +36,14 @@ jobs:
 nuget pack "$(Build.BinariesDirectory)\layout\python.nuspec" -OutputDirectory $(Build.ArtifactStagingDirectory) -NoPackageAnalysis -NonInteractive
 displayName: 'Create nuget package'
 
+ - powershell: |
+ gci *.nupkg | %{
+ nuget sign "$_" -CertificateSubjectName "$(SigningCertificate)" -Timestamper http://timestamp.digicert.com/ -Overwrite
+ }
+ displayName: 'Sign nuget package'
+ workingDirectory: $(Build.ArtifactStagingDirectory)
+ condition: and(succeeded(), variables['SigningCertificate'])
+
 - task: PublishBuildArtifacts at 1
 displayName: 'Publish Artifact: nuget'
 inputs:
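Review bot: The new 'Sign nuget package' step has no retry and no per-file failure check, unlike the `signtool` steps in stage-pack-msix.yml and stage-sign.yml, which retry 3 and 10 times. Inside `gci *.nupkg | %{ ... }` only the last `nuget sign` exit code can reach the task, so with more than one package an earlier failure would be masked and an unsigned package would go on to the publish task. A single transient timestamp-server error also fails the whole release job. The step could loop per package with the same retry pattern and throw when all attempts fail, as sketched below. A `nuget verify -Signatures` on each package before publishing would additionally confirm that the signature and timestamp are actually present.

```yaml
- powershell: |
    foreach ($pkg in (gci *.nupkg)) {
      $failed = $true
      foreach ($retry in 1..3) {
        nuget sign "$pkg" -CertificateSubjectName "$(SigningCertificate)" -Timestamper http://timestamp.digicert.com/ -Overwrite
        if ($?) {
          $failed = $false
          break
        }
      }
      if ($failed) {
        throw "Failed to sign $pkg"
      }
    }
  # … unchanged: displayName, workingDirectory, condition …
```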
diff --git a/.azure-pipelines/windows-release/stage-sign.yml b/.azure-pipelines/windows-release/stage-sign.yml
index 584772af8b428..c21e1c9f2b0f9 100644
--- a/.azure-pipelines/windows-release/stage-sign.yml
+++ b/.azure-pipelines/windows-release/stage-sign.yml
@@ -57,7 +57,7 @@ jobs:
 $files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }})
 $failed = $true
 foreach ($retry in 1..10) {
- signtool timestamp /t http://timestamp.verisign.com/scripts/timestamp.dll $files
+ signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 $files
 if ($?) {
 $failed = $false
 break
diff --git a/PCbuild/pyproject.props b/PCbuild/pyproject.props
index 360b4eda230dd..5bac7c340d6db 100644
--- a/PCbuild/pyproject.props
+++ b/PCbuild/pyproject.props
@@ -192,8 +192,8 @@ public override bool Execute() {
 <SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots at KitsRoot81)\bin\x86</SdkBinPath>
 <SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots at KitsRoot)\bin\x86</SdkBinPath>
 <SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A at InstallationFolder)\Bin\</SdkBinPath>
- <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)"</_SignCommand>
- <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)"</_SignCommand>
+ <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /n "$(SigningCertificate)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "Python $(PythonVersion)"</_SignCommand>
+ <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "Python $(PythonVersion)"</_SignCommand>
 <_MakeCatCommand Condition="Exists($(SdkBinPath))">"$(SdkBinPath)\makecat.exe"</_MakeCatCommand>
 </PropertyGroup>
 
diff --git a/Tools/msi/sdktools.psm1 b/Tools/msi/sdktools.psm1
index 8081b104d85a7..c5973f9abc6ab 100644
--- a/Tools/msi/sdktools.psm1
+++ b/Tools/msi/sdktools.psm1
@@ -37,11 +37,11 @@ function Sign-File {
 
 foreach ($a in $files) {
 if ($certsha1) {
- SignTool sign /sha1 $certsha1 /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
+ SignTool sign /sha1 $certsha1 /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a
 } elseif ($certname) {
- SignTool sign /a /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
+ SignTool sign /a /n $certname /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a
 } elseif ($certfile) {
- SignTool sign /f $certfile /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
+ SignTool sign /f $certfile /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a
 }
 }
 }
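Review bot: None of the three `SignTool sign` branches in the visible part of `Sign-File` checks the result, so a failed signing or timestamp request for one file lets the `foreach` continue and the function return normally with that file unsigned. Now that every call depends on a network round trip to the RFC 3161 server, a check after the `if`/`elseif` chain would make that visible, for example `if ($LASTEXITCODE) { throw "SignTool failed for $a" }`. Separately, a short comment noting that `/td sha256` must stay after `/tr` would help, since signtool's documentation warns that the reverse order yields a SHA-1 timestamp. The start of `Sign-File` is outside this hunk, so any error handling set up there is not visible.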

