How we code sign py2exe executables

Bjoern Stiel
2 min read · Jan 18, 2016


Our entire stack at Pathio is based on Python, including our desktop client. In order to “compile” it and ship it to the user’s desktop, we make heavy use of py2exe.

Py2exe is a great package to convert Python scripts into standalone Windows executable programmes. Python code compiled via py2exe can be run on other Windows computers without having to install Python on those computers.

When deploying your executables, you usually want to ship them code signed. Code signing is the process of digitally signing executables and scripts to confirm the software author and to guarantee, by means of a cryptographic hash, that the code has not been altered or corrupted since it was signed.

Unfortunately, the Windows code signing ecosystem is the wild west, and it can be very time consuming to understand what type of certificate is required, where to get one and whether it would even work once purchased.

Purchase a certificate

We purchased a certificate from K Software, a Comodo certificates reseller. Their prices are far more reasonable than Comodo themselves.

The process of verifying our identity as a publisher required two steps. First, we had to have our company listed in one of these two online directories: http://www.numberway.com and http://world.192.com. As soon as our company was listed, we initiated a telephone callback to verify our phone number, and shortly after we received the certificate.

The certificate installs into the Windows certificate store, from which it needs to be exported as a password-protected .pfx file.

Create the executable

Without going too much into detail, the exe created by py2exe is a simple loader that loads the Python interpreter plus your Python code. The Python code can either be bundled inside the exe or be detached from the exe loader as a separate library.

In order to apply a signing certificate, we need to detach the library from the exe loader. This is done by specifying the zipfile property in the setup() call:

from distutils.core import setup
import py2exe  # registers the py2exe build command with distutils

setup(name="name",
      console=[],
      windows=[app],                   # app: the py2exe target describing the GUI application
      ...
      # py2exe options
      zipfile="app.lib",               # detached zip library
      data_files=[],
      options={"py2exe": py2exe_options},
      )

Code sign the executable

This generates, among other files, app.exe and app.lib. You can now code sign app.exe using signtool from the Windows SDK:

C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool sign /f key.pfx /p <password> app.exe
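Signing only attaches a certificate table to app.exe, so a quick check on the build output is whether that table is actually there before you ship. The following Python, added here as an example and not part of the original post, reads the PE data directory (IMAGE_DIRECTORY_ENTRY_SECURITY) with the standard library only and includes a constructed minimal PE32+ image to exercise it; it reports presence of an Authenticode table, not that the signature verifies (use signtool verify /pa for that).

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData

def authenticode_entry(data):
    """Return the WIN_CERTIFICATE header of a PE image, or None if no signature is attached."""
    try:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("not a PE executable")
        opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                       # PE32: NumberOfRvaAndSizes at +92, directories at +96
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:                     # PE32+: NumberOfRvaAndSizes at +108, directories at +112
            count_off, dirs_off = opt + 108, opt + 112
        else:
            raise ValueError("unknown optional header magic 0x%x" % magic)
        (n_dirs,) = struct.unpack_from("<I", data, count_off)
        if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return None                          # header has no security directory at all
        # for the security directory the first field is a file offset, not an RVA
        off, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error:
        raise ValueError("truncated PE header") from None
    if off == 0 or size == 0:
        return None                              # directory entry present but empty: unsigned
    if size < 8 or off + size > len(data):
        raise ValueError("certificate table lies outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)
    return {"offset": off, "size": size, "length": length, "revision": revision, "cert_type": cert_type}

def build_sample_pe(with_signature):
    """Constructed minimal PE32+ image for demonstration only; it is not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # SizeOfOptionalHeader = 240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes = 16
    body = b"\0" * 0x200                                          # stand-in for sections
    cert = b""
    if with_signature:
        stub = b"\0" * 8                                          # placeholder, not a real PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(stub), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + stub
        sec_off = len(dos) + 4 + len(coff) + len(opt) + len(body)  # table is appended at end of file
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sec_off, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + body + cert
```

Note that the detached app.lib is a plain zip archive and is not covered by the signature on app.exe.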

That’s it. Happy code signing!

If you have any questions, comments or suggestions, please don’t hesitate to get in touch; you can email me directly at bjoern.stiel@pathio.com.

Bjoern Stiel

Minimalist, Ex-Investment Banker, now Founder of Pathio.com, #Excel Version control | bjoern.stiel@pathio.com