Support azure signtool

.github/workflows/main.yml

@@ -94,6 +94,10 @@ jobs:
           activate-environment: constructor-dev
           environment-file: dev/environment.yml
           python-version: ${{ matrix.python-version }}
+      - name: Install AzureSignTool
+        if: matrix.os == 'windows'
+        run: dotnet.exe tool install --global AzureSignTool
+        shell: pwsh
       - name: Supply extra dependencies and install constructor
         run: |
           files=(--file "tests/requirements.txt")
@@ -129,6 +133,11 @@ jobs:
           flags: unit
       - name: Run examples
         env:
+          AZURE_SIGNTOOL_KEY_VAULT_CERTIFICATE: ${{ secrets.AZURE_SIGNTOOL_KEY_VAULT_CERTIFICATE }}
+          AZURE_SIGNTOOL_KEY_VAULT_CLIENT_ID: ${{ secrets.AZURE_SIGNTOOL_KEY_VAULT_CLIENT_ID }}
+          AZURE_SIGNTOOL_KEY_VAULT_SECRET: ${{ secrets.AZURE_SIGNTOOL_KEY_VAULT_SECRET }}
+          AZURE_SIGNTOOL_KEY_VAULT_TENANT_ID: ${{ secrets.AZURE_SIGNTOOL_KEY_VAULT_TENANT_ID }}
+          AZURE_SIGNTOOL_KEY_VAULT_URL: ${{ secrets.AZURE_SIGNTOOL_KEY_VAULT_URL }}
           CONSTRUCTOR_EXAMPLES_KEEP_ARTIFACTS: "${{ runner.temp }}/examples_artifacts"
           CONSTRUCTOR_SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe"
         run: |

CONSTRUCT.md

@@ -332,18 +332,25 @@ to sign `conda.exe`. For this, you need an "Application certificate" (different
 "Installer certificate" mentioned above). Common values for this option follow the format
 `Developer ID Application: Name of the owner (XXXXXX)`.
 
-### `signing_certificate`
+### `windows_signing_tool`
 
 _required:_ no<br/>
 _type:_ string<br/>
 
-On Windows only, set this key to the path of a PFX certificate to be used with `signtool`.
-Additional environment variables can be used to configure this step, namely:
+The tool used to sign Windows installers. Must be one of: azuresigntool, signtool.
+Some tools require `signing_certificate` to be set.
+Defaults to `signtool` if `signing_certificate` is set.
+Additional environment variables may need to be used to configure signing.
+See the documentation for details:
+https://conda.github.io/constructor/howto/#signing-exe-installers
+
+### `signing_certificate`
+
+_required:_ no<br/>
+_type:_ string<br/>
 
-- `CONSTRUCTOR_PFX_CERTIFICATE_PASSWORD` (password to unlock the certificate, if needed)
-- `CONSTRUCTOR_SIGNTOOL_PATH` (absolute path to `signtool.exe`, in case is not in `PATH`)
-- `CONSTRUCTOR_SIGNTOOL_TIMESTAMP_SERVER_URL` (custom RFC 3161 timestamping server, default is
-http://timestamp.sectigo.com)
+On Windows only, set this key to the path of the certificate file to be used
+with the `windows_signing_tool`.
 
 ### `attempt_hardlinks`
 

constructor/construct.py

@@ -15,6 +15,11 @@
 from constructor.exceptions import UnableToParse, UnableToParseMissingJinja2, YamlParsingError
 from constructor.utils import yaml
 
+WIN_SIGNTOOLS = [
+    "azuresigntool",
+    "signtool",
+]
+
 # list of tuples (key name, required, type, description)
 KEYS = [
     ('name',                   True,  str, '''
@@ -242,14 +247,18 @@
 `Developer ID Application: Name of the owner (XXXXXX)`.
 '''),
 
-    ('signing_certificate',  False, str, '''
-On Windows only, set this key to the path of a PFX certificate to be used with `signtool`.
-Additional environment variables can be used to configure this step, namely:
+    ('windows_signing_tool', False, str, f'''
+The tool used to sign Windows installers. Must be one of: {", ".join(WIN_SIGNTOOLS)}.
+Some tools require `signing_certificate` to be set.
+Defaults to `signtool` if `signing_certificate` is set.
+Additional environment variables may need to be used to configure signing.
+See the documentation for details:
+https://conda.github.io/constructor/howto/#signing-exe-installers
+'''),
 
-- `CONSTRUCTOR_PFX_CERTIFICATE_PASSWORD` (password to unlock the certificate, if needed)
-- `CONSTRUCTOR_SIGNTOOL_PATH` (absolute path to `signtool.exe`, in case is not in `PATH`)
-- `CONSTRUCTOR_SIGNTOOL_TIMESTAMP_SERVER_URL` (custom RFC 3161 timestamping server, default is
-http://timestamp.sectigo.com)
+    ('signing_certificate',  False, str, '''
+On Windows only, set this key to the path of the certificate file to be used
+with the `windows_signing_tool`.
 '''),
 
     ('attempt_hardlinks',          False, (bool, str), '''
@@ -792,6 +801,15 @@ def verify(info):
                 types_str = " or ".join([type_.__name__ for type_ in types])
                 sys.exit(f"Value for 'extra_envs.{env_name}.{key}' "
                          f"must be an instance of {types_str}")
+    if signtool := info.get("windows_signing_tool"):
+        if signtool.lower().replace(".exe", "") not in WIN_SIGNTOOLS:
+            sys.exit(
+                "Value for 'windows_signing_tool' must be one of: "
+                f"{', '.join(WIN_SIGNTOOLS)}. You tried to use: {signtool}."
+            )
+        need_cert_file = ["signtool"]
+        if signtool in need_cert_file and not info.get("signing_certificate"):
+            sys.exit(f"The signing tool {signtool} requires 'signing_certificate' to be set.")
 
 
 def generate_doc():

constructor/main.py

@@ -109,6 +109,12 @@ def main_build(dir_path, output_dir='.', platform=cc_platform,
         if info.get(key):  # only join if there's a truthy value set
             info[key] = abspath(join(dir_path, info[key]))
 
+    # Normalize name and set default value
+    if info.get("windows_signing_tool"):
+        info["windows_signing_tool"] = info["windows_signing_tool"].lower().replace(".exe", "")
+    elif info.get("signing_certificate"):
+        info["windows_signing_tool"] = "signtool"
+
     for key in 'specs', 'packages':
         if key not in info:
             continue

constructor/signing.py

@@ -0,0 +1,220 @@
+import logging
+import os
+import shutil
+from pathlib import Path
+from subprocess import PIPE, STDOUT, check_call, run
+from typing import Union
+
+from .utils import check_required_env_vars, win_str_esc
+
+logger = logging.getLogger(__name__)
+
+
+class SigningTool:
+    """Base class to sign installers.
+
+    Attributes
+    ----------
+    executable: str | Path
+        Path to the signing tool binary.
+    certificate_file: str | Path
+        Path to the certificate file
+    """
+    def __init__(
+        self,
+        executable: Union[str, Path],
+        certificate_file: Union[str, Path] = None,
+    ):
+        self.executable = str(executable)
+        if certificate_file and not Path(certificate_file).exists():
+            raise FileNotFoundError(f"Certificate file {certificate_file} does not exist.")
+        self.certificate_file = certificate_file
+
+    def _verify_tool_is_available(self):
+        """Helper function to verify that the signing tool executable exists.
+
+        This is a minimum verification step and should be done even if other steps are performed
+        to verify the signing tool (e.g., signtool.exe /?) to receive better error messages.
+        For example, using `signtool.exe /?` when the path does not exist, results in a misleading
+        Permission Denied error.
+        """
+        logger.info(f"Checking for {self.executable}...")
+        if not shutil.which(self.executable):
+            raise FileNotFoundError(
+                f"Could not find {self.executable}. Verify that the file exists or is in PATH."
+            )
+
+    def verify_signing_tool(self):
+        """Verify that the signing tool is usable."""
+        self._verify_tool_is_available()
+
+    def get_signing_command(self):
+        """Get the string of the signing command to be executed.
+
+        For Windows, this command is inserted into the NSIS template.
+        """
+        return self.executable
+
+    def verify_signature(self):
+        """Verify the signed installer."""
+        raise NotImplementedError("Signature verification not implemented for base class.")
+
+
+class WindowsSignTool(SigningTool):
+    def __init__(self, certificate_file=None):
+        super().__init__(
+            os.environ.get("CONSTRUCTOR_SIGNTOOL_PATH", "signtool"),
+            certificate_file=certificate_file,
+        )
+
+    def get_signing_command(self) -> str:
+        timestamp_server = os.environ.get(
+            "CONSTRUCTOR_SIGNTOOL_TIMESTAMP_SERVER_URL",
+            "http://timestamp.sectigo.com"
+        )
+        timestamp_digest = os.environ.get(
+            "CONSTRUCTOR_SIGNTOOL_TIMESTAMP_DIGEST",
+            "sha256"
+        )
+        file_digest = os.environ.get(
+            "CONSTRUCTOR_SIGNTOOL_FILE_DIGEST",
+            "sha256"
+        )
+        command = (
+            f"{win_str_esc(self.executable)} sign /f {win_str_esc(self.certificate_file)} "
+            f"/tr {win_str_esc(timestamp_server)} /td {timestamp_digest} /fd {file_digest}"
+        )
+        if "CONSTRUCTOR_PFX_CERTIFICATE_PASSWORD" in os.environ:
+            # signtool can get the password from the env var on its own
+            command += ' /p "%CONSTRUCTOR_PFX_CERTIFICATE_PASSWORD%"'
+        return command
+
+    def verify_signing_tool(self):
+        super()._verify_tool_is_available()
+        if not Path(self.certificate_file).exists():
+            raise FileNotFoundError(f"Could not find certificate file {self.certificate_file}.")
+        check_call([self.executable, "/?"], stdout=PIPE, stderr=PIPE)
+
+    def verify_signature(self, installer_file: Union[str, Path]):
+        proc = run(
+            [self.executable, "verify", "/v", str(installer_file)],
+            stdout=PIPE,
+            stderr=STDOUT,
+            text=True,
+        )
+        logger.info(proc.stdout)
+        if "SignTool Error: No signature found" in proc.stdout:
+            # This is a signing error!
+            proc.check_returncode()
+        elif proc.returncode:
+            # we had errors but maybe not critical ones
+            logger.error(
+                f"SignTool could find a signature in {installer_file} but detected errors. "
+                "This is expected for untrusted (development) certificates. "
+                "If it is supposed to be trusted, please check your certificate!"
+            )
+
+
+class AzureSignTool(SigningTool):
+    def __init__(self):
+        super().__init__(os.environ.get("AZURE_SIGNTOOL_PATH", "AzureSignTool"))
+
+    def get_signing_command(self) -> str:
+
+        required_env_vars = (
+            "AZURE_SIGNTOOL_KEY_VAULT_URL",
+            "AZURE_SIGNTOOL_KEY_VAULT_CERTIFICATE",
+        )
+        check_required_env_vars(required_env_vars)
+        timestamp_server = os.environ.get(
+            "AZURE_SIGNTOOL_TIMESTAMP_SERVER_URL",
+            "http://timestamp.sectigo.com"
+        )
+        timestamp_digest = os.environ.get(
+            "AZURE_SIGNTOOL_TIMESTAMP_DIGEST",
+            "sha256"
+        )
+        file_digest = os.environ.get(
+            "AZURE_SIGNTOOL_FILE_DIGEST",
+            "sha256"
+        )
+
+        command = (
+            f"{win_str_esc(self.executable)} sign -v"
+            ' -kvu "%AZURE_SIGNTOOL_KEY_VAULT_URL%"'
+            ' -kvc "%AZURE_SIGNTOOL_KEY_VAULT_CERTIFICATE%"'
+            f' -tr "{timestamp_server}"'
+            f" -td {timestamp_digest}"
+            f" -fd {file_digest}"
+        )
+        # There are three ways to sign:
+        #   1. Access token
+        #   2. Secret (requires tenant ID)
+        #   3. Managed identity (requires prior login to Azure)
+        if "AZURE_SIGNTOOL_KEY_VAULT_ACCESSTOKEN" in os.environ:
+            logger.info("AzureSignTool: signing binary using access token.")
+            command += ' -kva "%AZURE_SIGNTOOL_KEY_VAULT_ACCESSTOKEN%"'
+        elif "AZURE_SIGNTOOL_KEY_VAULT_SECRET" in os.environ:
+            # Authentication via secret required client and tenant ID
+            logger.info("AzureSignTool: signing binary using secret.")
+            required_env_vars = (
+                "AZURE_SIGNTOOL_KEY_VAULT_CLIENT_ID",
+                "AZURE_SIGNTOOL_KEY_VAULT_TENANT_ID",
+            )
+            check_required_env_vars(required_env_vars)
+            command += (
+                ' -kvi "%AZURE_SIGNTOOL_KEY_VAULT_CLIENT_ID%"'
+                ' -kvt "%AZURE_SIGNTOOL_KEY_VAULT_TENANT_ID%"'
+                ' -kvs "%AZURE_SIGNTOOL_KEY_VAULT_SECRET%"'
+            )
+        else:
+            # No token or secret found, assume managed identity
+            logger.info("AzureSignTool: signing binary using managed identity.")
+            command += " -kvm"
+        return command
+
+    def verify_signing_tool(self):
+        self._verify_tool_is_available()
+        check_call([self.executable, "--help"], stdout=PIPE, stderr=PIPE)
+
+    def verify_signature(self, installer_file: Union[str, Path]):
+        """Use Powershell to verify signature.
+
+        For available statuses, see the Microsoft documentation:
+        https://learn.microsoft.com/en-us/dotnet/api/system.management.automation.signaturestatus
+        """
+        if shutil.which("powershell") is None:
+            logger.error("Could not verify signature: PowerShell not found.")
+            return
+        command = (
+            f"$sig = Get-AuthenticodeSignature -LiteralPath {installer_file};"
+            "$sig.Status.value__;"
+            "$sig.StatusMessage"
+        )
+        proc = run([
+                "powershell",
+                "-c",
+                command,
+            ],
+            capture_output=True,
+            text=True,
+        )
+        # The return code will always be 0,
+        # but stderr will be non-empty on errors
+        if proc.stderr:
+            raise RuntimeError(f"Signature verification failed.\n{proc.stderr}")
+        try:
+            status, status_message = proc.stdout.strip().split("\n")
+            status = int(status)
+            if status > 1:
+                # Includes missing signature
+                raise RuntimeError(f"Error signing {installer_file}: {status_message}")
+            elif status == 1:
+                logger.error(
+                    f"{installer_file} contains a signature that is either invalid or not trusted. "
+                    "This is expected with development certificates. "
+                    "If it is supposed to be trusted, please check your certificate!"
+                )
+        except ValueError:
+            # Something else is in the output
+            raise RuntimeError(f"Unexpected signature verification output: {proc.stdout}")

constructor/utils.py

@@ -10,7 +10,7 @@
 import re
 import sys
 from io import StringIO
-from os import sep, unlink
+from os import environ, sep, unlink
 from os.path import basename, isdir, isfile, islink, join, normpath
 from shutil import rmtree
 from subprocess import check_call, check_output
@@ -265,3 +265,20 @@ def identify_conda_exe(conda_exe=None):
         name = "micromamba"
         version = output.strip()
     return name, version
+
+
+def win_str_esc(s, newlines=True):
+    maps = [('$', '$$'), ('"', '$\\"'), ('\t', '$\\t')]
+    if newlines:
+        maps.extend([('\n', '$\\n'), ('\r', '$\\r')])
+    for a, b in maps:
+        s = s.replace(a, b)
+    return '"%s"' % s
+
+
+def check_required_env_vars(env_vars):
+    missing_vars = {var for var in env_vars if var not in environ}
+    if missing_vars:
+        raise RuntimeError(
+            f"Missing required environment variables {', '.join(missing_vars)}."
+        )