feat: add code signing support for macOS and Windows binaries#2208
Draft
Add a new `build.signing` section to the recipe schema that allows configuring native code signing for macOS (codesign) and Windows (signtool or Azure Trusted Signing).

Key changes:
- Recipe schema: `build.signing.macos` (identity, keychain, entitlements, options) and `build.signing.windows` (local certificate via signtool OR Azure Trusted Signing via azure_endpoint/account/profile)
- Stage0 parsing + Stage1 evaluation for signing configuration
- New `post_process::signing` module that signs all Mach-O/PE binaries after relinking but before packaging
- Signature verification after signing
- Safety check: errors if signed binaries contain the build prefix (which would be corrupted by conda's prefix replacement at install time)
- Added `Signtool` to system_tools enum

The signing step integrates into the packaging pipeline after relinking and post-processing but before metadata creation, ensuring archives contain properly signed binaries.

https://claude.ai/code/session_017eLvzM9YezN2oJ6Q7etqHu
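The two pre-signing checks the description lists (only Mach-O/PE files are candidates, and a binary that embeds the build prefix must not be signed because conda's prefix replacement would rewrite the signed bytes at install time), as an added Rust example that is not part of this PR or of rattler-build. It assumes nothing about rattler-build's internals: `binary_kind`, `contains_prefix` and `check_signable` are names chosen here, and the sample byte strings are constructed stand-ins for real binaries, not output of any build.

```rust
// Added example (not rattler-build's own code): recognise the binary
// formats the signing step targets and refuse to sign a binary whose
// bytes embed the build prefix. Conda patches that prefix at install
// time, so a signature computed over it would no longer verify.

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum BinaryKind {
    MachO,
    MachOFat,
    Pe,
}

/// Identify Mach-O / PE files by their header magic. Anything else
/// (scripts, data files) is not a candidate for native code signing.
pub fn binary_kind(bytes: &[u8]) -> Option<BinaryKind> {
    if bytes.len() < 4 {
        return None;
    }
    let magic = u32::from_be_bytes([bytes[0], bytes[1], bytes[2], bytes[3]]);
    match magic {
        // 32/64-bit Mach-O, in either on-disk byte order
        0xFEED_FACE | 0xFEED_FACF | 0xCEFA_EDFE | 0xCFFA_EDFE => return Some(BinaryKind::MachO),
        // Universal ("fat") Mach-O. Java class files share this magic, so
        // require a plausible nfat_arch count rather than trusting the magic alone.
        0xCAFE_BABE => {
            if bytes.len() >= 8 {
                let nfat_arch = u32::from_be_bytes([bytes[4], bytes[5], bytes[6], bytes[7]]);
                if (1..=16).contains(&nfat_arch) {
                    return Some(BinaryKind::MachOFat);
                }
            }
            return None;
        }
        _ => {}
    }
    // PE: "MZ" DOS stub, e_lfanew at offset 0x3C points at the "PE\0\0" signature
    if bytes.len() >= 0x40 && &bytes[..2] == b"MZ" {
        let off = u32::from_le_bytes([bytes[0x3C], bytes[0x3D], bytes[0x3E], bytes[0x3F]]) as usize;
        if let Some(hdr) = bytes.get(off..off.saturating_add(4)) {
            if hdr == b"PE\0\0" {
                return Some(BinaryKind::Pe);
            }
        }
    }
    None
}

/// Byte-wise search for the build prefix; a `str` search would choke on
/// arbitrary binary data. A hit means conda would patch these bytes on install.
pub fn contains_prefix(bytes: &[u8], prefix: &[u8]) -> bool {
    !prefix.is_empty() && bytes.windows(prefix.len()).any(|w| w == prefix)
}

/// Decide whether a file may be handed to codesign / signtool.
/// Ok(kind) means sign it; Err carries the reason it is skipped or rejected.
pub fn check_signable(bytes: &[u8], build_prefix: &str) -> Result<BinaryKind, String> {
    let kind = binary_kind(bytes).ok_or_else(|| "not a Mach-O or PE binary, skipping".to_string())?;
    if contains_prefix(bytes, build_prefix.as_bytes()) {
        return Err(format!(
            "{:?} binary embeds the build prefix {:?}; prefix replacement at install time would break its signature",
            kind, build_prefix
        ));
    }
    Ok(kind)
}

/// Constructed sample: a minimal PE-shaped byte string (not a real executable).
pub fn sample_pe(payload: &[u8]) -> Vec<u8> {
    let mut v = vec![0u8; 0x40];
    v[0] = b'M';
    v[1] = b'Z';
    v[0x3C..0x40].copy_from_slice(&0x40u32.to_le_bytes());
    v.extend_from_slice(b"PE\0\0");
    v.extend_from_slice(payload);
    v
}

/// Constructed sample: 64-bit Mach-O magic as written on disk (CF FA ED FE) plus payload.
pub fn sample_macho(payload: &[u8]) -> Vec<u8> {
    let mut v = 0xFEED_FACFu32.to_le_bytes().to_vec();
    v.extend_from_slice(payload);
    v
}

fn main() {
    // Hypothetical build prefix; rattler-build's real one is longer and placeholder-padded.
    let prefix = "/tmp/rattler-build/h_env_placehold";
    let files = vec![
        ("hello (Mach-O)", sample_macho(b"Hello from an example binary")),
        ("libgreet.dll (PE, embeds prefix)", sample_pe(prefix.as_bytes())),
        ("run.sh", b"#!/bin/sh\n".to_vec()),
    ];
    for (name, bytes) in files {
        match check_signable(&bytes, prefix) {
            Ok(kind) => println!("{}: sign as {:?}", name, kind),
            Err(reason) => println!("{}: {}", name, reason),
        }
    }
}
```

The prefix scan runs before signing on purpose: finding the prefix afterwards would only tell you the signature is already worthless. A hit usually means an absolute path was baked into the binary (an rpath, a hard-coded data directory) and the fix is in the build, not in the signing step.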
…d_signing sub-objects

Instead of flat fields with azure_ prefixes, Windows signing now uses
grouped sub-objects for clearer separation of signing methods:

```yaml
signing:
  windows:
    signtool:
      certificate_file: "cert.pfx"
      certificate_password: "${{ env.PW }}"
    timestamp_url: "http://timestamp.digicert.com"

# OR

signing:
  windows:
    azure_trusted_signing:
      endpoint: "${{ env.ENDPOINT }}"
      account_name: "${{ env.ACCT }}"
      certificate_profile: "${{ env.PROF }}"
```

Shared settings (timestamp_url, digest_algorithm) remain at the
windows level. The parser validates mutual exclusivity at parse time.

https://claude.ai/code/session_017eLvzM9YezN2oJ6Q7etqHu
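The mutual-exclusivity rule from this commit message and the mapping from the grouped settings to a signtool invocation, as an added Rust example that is not code from the PR or from rattler-build. The struct and method names (`WindowsSigning`, `validate`, `signtool_args`, `azure_metadata_json`) are chosen here; YAML parsing is left out so the example runs with the standard library only. The `/fd`, `/tr`, `/td`, `/f` and `/p` signtool options are real; routing Azure Trusted Signing through signtool's `/dlib` and `/dmdf` options with a JSON metadata file is how Microsoft documents that integration, but the DLL path is a placeholder and the PR may wire it differently.

```rust
// Added example (not rattler-build's own code): model the grouped
// `build.signing.windows` settings, enforce that exactly one signing
// method is configured, and assemble the `signtool sign` argument list.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SigntoolConfig {
    pub certificate_file: String,
    pub certificate_password: Option<String>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AzureTrustedSigningConfig {
    pub endpoint: String,
    pub account_name: String,
    pub certificate_profile: String,
}

#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct WindowsSigning {
    pub signtool: Option<SigntoolConfig>,
    pub azure_trusted_signing: Option<AzureTrustedSigningConfig>,
    /// Shared settings, valid for either method (kept at the `windows` level).
    pub timestamp_url: Option<String>,
    pub digest_algorithm: Option<String>,
}

/// Minimal JSON string quoting so config values cannot break the metadata file.
fn json_str(s: &str) -> String {
    format!("\"{}\"", s.replace('\\', "\\\\").replace('"', "\\\""))
}

/// Metadata file the Azure Trusted Signing dlib reads (`/dmdf`). Field names
/// follow Microsoft's documented format; this is an assumption of the example.
pub fn azure_metadata_json(az: &AzureTrustedSigningConfig) -> String {
    format!(
        "{{\n  \"Endpoint\": {},\n  \"CodeSigningAccountName\": {},\n  \"CertificateProfileName\": {}\n}}",
        json_str(&az.endpoint), json_str(&az.account_name), json_str(&az.certificate_profile)
    )
}

impl WindowsSigning {
    /// The parse-time check the commit message describes: `signtool` and
    /// `azure_trusted_signing` are mutually exclusive, and one of them is required.
    pub fn validate(&self) -> Result<(), String> {
        match (&self.signtool, &self.azure_trusted_signing) {
            (Some(_), Some(_)) => Err("signing.windows: `signtool` and `azure_trusted_signing` are mutually exclusive".to_string()),
            (None, None) => Err("signing.windows: one of `signtool` or `azure_trusted_signing` is required".to_string()),
            _ => Ok(()),
        }
    }

    /// Arguments for `signtool sign`, ending with the file to sign. The digest
    /// defaults to SHA256 and is also used for the RFC 3161 timestamp (`/td`).
    pub fn signtool_args(&self, target: &str) -> Result<Vec<String>, String> {
        self.validate()?;
        let digest = self.digest_algorithm.clone().unwrap_or_else(|| "SHA256".to_string());
        let mut args = vec!["sign".to_string(), "/fd".to_string(), digest.clone()];
        if let Some(url) = &self.timestamp_url {
            args.extend(["/tr".to_string(), url.clone(), "/td".to_string(), digest.clone()]);
        }
        if let Some(st) = &self.signtool {
            args.extend(["/f".to_string(), st.certificate_file.clone()]);
            if let Some(pw) = &st.certificate_password {
                args.extend(["/p".to_string(), pw.clone()]);
            }
        } else {
            // Azure path: signtool delegates the signature to the Azure dlib; the
            // DLL location is a placeholder and the metadata file is written separately.
            args.extend([
                "/dlib".to_string(),
                "<path-to-Azure.CodeSigning.Dlib.dll>".to_string(),
                "/dmdf".to_string(),
                "<metadata.json>".to_string(),
            ]);
        }
        args.push(target.to_string());
        Ok(args)
    }
}

fn main() {
    // Constructed config mirroring the first YAML snippet; the password comes from the environment in a real recipe.
    let cfg = WindowsSigning {
        signtool: Some(SigntoolConfig {
            certificate_file: "cert.pfx".to_string(),
            certificate_password: Some("<from env PW>".to_string()),
        }),
        timestamp_url: Some("http://timestamp.digicert.com".to_string()),
        ..Default::default()
    };
    match cfg.signtool_args("hello.exe") {
        Ok(args) => println!("signtool {}", args.join(" ")),
        Err(e) => eprintln!("{}", e),
    }
}
```

Rejecting the "neither configured" case at parse time matters as much as rejecting "both": a `windows:` block with only `timestamp_url` would otherwise pass validation and silently produce unsigned PE files.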
Comprehensive documentation covering:
- Why sign binaries in conda packages (prefix replacement problem)
- Pipeline order (signing happens after relinking, before archiving)
- macOS signing via codesign (identity, keychain, entitlements, options)
- Windows signing via signtool (local .pfx certificate)
- Windows signing via Azure Trusted Signing (cloud-based)
- Cross-platform configuration
- CI/CD examples for GitHub Actions (macOS + Windows)
- File type detection, troubleshooting, and links to related docs

https://claude.ai/code/session_017eLvzM9YezN2oJ6Q7etqHu
Adds examples/code-signing/ containing:
- A minimal C project (hello executable + libgreet shared library)
- recipe.yaml with macOS codesign + Windows signtool signing config
- GitHub Actions workflow that imports certificates from secrets, builds with rattler-build, and signs binaries on macOS + Windows
- README with instructions for copying into your own repo

Also updates docs/code_signing.md with a link to the example.

https://claude.ai/code/session_017eLvzM9YezN2oJ6Q7etqHu
Another motivating blog post: https://d34dl0ck.me/cargo-codesign/index.html
Motivation

We want to replace cargo-dist by building the Pixi (and rattler-build) binaries with rattler-build, including proper signing. We would then extract the files from the conda package for the release.