Functions for signing PE and MSI files.


Create a signer function that signs with a private key.


priv_key (key object) – A cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateKey instance


A signer function with signature signer(digest: bytes, digest_algo: str) -> bytes

async winsign.sign.sign_file(infile, outfile, digest_algo, certs, signer, cafile=None, timestampfile=None, url=None, comment=None, crosscert=None, timestamp_style=None, timestamp_url=None)

Sign a PE or MSI file.

  • infile (str) – Path to the unsigned file

  • outfile (str) – Path to where the signed file will be written

  • digest_algo (str) – Which digest algorithm to use. Generally ‘sha1’ or ‘sha256’

  • certs (list of x509 certificates) – certificates to attach to the new signature

  • cafile (str) – path to cafile of the cert we use to sign

  • timestampfile (str) – path to the ca for verifying the timestamp

  • signer (function) – Function that takes (digest, digest_algo) and returns bytes of the signature. Normally this will be using a private key object to sign the digest.

  • url (str) – A URL to embed into the signature

  • comment (str) – A string to embed into the signature

  • crosscert (str) – Extra certificates to attach to the signature

  • timestamp_style (str) – What kind of signed timestamp to include in the signature. Can be None, ‘old’, or ‘rfc3161’.

  • timestamp_url (str) – URL for the timestamp server to use. Required if timestamp_style is set.


True on success False otherwise