Add code signing of release binaries via cargo-code-sign#18280
Draft
Add code signing of release binaries via cargo-code-sign#18280
cargo-code-sign#18280Conversation
zanieb
force-pushed
the
zb/cargo-auditable
branch
from
d64d72a to
5cacad5
Compare
zanieb
force-pushed
the
zb/cargo-code-sign
branch
8 times, most recently
from
1104b91 to
5810e1c
Compare
zanieb
force-pushed
the
zb/cargo-auditable
branch
2 times, most recently
from
9db7448 to
6e33a04
Compare
zanieb
force-pushed
the
zb/cargo-code-sign
branch
from
5810e1c to
921eac1
Compare
zanieb
force-pushed
the
zb/cargo-auditable
branch
5 times, most recently
from
49125e3 to
355fe05
Compare
zanieb
force-pushed
the
zb/cargo-code-sign
branch
5 times, most recently
from
e91fbc7 to
6ea7974
Compare
zanieb
force-pushed
the
zb/cargo-code-sign
branch
from
6ea7974 to
b7dd415
Compare
woodruffw
reviewed
Mar 4, 2026
Comment on lines
+111
to
+116
| openssl req -x509 -newkey rsa:2048 -sha256 -days 7 -nodes \ | ||
| -keyout "$CERT_DIR/key.pem" \ | ||
| -out "$CERT_DIR/cert.pem" \ | ||
| -subj "/CN=$CERT_NAME" \ | ||
| -addext "extendedKeyUsage=codeSigning" \ | ||
| -addext "keyUsage=digitalSignature" |
Member
There was a problem hiding this comment.
I think there are additional Apple-specific X.509 extensions we need to include here, in order for the self-signed cert to look "right" to Apple's codesigning machinery.
Ref: https://docs.rs/apple-codesign/0.29.0/src/apple_codesign/certificate.rs.html#1276-1286
(Maybe it makes sense to use rcodesign to bootstrap the testing cert here?)
Collaborator
There was a problem hiding this comment.
Note this will also inherit from the host openssl.conf (if it exists) and may alter the output in some cases. Normally when I have done this I tend to pass the entire config via stdin to avoid such cases with scripts invoking openssl e.g.
openssl req -x509 -newkey rsa:2048 -sha256 -days 7 -nodes \
-keyout "$CERT_DIR/key.pem" \
-out "$CERT_DIR/cert.pem" \
-config <(
cat <<-EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
O = Astral Software Inc.
CN = $CERT_NAME
[ext]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
)
zanieb
added a commit
that referenced
this pull request
Mar 6, 2026
Inspired by #18252 This required an upstream change rust-secure-code/cargo-auditable#245 which is now released. This increases binary sizes slightly, ~4KB. The cargo wrapper implementation will be extended in #18280 to code sign binaries.
zanieb
added a commit
that referenced
this pull request
Mar 6, 2026
Instead of generating test secrets in the workflow itself as was done in #18280 for testing. This includes a script to generate self-signed certificates and adds them to the `release-test` environment. We'll populate the real secrets in the `release` environment. We may want a dedicated environment for code-signing secrets? We also may want to sign with the real secrets on `main` or similar.
Instead of generating test secrets in the workflow itself as was done in #18280 for testing. This includes a script to generate self-signed certificates and adds them to the `release-test` environment. We'll populate the real secrets in the `release` environment. We may want a dedicated environment for code-signing secrets? We also may want to sign with the real secrets on `main` or similar.
zanieb
force-pushed
the
zb/cargo-code-sign
branch
from
971341a to
7cfc0b7
Compare
zanieb
commented
Mar 6, 2026
Comment on lines
+5
to
+7
| ## Secrets: CODESIGN_CERTIFICATE_PASSWORD, CODESIGN_IDENTITY_MACOS, | ||
| ## CODESIGN_CERTIFICATE_MACOS, CODESIGN_CERTIFICATE_WINDOWS | ||
| ## Variables: CODESIGN_ALLOW_UNTRUSTED_MACOS |
Member
Author
There was a problem hiding this comment.
Enumerate these in a bullet point list, we don't need to differentiate between secrets / variables in this doc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds code signing of our release binaries on Windows and macOS, using temporary self-signed certificates for testing.
Instead of signing via
uv buildas explored in #18262, we use a cargo extension to sign on build. This allows us to sign both the artifacts inside and outside of wheels without changing maturin. This builds on patterns introduced in #18276.I built
cargo-code-signas a standalone tool, heavily referencing existing code signing techniques in the ecosystem, see https://github.com/zanieb/code-sign-toolsIncludes #18295
This does not configure secrets for the actual release environment yet.