Keywords: code-signing, codesign, signtool, security

native-code-sign: Platform-native code signing (macOS codesign, Windows signtool)

Releases: 0.2.0 (Mar 6, 2026), 0.1.0 (Mar 4, 2026); 2 unstable releases. Uses Rust 2024 edition. #1097 in Development tools. Used in cargo-code-sign. License: MIT/Apache. 54KB, 995 lines.

native-code-sign

Code signing wrappers using platform-native signing tools.

macOS

Uses Apple's codesign tool.

Set the following environment variables:

  • CODE_SIGN_IDENTITY: signing identity (e.g. "Developer ID Application: ...")
  • CODE_SIGN_CERTIFICATE: base64-encoded .p12 certificate
  • CODE_SIGN_CERTIFICATE_PASSWORD: password for the .p12
  • CODE_SIGN_OPTIONS: (optional) extra --options value (e.g. runtime for hardened runtime / notarization)
  • CODE_SIGN_ALLOW_UNTRUSTED: (optional) set to 1/true to allow self-signed certs not in system trust

An ephemeral keychain is created to hold the certificate, and the keychain search list is temporarily modified to include it. This modification is robust to concurrent cargo-code-sign invocations, but not to other programs that modify the keychain search list at the same time.

Windows

Uses Microsoft signtool.exe.

Local certificate signing (.pfx)

Set the following environment variables:

  • CODE_SIGN_CERTIFICATE_PATH: path to a .pfx certificate file
  • CODE_SIGN_CERTIFICATE_PASSWORD: password for the .pfx
  • CODE_SIGN_TIMESTAMP_URL: (optional) RFC 3161 timestamp server URL
  • CODE_SIGN_DESCRIPTION: (optional) description shown in UAC prompts (signtool /d flag)
  • CODE_SIGN_TOOL_PATH: (optional) path to signtool.exe (defaults to signtool.exe from PATH)

Azure Trusted Signing

Set all of:

  • CODE_SIGN_AZURE_DLIB_PATH: path to Azure.CodeSigning.Dlib.dll
  • CODE_SIGN_AZURE_ENDPOINT: Artifact Signing endpoint (for example https://eus.codesigning.azure.net)
  • CODE_SIGN_AZURE_ACCOUNT: CodeSigningAccountName
  • CODE_SIGN_AZURE_CERTIFICATE_PROFILE: CertificateProfileName

Optional:

  • CODE_SIGN_AZURE_CORRELATION_ID: correlation ID for request tracing
  • CODE_SIGN_TIMESTAMP_URL: RFC 3161 timestamp URL (defaults to http://timestamp.acs.microsoft.com)
  • CODE_SIGN_DESCRIPTION: description shown in UAC prompts (/d)
  • CODE_SIGN_TOOL_PATH: explicit path to signtool.exe

Azure authentication is handled by the dlib via DefaultAzureCredential.
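Assembling the signtool.exe invocation for the two Windows backends above, as an added example that is not the crate's own code: signtool_args and signtool_exe are hypothetical helpers, the HashMap stands in for the process environment, and the Azure metadata JSON file (endpoint, account, certificate profile) is assumed to be written separately by the caller.

```rust
use std::collections::HashMap;

/// Hypothetical helper (not the crate's API): build the signtool.exe argument
/// vector from the CODE_SIGN_* variables documented above. `env` stands in for
/// std::env::vars() so the selection logic can be exercised offline. For Azure
/// Trusted Signing the JSON metadata file at `azure_metadata_path` is assumed.
pub fn signtool_args(
    env: &HashMap<String, String>,
    azure_metadata_path: &str,
    target: &str,
) -> Result<Vec<String>, String> {
    let get = |k: &str| env.get(k).map(String::as_str);
    // SHA-256 file digest for either backend; SHA-1 signatures are no longer trusted.
    let mut args = vec!["sign".to_string(), "/fd".into(), "SHA256".into()];

    let azure_keys = ["CODE_SIGN_AZURE_DLIB_PATH", "CODE_SIGN_AZURE_ENDPOINT",
        "CODE_SIGN_AZURE_ACCOUNT", "CODE_SIGN_AZURE_CERTIFICATE_PROFILE"];
    let azure = azure_keys.iter().all(|k| env.contains_key(*k));

    if azure {
        // The private key never leaves Azure: signtool loads the Dlib, which
        // authenticates via DefaultAzureCredential and reads the metadata file.
        args.extend(["/dlib".to_string(), get("CODE_SIGN_AZURE_DLIB_PATH").unwrap().into(),
            "/dmdf".into(), azure_metadata_path.into()]);
    } else {
        // Local .pfx: both the path and the password are mandatory.
        let pfx = get("CODE_SIGN_CERTIFICATE_PATH").ok_or("CODE_SIGN_CERTIFICATE_PATH not set")?;
        let pw = get("CODE_SIGN_CERTIFICATE_PASSWORD").ok_or("CODE_SIGN_CERTIFICATE_PASSWORD not set")?;
        args.extend(["/f".to_string(), pfx.into(), "/p".into(), pw.into()]);
    }

    // RFC 3161 timestamp keeps the signature valid after the certificate expires.
    // Azure defaults to the ACS TSA as the README states; local only timestamps when set.
    let ts = get("CODE_SIGN_TIMESTAMP_URL")
        .or(if azure { Some("http://timestamp.acs.microsoft.com") } else { None });
    if let Some(url) = ts {
        args.extend(["/tr".to_string(), url.into(), "/td".into(), "SHA256".into()]);
    }
    if let Some(desc) = get("CODE_SIGN_DESCRIPTION") {
        args.extend(["/d".to_string(), desc.into()]);
    }
    args.push(target.to_string());
    Ok(args)
}

/// Resolve the signtool binary: explicit CODE_SIGN_TOOL_PATH, else PATH lookup.
pub fn signtool_exe(env: &HashMap<String, String>) -> String {
    env.get("CODE_SIGN_TOOL_PATH").cloned().unwrap_or_else(|| "signtool.exe".to_string())
}
```

Note that with the local .pfx backend the password is passed on the command line, so it is visible to other processes on the build host for the duration of the signing call.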
