MSI: Add support for signing of installers

[lrandersson]

Description

Adds code signing support for MSI installers built via Briefcase, reusing the existing EXE signing infrastructure.

• Add sign() method to WindowsSignTool and AzureSignTool for direct file signing (post-build)
• Extract signing tool initialization into create_signing_tool() factory to reduce duplication
• Sign MSI after Briefcase builds it, using the same windows_signing_tool/signing_certificate config as EXE
• Add signature verification to test_example_signing

Checklist - did you ...

• Add a file to the news directory (using the template) for the next release's release notes?
• Add / update necessary tests?
• Add / update outdated documentation?

[lrandersson]

About the changes in this file to simplify review: The new code is based on existing patterns, _get_signing_params() extracts the same environment variables already used in get_signing_command(), and sign() builds the same command structure but as a list for direct execution. The create_signing_tool() function is essentially the same logic that was already in winexe.py, just moved to reduce duplicated code, but reuses existing logic to enable MSI signing.

[lrandersson]

I added this because I thought it was odd that this test was even passing before signing of installers was supported for MSI Installers. This example was already running for EXE and MSI installers before this PR, and passed for MSI due to lack of actual verification during the testing.

[marcoesters]

Should we sign before moving the installer out of the staging directory?

[lrandersson]

Good point I like that idea, 72d0414

[marcoesters]

There is still some duplication here since get_signing_command is just the " ".join() on the list you're building inside sign()

[lrandersson]

Yeah this is with some code duplication but its kept intentionally because I tried to keep it simple, here get_signing_command and sign have very different requirements.
To unify them, we'd need some kind of helper function that returns the command as a list of tuples like (value, needs_escaping, is_env_reference). Then sign() would extract just the values, while get_signing_command() would iterate through, apply win_str_esc() where needs_escaping=True, and replace actual values with %VAR% syntax where is_env_reference=True. For context:

• paths: sign() uses actual value, get_signing_command() needs win_str_esc(value)
• password: sign() uses actual value, get_signing_command() emits "%ENV_VAR%" literal for NSIS to expand during runtime.
  Most elements just need optional escaping, but password is fundamentally different.

I'm happy to do this refactoring if we are OK with the added complexity.

[marcoesters]

In that case, I think keeping them separate is good.

[marcoesters]

Same here: get_signing_command and what you need for sign are just two different representations of the same data.

[marcoesters]

Suggested change

	"""Create a signing tool based on construct.yaml configuration.
	"""Create a signing tool based on construct.yaml.

[lrandersson]

72d0414

[marcoesters]

This function seems to only cover Windows, but this file also contains macOS signing tools.

[lrandersson]

I renamed it to make it more clear 72d0414

[lrandersson]

@marcoesters I just added two more commits

1. 1b2d01c - which wasn't enough
2. e7771ba
   The reason for this is that the macos-latest, Python 3.12 was failing with a bizarre error and it seems that the latest runner system Python has been updated to Python 3.14, because the command pip install -e was failing. I don't know why (is it intentional) that we use system pip? The pip command was finding /Library/Frameworks/Python.framework/Versions/3.14/bin/pip first in PATH, even though the conda environment is activated.
   With the above mentioned reason I explicitly now invoke pip via python (that hopefully is the python from the conda environment), then the second commit I guess we need ever since the update to conda-libmamba-solver with sharded repodata enabled as default (since we saw that pip was no longer included as a dependency).
   The jobs are still running with these changes so there might be additional changes needed to make it work.

[marcoesters]

2. I don't know why (is it intentional) that we use system pip?

This is strange. The environment should have been activated (and it is, or conda install wouldn't have worked). Maybe it's the way setup-miniconda is used? There has been a major release recently.

[lrandersson]

This is strange. The environment should have been activated (and it is, or conda install wouldn't have worked). Maybe it's the way setup-miniconda is used? There has been a major release recently.

@marcoesters Im not sure, this branch is still pinned to the previous version conda-incubator/setup-miniconda@fc2d68f6413eb2d87b895e92f8584b5b94a10167 # v3.3.0. It also only happened on the macos latest runner which is odd so I wonder if its just due to updates in the environment upstream.

[lrandersson]

@marcoesters this has also been rebased and I removed the python/pip specific commits after the rebase so it also needs a new approval.