
Add Windows Authenticode signing support with PKCS#11 HSM #431

Merged: shannah merged 4 commits into master from claude/investigate-windows-signing-QlM7S on Mar 11, 2026

@shannah shannah commented Mar 11, 2026

Summary

This PR adds comprehensive Windows Authenticode signing capabilities to jdeploy, supporting both local keystores (PFX/JKS) and PKCS#11 hardware security modules (HSMs). This enables code signing for Windows executables during the packaging process, with support for real HSMs (SafeNet, YubiKey) and cloud HSM services via PKCS#11.

Key Changes

  • WindowsSigningConfig: New configuration class that encapsulates all signing parameters (keystore path, password, alias, timestamp URL, PKCS#11 config path, etc.) with validation logic
  • WindowsSigningService: Core signing service that handles both in-place and separate-file signing using the jsign library, supporting both local keystores and PKCS#11 tokens
  • WindowsSigningConfigFactory: Factory that builds signing configuration from environment variables (JDEPLOY_WIN_*), enabling CI/CD integration without code changes
  • Integration tests:
    • WindowsSigningPfxIntegrationTest: Tests signing with self-signed PFX certificates, including in-place signing, separate output file, and auto-alias detection
    • WindowsSigningPkcs11IntegrationTest: Tests PKCS#11 signing path using SoftHSM2, verifying the same code path used by real HSMs
  • Unit tests: Comprehensive test coverage for config validation, factory creation, and service error handling
  • PackageService integration: Wired WindowsSigningService and WindowsSigningConfigFactory into the dependency injection container for use during packaging
  • Setup script: softhsm2-test-setup.sh for CI environments to install SoftHSM2 and OpenSC prerequisites

Notable Implementation Details

  • PKCS#11 support is abstracted through the standard KeyStoreBuilder interface, making it compatible with any PKCS#11 provider (hardware HSMs, cloud HSMs, SoftHSM2)
  • Configuration validation ensures required fields are present before attempting to sign
  • Tests use Assumptions.assumeTrue() to gracefully skip when prerequisites (keytool, softhsm2-util) are unavailable
  • Minimal PE executable generation in tests includes proper data directory entries (certificate table at index 4) required by jsign
  • Environment variable naming follows a consistent JDEPLOY_WIN_* pattern for discoverability

https://claude.ai/code/session_01Fh1FJsRT8MXrqZMuniWbwR

claude added 4 commits March 9, 2026 23:14
Add WindowsSigningService that signs Windows EXEs with Authenticode
signatures, supporting PFX/JKS keystores and PKCS#11 HSM tokens.
Configuration is driven by environment variables (JDEPLOY_WIN_*).
Signing is automatically applied during Windows bundling in
PackageService when signing env vars are present.

https://claude.ai/code/session_01Fh1FJsRT8MXrqZMuniWbwR
…SoftHSM2

Adds two integration test classes:
- WindowsSigningPfxIntegrationTest: tests signing with a self-signed PFX
  keystore (requires only keytool)
- WindowsSigningPkcs11IntegrationTest: tests signing through PKCS#11 using
  SoftHSM2 as a software HSM, exercising the same code path as Azure Key
  Vault and AWS CloudHSM

Both tests auto-skip when prerequisites are missing. Includes a CI setup
script for installing SoftHSM2.

https://claude.ai/code/session_01Fh1FJsRT8MXrqZMuniWbwR
Add missing WindowsSigningService and WindowsSigningConfigFactory mock
parameters to PackageServiceIntegrationTest and
GitHubPublishDriverIntegrationTest.

https://claude.ai/code/session_01Fh1FJsRT8MXrqZMuniWbwR
The minimal PE had incorrect data directory layout — NumberOfRvaAndSizes
was written at the wrong offset (0x10C instead of 0xEC), causing the
certificate table entry to not be recognized by jsign. Rebuilt the PE
with correct PE32 optional header field offsets, proper section headers,
and section data.

https://claude.ai/code/session_01Fh1FJsRT8MXrqZMuniWbwR
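
To illustrate the layout problem the last commit message describes, the following added example (not code from the PR or from jsign) locates the certificate table slot, data directory index 4, by following the PE/COFF header layout. The header bytes are a constructed sample, and `E_LFANEW = 0x78` is an assumption chosen so that NumberOfRvaAndSizes falls at 0xEC; the PR's actual test executable is not shown on this page.

```python
import struct

CERT_TABLE_INDEX = 4   # data directory slot of the certificate table
E_LFANEW = 0x78        # assumption: puts NumberOfRvaAndSizes at 0xEC

def build_header(count_offset, cert_offset=0, cert_size=0):
    """Constructed sample: PE32 headers only, no sections or code."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, E_LFANEW)
    buf[E_LFANEW:E_LFANEW + 4] = b"PE\0\0"
    coff = E_LFANEW + 4
    struct.pack_into("<H", buf, coff, 0x014C)        # Machine = i386
    struct.pack_into("<H", buf, coff + 16, 0xE0)     # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", buf, count_offset, 16)    # NumberOfRvaAndSizes
    entry = opt + 96 + 8 * CERT_TABLE_INDEX
    struct.pack_into("<II", buf, entry, cert_offset, cert_size)
    return bytes(buf)

def locate_cert_table(pe):
    """Return where the certificate table entry lives, or raise ValueError."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20
    if len(pe) < opt + 2:
        raise ValueError("truncated headers")
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    (magic,) = struct.unpack_from("<H", pe, opt)
    # NumberOfRvaAndSizes sits 92 bytes into a PE32 optional header, 108 in PE32+
    count_rel = {0x10B: 92, 0x20B: 108}.get(magic)
    if count_rel is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    count_at = opt + count_rel
    entry_at = count_at + 4 + 8 * CERT_TABLE_INDEX
    if entry_at + 8 > min(len(pe), opt + opt_size):
        raise ValueError("optional header too short for certificate table entry")
    (count,) = struct.unpack_from("<I", pe, count_at)
    if count <= CERT_TABLE_INDEX:
        raise ValueError(f"NumberOfRvaAndSizes={count} at {count_at:#x}: no slot 4")
    # For this directory the first field is a file offset, not an RVA
    file_offset, size = struct.unpack_from("<II", pe, entry_at)
    return {"count_at": count_at, "entry_at": entry_at,
            "file_offset": file_offset, "size": size}
```

With the count written at 0x10C instead of 0xEC, the parser reads a count of zero at the expected position and rejects the header, which is the symptom the commit message reports.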
@shannah shannah merged commit a38fd7c into master Mar 11, 2026
16 checks passed
@shannah shannah deleted the claude/investigate-windows-signing-QlM7S branch March 11, 2026 23:12
shannah pushed a commit that referenced this pull request Mar 15, 2026
Documents the black-box specification for the Authenticode signing
support added in PR #431, including environment variable configuration,
supported keystore types (PFX, JKS, PKCS#11), and usage examples.

https://claude.ai/code/session_01Vwovc4eQee9KZ5LmUSJyqv
shannah added a commit that referenced this pull request Mar 15, 2026
Documents the black-box specification for the Authenticode signing
support added in PR #431, including environment variable configuration,
supported keystore types (PFX, JKS, PKCS#11), and usage examples.

https://claude.ai/code/session_01Vwovc4eQee9KZ5LmUSJyqv

Co-authored-by: Claude <noreply@anthropic.com>