[WIP] More implementation

Author: zooba

ci/release.yml

@@ -87,22 +87,22 @@ stages:
       displayName: 'Install Nuget'
 
     - powershell: |
-        nuget install python -Version 3.14.3 -x -noninteractive -o host_python
+        nuget install python -Version 3.14.4 -x -noninteractive -o host_python
         $py = Get-Item host_python\python\tools
         Write-Host "Adding $py to PATH"
         Write-Host "##vso[task.prependpath]$py"
-      displayName: Set up Python 3.14.3
+      displayName: Set up Python 3.14.4
       workingDirectory: $(Build.BinariesDirectory)
 
     - powershell: >
         python -c "import sys;
         print(sys.version);
         print(sys.executable);
-        sys.exit(0 if sys.version_info[:5] == (3, 14, 3, 'final', 0) else 1)"
-      displayName: Check Python version is 3.14.3
+        sys.exit(0 if sys.version_info[:5] == (3, 14, 4, 'final', 0) else 1)"
+      displayName: Check Python version is 3.14.4
 
     - powershell: |
-        python -m pip install "pymsbuild>=1.2.0b1"
+        python -m pip install "pymsbuild==1.2.2"
       displayName: 'Install build dependencies'
 
     - ${{ if eq(parameters.PreTest, 'true') }}:
@@ -357,13 +357,13 @@ stages:
         $hashes = $files  | `
             Sort-Object Name | `
             Format-Table Name, @{
-              Label="MD5";
-              Expression={(Get-FileHash $_ -Algorithm MD5).Hash}
+              Label="SHA256";
+              Expression={(Get-FileHash $_ -Algorithm SHA256).Hash}
             }, Length -AutoSize | `
             Out-String -Width 4096
         $hashes
       workingDirectory: $(DIST_DIR)
-      displayName: 'Generate hashes (MD5)'
+      displayName: 'Generate hashes (SHA256)'
 
     - ${{ if eq(parameters.Publish, 'true') }}:
       - ${{ if eq(parameters.Sign, 'true') }}:
@@ -374,7 +374,7 @@ stages:
           displayName: 'Download PuTTY key'
 
       - powershell: |
-          git clone https://github.com/python/cpython-bin-deps --branch putty --single-branch --depth 1 --progress -v "putty"
+          git clone https://github.com/python/cpython-bin-deps --revision 9f9e6fc31a55406ee5ff0198ea47bbb445eeb942 --depth 1 --progress -v "putty"
           "##vso[task.prependpath]$(gi putty)"
         workingDirectory: $(Pipeline.Workspace)
         displayName: 'Download PuTTY binaries'

ci/repartition-index.yml

@@ -13,7 +13,7 @@ parameters:
   type: boolean
   default: false
 - name: TestPublish
-  displayName: "Run all steps without publishing"
+  displayName: "Run all steps (including signing) without publishing"
   type: boolean
   default: false
 
@@ -29,6 +29,8 @@ stages:
 
     variables:
     - group: PythonOrgPublish
+    - ${{ if or(eq(parameters.Publish, 'true'), eq(parameters.TestPublish, 'true')) }}:
+      - group: CPythonSign
 
     steps:
     - checkout: self
@@ -50,6 +52,45 @@ stages:
       displayName: 'Repartition index'
       workingDirectory: $(Build.BinariesDirectory)
 
+    - ${{ if or(eq(parameters.Publish, 'true'), eq(parameters.TestPublish, 'true')) }}:
+      - powershell: |
+          git clone https://github.com/python/cpython-bin-deps --revision fb06137dccc43ed5b030cdd9e3560990b37f39da --depth 1 --progress -v "signtool"
+          "##vso[task.setvariable variable=MAKECAT]$(gi signtool\x64\makecat.exe)"
+          "##vso[task.setvariable variable=SIGNTOOL]$(gi signtool\x64\signtool.exe)"
+          "##vso[task.setvariable variable=DLIB]$(gi signtool\azure_trusted_signing\x64\Azure.CodeSigning.Dlib.dll)"
+        workingDirectory: $(Pipeline.Workspace)
+        displayName: 'Download signtool binaries'
+
+      - task: AzureCLI@2
+        displayName: 'Azure Login (1/2)'
+        inputs:
+          azureSubscription: 'Python Signing'
+          scriptType: 'ps'
+          scriptLocation: 'inlineScript'
+          inlineScript: |
+            "##vso[task.setvariable variable=AZURE_CLIENT_ID;issecret=true]${env:servicePrincipalId}" 
+            "##vso[task.setvariable variable=AZURE_ID_TOKEN;issecret=true]${env:idToken}"
+            "##vso[task.setvariable variable=AZURE_TENANT_ID;issecret=true]${env:tenantId}"
+          addSpnToEnvironment: true
+
+      - powershell: >
+          az login --service-principal
+          -u $(AZURE_CLIENT_ID)
+          --tenant $(AZURE_TENANT_ID)
+          --allow-no-subscriptions
+          --federated-token $(AZURE_ID_TOKEN)
+        displayName: 'Azure Login (2/2)'
+
+      - powershell: |
+          python "$(Build.SourcesDirectory)\ci\sign-json.py" (dir *.json)
+        displayName: 'Sign index files'
+        workingDirectory: $(Build.BinariesDirectory)
+        env:
+          SIGN_TOOLS: $(Pipeline.Workspace)\sign_tools
+          TRUSTED_SIGNING_URI: $(TrustedSigningUri)
+          TRUSTED_SIGNING_ACCOUNT: $(TrustedSigningAccount)
+          TRUSTED_SIGNING_CERTIFICATE_NAME: $(TrustedSigningCertificateName)
+
     - publish: $(Build.BinariesDirectory)\index
       artifact: index
       displayName: Publish index artifact
@@ -63,7 +104,7 @@ stages:
           displayName: 'Download PuTTY key'
 
       - powershell: |
-          git clone https://github.com/python/cpython-bin-deps --branch putty --single-branch --depth 1 --progress -v "putty"
+          git clone https://github.com/python/cpython-bin-deps --revision 9f9e6fc31a55406ee5ff0198ea47bbb445eeb942 --depth 1 --progress -v "putty"
           "##vso[task.prependpath]$(gi putty)"
         workingDirectory: $(Pipeline.Workspace)
         displayName: 'Download PuTTY binaries'

ci/sign-json.py

@@ -14,6 +14,7 @@
 except KeyError:
     TOOLS = Path("_sign_tools").absolute()
 
+
 def download_tool(url, name):
     dest = TOOLS / name
     dest.mkdir(parents=True, exist_ok=True)
@@ -34,7 +35,10 @@ def download_tool(url, name):
             with open(dest / f, "wb") as f2:
                 f2.write(zf.read(f))
 
-def find_tool(pattern, url):
+
+def find_tool(env, pattern, url):
+    if os.getenv(env):
+        return Path(os.environ[env])
     tools = list(TOOLS.glob(pattern))
     if tools:
         return tools[-1]
@@ -46,15 +50,19 @@ def find_tool(pattern, url):
     print("Failed to install tool for", pattern.replace("/", "\\").rpartition("\\")[-1])
     sys.exit(1)
 
+
 SIGNTOOL = find_tool(
+    "SIGNTOOL",
     "sign/bin/*/x64/signtool.exe",
     "https://www.nuget.org/api/v2/package/Microsoft.Windows.SDK.BuildTools/10.0.28000.1721",
 )
 MAKECAT = find_tool(
+    "MAKECAT",
     "sign/bin/*/x64/makecat.exe",
     None,
 )
 DLIB = find_tool(
+    "DLIB",
     "dlib/bin/x64/Azure.CodeSigning.Dlib.dll",
     "https://www.nuget.org/api/v2/package/Microsoft.ArtifactSigning.Client/1.0.128",
 )
@@ -64,6 +72,7 @@ def find_tool(pattern, url):
 print("makecat:", MAKECAT)
 print("dlib:", DLIB)
 
+
 AAS_DATA = {
     "Endpoint": os.environ["TRUSTED_SIGNING_URI"],
     "CodeSigningAccountName": os.environ["TRUSTED_SIGNING_ACCOUNT"],
@@ -74,18 +83,20 @@ def find_tool(pattern, url):
         "SharedTokenCacheCredential",
         "VisualStudioCredential",
         "VisualStudioCodeCredential",
-        "AzureCliCredential",
         "AzurePowerShellCredential",
         "AzureDeveloperCliCredential",
         "InteractiveBrowserCredential"
     ]
 }
 
+
 with open(TOOLS / "metadata.json", "w", encoding="utf-8") as f:
     json.dump(AAS_DATA, f, indent=2)
 
+
 CAT = Path.cwd() / (Path(sys.argv[1]).stem + ".cat")
 
+
 with open(TOOLS / "files.cdf", "w", encoding="ansi") as f:
     print("[CatalogHeader]", file=f)
     print("Name=", CAT.name, sep="", file=f)
@@ -99,18 +110,22 @@ def find_tool(pattern, url):
     for a in map(Path, sys.argv[1:]):
         print("<HASH>", a.name, "=", a.absolute(), sep="", file=f)
 
+
 if CAT.is_file():
     CAT.unlink()
 
+
 args = [MAKECAT, "-v", TOOLS / "files.cdf"]
 print("##[command]", end="")
 print(*args)
 run(args)
 
+
 if not CAT.is_file():
     print("Failed to create catalog.")
     sys.exit(2)
 
+
 args = [
     SIGNTOOL, "sign",
     "/v",
@@ -122,6 +137,7 @@ def find_tool(pattern, url):
     CAT
 ]
 
+
 print("##[command]", end="")
 print(*args)
 run(args)

src/_native/verify_trust.cpp

@@ -14,34 +14,145 @@ extern "C" {
 }
 
 
-static bool cert_subject_matches(PCCERT_CONTEXT pCert, const wchar_t *expected)
+static std::vector<BYTE> nameinfo_from_blob(CERT_NAME_BLOB *name)
 {
-    if (!pCert || !expected || !*expected) {
-        return true;
+    DWORD cb = 0;
+    if (!CryptDecodeObjectEx(
+            X509_ASN_ENCODING,
+            X509_NAME,
+            name->pbData,
+            name->cbData,
+            0,
+            nullptr,
+            nullptr,
+            &cb
+    ) || cb == 0) {
+        return {};
+    }
+
+    std::vector<BYTE> buf(cb);
+    if (!CryptDecodeObjectEx(
+            X509_ASN_ENCODING,
+            X509_NAME,
+            name->pbData,
+            name->cbData,
+            0,
+            nullptr,
+            buf.data(),
+            &cb
+    )) {
+        return {};
     }
+    buf.resize(cb);
+    return buf;
+}
 
+
+static std::vector<BYTE> nameinfo_from_name(const wchar_t *name)
+{
     DWORD encoded_size = 0;
 
-    if (!CertStrToNameW(X509_ASN_ENCODING, expected, CERT_X500_NAME_STR,
+    if (!CertStrToNameW(X509_ASN_ENCODING, name, CERT_X500_NAME_STR,
                         nullptr, nullptr, &encoded_size, nullptr)) {
-        return false;
+        return {};
     }
 
     std::vector<BYTE> encoded(encoded_size);
 
-    if (!CertStrToNameW(X509_ASN_ENCODING, expected, CERT_X500_NAME_STR,
+    if (!CertStrToNameW(X509_ASN_ENCODING, name, CERT_X500_NAME_STR,
                         nullptr, encoded.data(), &encoded_size, nullptr)) {
-        return false;
+        return {};
     }
 
     CERT_NAME_BLOB expected_name = {};
     expected_name.cbData = encoded_size;
     expected_name.pbData = encoded.data();
 
-    return CertCompareCertificateName(X509_ASN_ENCODING, &pCert->pCertInfo->Subject, &expected_name);
+    return nameinfo_from_blob(&expected_name);
+}
+
+
+static std::wstring read_rdn_attr(CERT_RDN_ATTR &attr) {
+    DWORD cb = CertRDNValueToStrW(attr.dwValueType, &attr.Value, nullptr, 0);
+    if (cb > 1024) {
+        return {};
+    }
+    std::wstring v(cb, L'\0');
+    v.resize(CertRDNValueToStrW(attr.dwValueType, &attr.Value, v.data(), cb));
+    return v;
 }
 
 
+static bool cert_subject_matches(PCCERT_CONTEXT pCert, const wchar_t *expected)
+{
+    if (!pCert || !expected || !*expected) {
+        return true;
+    }
+
+    auto expected_info_buf = nameinfo_from_name(expected);
+    auto actual_info_buf = nameinfo_from_blob(&pCert->pCertInfo->Subject);
+
+    if (expected_info_buf.empty() || actual_info_buf.empty()) {
+        return false;
+    }
+
+    const CERT_NAME_INFO *expected_info =
+        reinterpret_cast<const CERT_NAME_INFO *>(expected_info_buf.data());
+    const CERT_NAME_INFO *actual_info =
+        reinterpret_cast<const CERT_NAME_INFO *>(actual_info_buf.data());
+
+    // Turn constraints into a vector of (oid, value) pairs.
+    // Each pair must be present in the actual name.
+    std::vector<std::pair<std::string, std::wstring>> expected_pairs;
+    expected_pairs.reserve(8);
+
+    for (DWORD i = 0; i < expected_info->cRDN; ++i) {
+        CERT_RDN &rdn = expected_info->rgRDN[i];
+        for (DWORD j = 0; j < rdn.cRDNAttr; ++j) {
+            CERT_RDN_ATTR &attr = rdn.rgRDNAttr[j];
+            if (!attr.pszObjId) {
+                return false;
+            }
+
+            auto v = read_rdn_attr(attr);
+            if (!v.empty()) {
+                expected_pairs.emplace_back(std::string(attr.pszObjId), std::move(v));
+            }
+        }
+    }
+
+    // For each expected (OID, value), find an identical (OID, value) in the actual name.
+    for (const auto &need : expected_pairs) {
+        const std::string &oid = need.first;
+        const std::wstring &expect = need.second;
+
+        bool found = false;
+
+        for (DWORD i = 0; i < actual_info->cRDN && !found; ++i) {
+            CERT_RDN &rdn = actual_info->rgRDN[i];
+            for (DWORD j = 0; j < rdn.cRDNAttr; ++j) {
+                CERT_RDN_ATTR &attr = rdn.rgRDNAttr[j];
+                if (!attr.pszObjId || oid != attr.pszObjId) {
+                    continue;
+                }
+
+                auto v = read_rdn_attr(attr);
+
+                if (CompareStringOrdinal(v.c_str(), -1, expect.c_str(), -1, TRUE) == CSTR_EQUAL) {
+                    found = true;
+                    break;
+                }
+            }
+        }
+
+        if (!found) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
 static bool resolve_eku_to_oid_utf8(const wchar_t *eku_in, std::string &oid_out) {
     oid_out.clear();
     if (!eku_in || !*eku_in) {