Drop psign into a Windows CI job as a signtool replacement and have parity tests prove the signatures match.
Sign PE executables, MSI installers, and CAB archives from Linux or macOS without touching a Windows VM.
Pull a signing certificate from Azure Key Vault or Azure Artifact Signing over REST and use it from a portable Rust binary.
Migrate an existing AzureSignTool pipeline to psign by following the migration notes referenced in the README.
Build with cargo or install via dotnet tool. Real-world use needs a code-signing certificate, often in Azure Key Vault.
psign is a command-line tool from Devolutions for code signing. Code signing is the process of attaching a cryptographic signature to a software file so that the operating system, and the people who download it, can check that the file really came from a specific publisher and has not been tampered with. On Windows, the standard tool for doing this has long been Microsoft's signtool.exe. psign is a Rust rewrite of that tool, aiming to behave the same way for the common operations: signing files, verifying signatures, adding RFC 3161 timestamps, removing signatures, and inspecting them.

The project tries to cover both worlds. On Windows it still uses the official system pieces (WinTrust, CryptSIP, and the mssign32 library) where it has to, so that its results match what signtool would produce. The README mentions that it runs differential parity tests against the native tool in continuous integration. On Linux and macOS it offers a portable mode, available through a 'portable' subcommand, that does the same work in pure Rust without calling any Windows APIs. That portable mode can sign PE executables, RDP files, CAB archives, MSI installers, and catalogs, and it can also talk to Azure Key Vault and Azure Artifact Signing over REST.

Distribution is done in a couple of ways. You can build it from source with cargo build (cargo is Rust's package manager). There is also a dotnet tool package on NuGet.org called Devolutions.Psign.Tool, so on a machine with the .NET SDK installed (version 10 or newer) you can install or run psign-tool with a single dotnet tool install command. Native binaries are published for Windows, Linux, and macOS on both x64 and arm64. The README points to a script and a roadmap document for Linux contributors.

psign also keeps its own file-based certificate store under ~/.psign/cert-store for portable workflows, using Windows-style SHA-1 thumbprints as file names so it can be addressed in the same way as the native Windows certificate store.
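To make the thumbprint-addressed store concrete, here is an added Python example (not psign's code) that computes a Windows-style SHA-1 thumbprint and looks a certificate up by it, re-hashing the file so a misnamed entry is rejected. The function names, the sample bytes, and the store layout (one PEM or DER certificate per file, named by thumbprint with any extension) are assumptions, not details taken from the README.

```python
import base64
import hashlib
import re
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-sample"


def cert_der(data: bytes) -> bytes:
    """Return DER bytes from PEM or raw DER input."""
    m = PEM_RE.search(data)
    if m is None:
        return data  # no PEM armor: treat as DER already
    return base64.b64decode(b"".join(m.group(1).split()), validate=True)


def thumbprint(data: bytes) -> str:
    """Windows-style thumbprint: SHA-1 over the full DER certificate, uppercase hex."""
    return hashlib.sha1(cert_der(data)).hexdigest().upper()


def normalize_thumbprint(text: str) -> str:
    """Drop spaces, colons and invisible characters picked up when copying from a GUI."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(cleaned) != 40:
        raise ValueError("a SHA-1 thumbprint is exactly 40 hex digits")
    return cleaned.upper()


def find_in_store(store: Path, wanted: str):
    """Find a store entry by thumbprint and re-hash it so a misnamed file is rejected.

    Assumed layout (not confirmed by the page): one PEM or DER certificate per file,
    named <thumbprint> with any extension.
    """
    wanted = normalize_thumbprint(wanted)
    for path in store.iterdir():
        if path.is_file() and path.stem.upper() == wanted:
            if thumbprint(path.read_bytes()) != wanted:
                raise ValueError(f"{path.name}: contents do not match the file name")
            return path
    return None
```

The thumbprint is only a lookup key over the certificate bytes; it says nothing about whether the certificate chains to a trusted root or is still valid.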
The README is heavy on flags, feature gates, and cross-references to other markdown files (gap analysis, migration notes from AzureSignTool, Linux signing pipelines), which gives a clear sense that the project is aimed at people who already work with code signing on Windows and want a portable alternative.
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.