psign

Rust ★ 59 updated 11d ago

Portable code signing tool

Rust rewrite of Microsoft's signtool.exe for code signing on Windows, with a portable Linux and macOS mode that signs PE, RDP, CAB, MSI, and catalog files and talks to Azure Key Vault over REST.

Tags: Rust, Cargo, dotnet, WinTrust, Azure. Setup: moderate. Complexity: 4/5

psign is a command-line tool from Devolutions for code signing. Code signing is the process of attaching a cryptographic signature to a software file so that the operating system, and the people who download it, can check that the file really came from a specific publisher and has not been tampered with. On Windows, the standard tool for doing this has long been Microsoft's signtool.exe. psign is a Rust rewrite of that tool, aiming to behave the same way for the common operations: signing files, verifying signatures, adding RFC3161 timestamps, removing signatures, and inspecting them.

The project tries to cover both worlds. On Windows it still uses the official system pieces (WinTrust, CryptSIP, and the mssign32 library) where it has to, so that its results match what signtool would produce. The README mentions that it runs differential parity tests against the native tool in continuous integration. On Linux and macOS it offers a portable mode, available through a 'portable' subcommand, that does the same work in pure Rust without calling any Windows APIs. That portable mode can sign PE executables, RDP files, CAB archives, MSI installers, and catalogs, and it can also talk to Azure Key Vault and Azure Artifact Signing over REST.

Distribution is done in a couple of ways. You can build it from source with cargo build (cargo is Rust's package manager and build tool). There is also a dotnet tool package on NuGet.org called Devolutions.Psign.Tool, so on a machine with the .NET SDK installed (version 10 or newer) you can install or run psign-tool with a single dotnet tool install command. Native binaries are published for Windows, Linux, and macOS on both x64 and arm64. The README points to a script and a roadmap document for Linux contributors.

psign also keeps its own file-based certificate store under ~/.psign/cert-store for portable workflows, using Windows-style SHA-1 thumbprints as file names so that certificates can be addressed in the same way as in the native Windows certificate store. The README is heavy on flags, feature gates, and cross-references to other markdown files (gap analysis, migration notes from AzureSignTool, Linux signing pipelines), which gives a clear sense that the project is aimed at people who already work with code signing on Windows and want a portable alternative.

Where it fits