cargo-code-sign 0.2.0

Sign Rust binaries after cargo build (macOS codesign, Windows signtool)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

# cargo-code-sign

A Cargo subcommand that automatically signs binaries after building.

## Usage

```sh
cargo install cargo-code-sign
cargo code-sign build --release
```

Or, wrap Cargo:

```sh
CARGO=cargo-code-sign
cargo build --release
```

## Signing identities

See the [`native-code-sign`](../native-code-sign/) configuration for [macOS](../native-code-sign/README.md#macos) and [Windows](../native-code-sign/README.md#windows).

No signing is performed on Linux — using `cargo code-sign` is a no-op.

### Configuration

- `CARGO_CODE_SIGN_TEST_BINARIES`: Set to `1` to also sign test binaries (default: disabled)
- `CARGO_CODE_SIGN_SKIP`: Set to `1` to skip signing entirely and pass all arguments directly to inner cargo
- `CARGO_CODE_SIGN_CARGO`: Path to the inner `cargo` command (see [Nested cargo wrappers](#nested-cargo-wrappers); default: `CARGO` env var, then `cargo`)

## Cross-compiles

Code signing is not supported during cross-compiles, as we require native tools to perform code
signing.

## Target files

Executable and library artifacts are signed by default. This does not include internal artifacts like
proc macros or build scripts.

Test binaries are not signed by default, but can be enabled with `CARGO_CODE_SIGN_TEST_BINARIES=1`.

## Nested cargo wrappers

When nesting multiple cargo wrappers, the `CARGO_CODE_SIGN_CARGO` variable can be used to configure
the inner `cargo` command invoked by `cargo-code-sign` as `cargo` will update the `CARGO` variable.