v0.6.0 — Signing-Focused Scope

Pure Rust
Code Signing

Authenticode, PKCS#7/CMS, and RFC 3161 timestamping in a single static binary. No OpenSSL. No C dependencies. Just Rust.

6 Formats
5 Algorithms
REST API
Pure Rust

Everything you need to sign

A complete code signing solution from Authenticode to post-quantum, delivered as a single zero-dependency binary.

Authenticode Signing

Full PE, CAB, and MSI signing with embedded signatures. Compatible with Windows signtool verification and SmartScreen.

PKCS#7 / CMS

Detached and embedded PKCS#7 signatures with full ASN.1 builder. SignedData, DigestedData, and ESS signed-attribute support.

RFC 3161 Timestamping

Client and built-in TSA server. Prove code was signed before certificate expiry.

Post-Quantum (ML-DSA)

Forward-looking ML-DSA lattice signatures alongside RSA, ECDSA P-256/P-384, and Ed25519. Ready for the quantum era.

PowerShell SIP

Sign and verify PowerShell scripts with Subject Interface Package (SIP) support. Drop-in replacement for Set-AuthenticodeSignature.

REST API + LDAP Auth

Run as a web service with LDAP/AD authentication, audit logging, and rate limiting. Enterprise-ready signing infrastructure.

Sign in seconds

Simple CLI, powerful results. One binary handles signing, verification, and timestamping.

pki-sign — terminal

# Sign a Windows executable
> pki-sign sign app.exe --pfx cert.pfx
✓ Loaded PFX (RSA 2048, CN=My Org)
✓ Authenticode signed (SHA-256)
✓ Timestamped (RFC 3161)

# Verify the signature
> pki-sign verify app.exe
✓ Valid Authenticode signature
✓ Certificate chain verified
✓ Timestamp verified (2026-03-16T09:14:22Z)

# Sign a CAB archive with ECDSA
> pki-sign sign package.cab --key ec-p256.pem --cert signing.crt
✓ Loaded ECDSA P-256 key
✓ CAB signed (SHA-256)
✓ Timestamped (RFC 3161)

# Run as a signing service
> pki-sign serve --bind 0.0.0.0:8443 --ldap ldap://dc.corp.local
▸ Listening on https://0.0.0.0:8443
▸ LDAP auth: dc.corp.local
▸ Audit log: /var/log/pki-sign/audit.json

Clean architecture

28 source files, modular design. Every component is isolated, testable, and auditable.

crates/pki-sign/src/
  pe/
    parser.rs        — PE format parser
    authenticode.rs  — Authenticode digest + verification
    embed.rs         — Signature embedding into PE sections
  pkcs7/
    asn1.rs          — ASN.1 DER encoding/decoding
    builder.rs       — PKCS#7 SignedData construction
    digested.rs      — CMS DigestedData
    ess.rs           — Enhanced Security Services
  web/
    handlers.rs      — HTTP request handlers
    middleware.rs    — Auth, rate-limit, logging middleware
    ldap.rs          — LDAP/Active Directory authentication
    audit.rs         — Structured audit event logging
  signer.rs          — Core signing engine
  verifier.rs        — Signature verification
  timestamp.rs       — RFC 3161 timestamp client
  tsa_server.rs      — Built-in TSA HTTP server
  cab.rs             — CAB archive signing
  msi.rs             — MSI installer signing
  powershell.rs      — PowerShell SIP signing
  config.rs          — Configuration + CLI parsing
  error.rs           — Error types (thiserror)

REST API

Run as a centralized signing service. Authenticate via LDAP, sign over HTTPS, audit everything.

POST  /api/v1/sign             Embedded Authenticode sign. Accepts PE/CAB/MSI/PowerShell upload, returns the signed artifact.
POST  /api/v1/sign-detached    Arbitrary-file detached CMS SignedData. Wrap any payload for transport + later verification.
POST  /api/v1/sign-batch       Batch sign multiple files in one ZIP upload. Returns a ZIP of signed artifacts + a CSV summary.
POST  /api/v1/verify           Verify an embedded-signed binary. Returns signature details, certificate chain, and timestamp status.
POST  /api/v1/verify-detached  Verify a detached CMS SignedData envelope against an original payload.
GET   /api/v1/health           Liveness check. Returns 200 OK when the service is up.
GET   /api/v1/status           Service status. Uptime, loaded certificates, signing statistics.
GET   /api/v1/certificate      Public certificate info for the active signer (subject, issuer, SKI, expiry).
POST  /api/v1/report-issue     Open a GitHub issue from the web UI (admin-authenticated, via configured GH token).
GET   /admin/certs             Admin: list available signing certificates. Shows subject, issuer, algorithm, expiration.
GET   /admin/audit             Admin: query audit log. Filter by user, action, time range. Returns structured JSON events.
POST  /admin/reload            Admin: hot-reload config + trust store without a restart.

RFC 3161 timestamping is exposed as a separate binding via pki-sign tsa serve (DER over HTTP). See the TSA section for details.

Requirements

Minimal dependencies by design. One binary, zero runtime requirements.

Static Binary

Single musl-linked binary. No shared libraries, no OpenSSL, no runtime dependencies. Just copy and run.

Build from Source

Rust 1.75+ and Cargo. Clone the repo, cargo build --release, done.

Apache 2.0 License

Use it in proprietary projects, embed it in your pipeline, fork it freely. Patent grant included.

Start signing today

Download the binary, import your PFX, and sign your first executable in under a minute.