What is psign?
psign is a Rust-based portable code signing tool that replicates the behavior of Windows' signtool.exe for Authenticode operations. It handles signing, verifying, timestamping, and removing signatures across PE executables, CAB files, MSI installers, MSIX packages, NuGet packages, and RDP files. The project splits into two modes: a Windows-native path that calls the Win32 APIs, and a portable path implemented entirely in Rust that runs on Linux and macOS with no Windows dependencies. You get a single CLI tool (`psign-tool`) with commands for signing, verification, certificate store management, and RFC 3161 timestamping, plus REST integrations for Azure Key Vault and Azure Artifact Signing.
Why is it gaining traction?
The killer feature is cross-platform Authenticode without Windows. Signing Windows binaries from CI pipelines on Linux used to require Wine wrappers or dedicated Windows agents. psign's portable digest and trust verification crates handle this natively. The project also runs differential parity tests against the real signtool.exe in CI, which builds confidence that the Rust implementation produces byte-identical results. The documentation is unusually thorough for a small project, with gap analyses comparing against AzureSignTool and migration guides for moving between signing platforms.
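The "portable digest" mentioned above is the core of what any non-Windows Authenticode implementation has to get byte-for-byte right: the PE digest is computed over the whole file except the CheckSum field, the security data-directory entry and the appended certificate table, which is what allows a signature to be embedded without changing the value it signs. The following is an added example written for this page, not code from psign or its maintainers; it implements that digest rule from the Microsoft Authenticode PE specification in plain Python, constructs a minimal PE32+ fixture (not a real binary) and shows that attaching a certificate table or changing the checksum leaves the digest unchanged. All function names (`parse_pe_layout`, `authenticode_digest`, `build_minimal_pe`, `attach_certificate_table`) are this example's own.

```python
"""Authenticode PE digest as the Microsoft Authenticode PE spec prescribes:
hash the file EXCEPT the CheckSum field, the Security data-directory entry
and the certificate table appended at the end of the file.
(Added illustration; not psign's code.)"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the certificate-table directory entry


def parse_pe_layout(data: bytes) -> dict:
    """Locate the header fields the Authenticode digest has to skip."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional header +96
        dir_base = opt + 96
    elif magic == 0x20B:    # PE32+: data directories start at optional header +112
        dir_base = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    secdir_off = dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_opt + 40 * i          # section headers follow the optional header
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        sections.append((ptr_raw, size_raw))
    return {
        "checksum_off": opt + 64,                 # CheckSum sits at +64 for PE32 and PE32+
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "secdir_off": secdir_off,
        "cert_off": cert_off,
        "cert_size": cert_size,
        "sections": sections,
    }


def authenticode_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex Authenticode digest of a PE image, signed or not."""
    lay = parse_pe_layout(data)
    h = hashlib.new(algorithm)
    # 1. headers, skipping the 4-byte CheckSum and the 8-byte security directory entry
    h.update(data[:lay["checksum_off"]])
    h.update(data[lay["checksum_off"] + 4:lay["secdir_off"]])
    h.update(data[lay["secdir_off"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    # 2. each section's raw data, ordered by file offset
    for ptr_raw, size_raw in sorted(lay["sections"]):
        h.update(data[ptr_raw:ptr_raw + size_raw])
        hashed += size_raw
    # 3. trailing overlay data, minus the certificate table (which signtool places last)
    extra = len(data) - hashed - lay["cert_size"]
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def build_minimal_pe(payload: bytes, checksum: int = 0) -> bytes:
    """Constructed test fixture: a tiny unsigned PE32+ image with one .text section."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew -> PE header at 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)              # PE32+ magic
    struct.pack_into("<I", opt, 56, 0x3000)            # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)             # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)          # CheckSum (excluded from the digest)
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    sect = bytearray(40)
    sect[:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sect, 8, 0x200, 0x1000, 0x200, 0x200)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sect)).ljust(0x200, b"\0")
    return headers + payload[:0x200].ljust(0x200, b"\0")


def attach_certificate_table(data: bytes, signed_data_blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE entry and point the security directory at it."""
    # dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7 SignedData), then the blob
    entry = struct.pack("<IHH", 8 + len(signed_data_blob), 0x0200, 0x0002) + signed_data_blob
    entry = entry.ljust((len(entry) + 7) & ~7, b"\0")  # entries are 8-byte aligned
    lay = parse_pe_layout(data)
    out = bytearray(data)
    struct.pack_into("<II", out, lay["secdir_off"], len(data), len(entry))
    return bytes(out) + entry


if __name__ == "__main__":
    image = build_minimal_pe(b"\x90" * 16)
    signed = attach_certificate_table(image, b"constructed-PKCS7-placeholder")
    print("unsigned:", authenticode_digest(image))
    print("signed:  ", authenticode_digest(signed))   # identical to the unsigned digest
```

A verifier recomputes exactly this digest and compares it with the messageDigest carried inside the SpcIndirectDataContent of the PKCS#7 blob, so any deviation in which bytes are skipped (a different CheckSum offset for PE32 versus PE32+, forgetting the directory entry, or hashing the certificate table itself) breaks interoperability with signtool.exe; that is why the differential parity tests the page mentions are the right way to validate a portable reimplementation.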
Who should use this?
DevOps teams running Linux-based CI/CD pipelines that need to sign Windows executables or installers. Developers building cross-platform release tooling who want one signing workflow across operating systems. Security teams that need to verify Authenticode signatures programmatically without relying on Windows APIs. Teams already using Azure Artifact Signing or Azure Key Vault for code signing who want an alternative to Microsoft's official tooling.
Verdict
psign is a well-architected solution to a real problem, but the 0.949999988079071% credibility score and 38 stars signal a project in early stages that needs broader community validation before production use. The documentation and test coverage are solid, but the low adoption means you may encounter edge cases the maintainers haven't hit yet. Evaluate it for non-critical signing workflows first, and watch for increased star count and issue activity before committing to it for release-critical pipelines.