diff --git a/pkgs/development/python-modules/signify/certificate-expiration-date.patch b/pkgs/development/python-modules/signify/certificate-expiration-date.patch
new file mode 100644
index 000000000000..6554211a4bc7
--- /dev/null
+++ b/pkgs/development/python-modules/signify/certificate-expiration-date.patch
@@ -0,0 +1,18 @@
+diff --git a/tests/test_authenticode.py b/tests/test_authenticode.py
+index 7e2c709..2f27e09 100644
+--- a/tests/test_authenticode.py
++++ b/tests/test_authenticode.py
+@@ -153,10 +153,12 @@ class AuthenticodeParserTestCase(unittest.TestCase):
+ """this certificate is revoked"""
+ with open(str(root_dir / "test_data" / "jameslth"), "rb") as f:
+ pefile = SignedPEFile(f)
+- pefile.verify()
++ pefile.verify(verification_context_kwargs=
++ {'timestamp': datetime.datetime(2021, 1, 1, tzinfo=datetime.timezone.utc)})
+
+ def test_jameslth_revoked(self):
+ """this certificate is revoked"""
++ # TODO: this certificate is now expired, so it will not show up as valid anyway
+ with open(str(root_dir / "test_data" / "jameslth"), "rb") as f:
+ pefile = SignedPEFile(f)
+ with self.assertRaises(VerificationError):
diff --git a/pkgs/development/python-modules/signify/default.nix b/pkgs/development/python-modules/signify/default.nix
new file mode 100644
index 000000000000..be0623b1b73b
--- /dev/null
+++ b/pkgs/development/python-modules/signify/default.nix
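Review bot: In `test_jameslth_revoked`, the added TODO concedes that the now-expired certificate fails verification on its own, so the `assertRaises(VerificationError)` below it no longer shows that revocation is detected; the test passes for the wrong reason. The verify call of that test lies outside the hunk, so its current arguments are not visible, but adding the same `'timestamp': datetime.datetime(2021, 1, 1, tzinfo=datetime.timezone.utc)` entry to its verification context would presumably leave revocation as the only reason for the error. If that is not possible, the TODO should say outright that revocation checking is currently untested, for example `# TODO: certificate has expired; this test no longer proves revocation is detected`.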
@@ -0,0 +1,36 @@
+{ lib, buildPythonPackage, fetchFromGitHub, pythonOlder, pytestCheckHook
+, certvalidator, pyasn1, pyasn1-modules
+}:
+
+buildPythonPackage rec {
+ pname = "signify";
+ version = "0.3.0";
+ disabled = pythonOlder "3.5";
+
+ src = fetchFromGitHub {
+ owner = "ralphje";
+ repo = pname;
+ rev = "v${version}";
+ sha256 = "sha256-JxQECpwHhPm8TCVW/bCnEpu5I/WETyZVBx29SQE4NmE=";
+ };
+ patches = [
+ # Upstream patch is available here:
+ # https://github.com/ralphje/signify/commit/8c345be954e898a317825bb450bed5ba0304b2b5.patch
+ # But update a couple other things and dont apply cleanly. This is an extract of the part
+ # we care about and breaks the tests after 2021-03-01
+ ./certificate-expiration-date.patch
+ ];
+
+ propagatedBuildInputs = [ certvalidator pyasn1 pyasn1-modules ];
+
+ checkInputs = [ pytestCheckHook ];
+ pytestFlagsArray = [ "-v" ];
+ pythonImportsCheck = [ "signify" ];
+
+ meta = with lib; {
+ homepage = "https://github.com/ralphje/signify";
+ description = "library that verifies PE Authenticode-signed binaries";
+ license = licenses.mit;
+ maintainers = with maintainers; [ baloo ];
+ };
+}
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 52a91a62846b..1000a64b5e25 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -7368,6 +7368,8 @@ in { singledispatch = callPackage ../development/python-modules/singledispatch { }; + signify = callPackage ../development/python-modules/signify { }; + sip = callPackage ../development/python-modules/sip { }; sip_5 = callPackage ../development/python-modules/sip/5.x.nix { };
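Review bot: The comment inside `patches` in `default.nix` reads as if the local patch breaks the tests after 2021-03-01, whereas the patch file added in this commit suggests it is the unpatched test suite that fails from that date, because the test certificate expired. The comment should also record that the patch touches only `tests/test_authenticode.py`, so the packaged library's verification behaviour is unchanged and only the tests run against a pinned time. Suggested wording: `# Test-only extract of upstream commit 8c345be954e898a317825bb450bed5ba0304b2b5; the full commit does not apply cleanly.` followed by `# Pins the verification timestamp in the tests, which otherwise fail after 2021-03-01 (expired test certificate).`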