PKCS7SignatureBuilder now supports new option NoCerts when signing

src/cryptography/hazmat/backends/openssl/backend.py

@@ -2719,6 +2719,10 @@ def pkcs7_sign(self, builder, encoding, options):
             signer_flags |= self._lib.PKCS7_NOSMIMECAP
         elif pkcs7.PKCS7Options.NoAttributes in options:
             signer_flags |= self._lib.PKCS7_NOATTR
+
+        if pkcs7.PKCS7Options.NoCerts in options:
+            signer_flags |= self._lib.PKCS7_NOCERTS
+
         for certificate, private_key, hash_algorithm in builder._signers:
             md = self._evp_md_non_null_from_algorithm(hash_algorithm)
             p7signerinfo = self._lib.PKCS7_sign_add_signer(

src/cryptography/hazmat/primitives/serialization/pkcs7.py

@@ -120,3 +120,4 @@ class PKCS7Options(Enum):
     DetachedSignature = "Don't embed data in the PKCS7 structure"
     NoCapabilities = "Don't embed SMIME capabilities"
     NoAttributes = "Don't embed authenticatedAttributes"
+    NoCerts = "Don't embed signer certificate"

tests/hazmat/primitives/test_pkcs7.py

@@ -535,6 +535,23 @@ def test_sign_no_attributes(self, backend):
             backend,
         )
 
+    def test_sign_no_certs(self, backend):
+        data = b"hello world"
+        cert, key = _load_cert_key()
+        builder = (
+            pkcs7.PKCS7SignatureBuilder()
+            .set_data(data)
+            .add_signer(cert, key, hashes.SHA256())
+        )
+
+        options = []
+        sig_with_cert = builder.sign(serialization.Encoding.DER, options)
+        assert sig_with_cert.count(cert.public_bytes(serialization.Encoding.DER)) == 1
+
+        options = [pkcs7.PKCS7Options.NoCerts]
+        sig_without_cert = builder.sign(serialization.Encoding.DER, options)
+        assert sig_without_cert.count(cert.public_bytes(serialization.Encoding.DER)) == 0
+
     def test_multiple_signers(self, backend):
         data = b"hello world"
         cert, key = _load_cert_key()