
ci: Sign Windows release artifacts #112

Open
MichalBerner wants to merge 1 commit into main from feature/75-exe-for-windows-is-not-digitally-signed

Conversation

@MichalBerner

Signs Windows release executables before packaging so published .zip artifacts contain Authenticode-signed binaries.

The release workflow now separates raw binary builds from packaging, uploads unsigned build outputs, signs Windows .exe files with Azure Artifact Signing through GitHub Actions OIDC, verifies the resulting signatures, then packages the signed artifacts and generates checksums from the final archives. scripts/build.sh can now skip packaging via SKIP_PACKAGE=1, while the new scripts/package.sh owns archive and checksum creation. RELEASING.md documents the required release-signing environment, Azure secrets, workflow variables, and certificate profile role.

Resolves #75

Remarks

  • The workflow signs only Windows executables; macOS and Linux packaging behavior is unchanged.
  • Checksums are generated after signing and packaging, so they describe the release artifacts users download.
  • The release workflow still only runs on v* tag pushes.

Review focus:

  • .github/workflows/release.yml - build/sign/package job split and Azure signing setup
  • scripts/build.sh and scripts/package.sh - packaging split and checksum generation
  • RELEASING.md - required release-signing setup documentation

Split release builds from packaging so Windows executables can be signed
before archives and checksums are created.

The release workflow now builds raw binaries, signs Windows artifacts with
Azure Artifact Signing via GitHub Actions OIDC, verifies Authenticode
signatures, packages the signed binaries, and publishes checksums for the
final archives.

Document the required release-signing environment, Azure secrets, workflow
variables, and certificate profile role.
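The ordering the description and commit message lay out (sign first, then archive, then checksum the final archives) as an added example that is not the project's scripts/package.sh or scripts/build.sh: a POSIX shell package step that refuses to continue when a binary or the archiver is missing and derives SHA256SUMS only from the archives it wrote. The binary naming scheme, the target lists, the archive formats (tar.gz for Unix targets, zip for Windows) and the assumption that the signing job has already signed and verified the Windows executables are all assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not the project's scripts/package.sh): package after signing,
# fail hard instead of warning, and checksum exactly what was produced.
# Naming scheme, target lists and archive formats are assumptions.
set -eu

# Targets expected in BUILD_DIR; override via the environment when calling.
UNIX_TARGETS="${UNIX_TARGETS:-linux-amd64 darwin-arm64}"
WINDOWS_TARGETS="${WINDOWS_TARGETS:-windows-amd64 windows-386}"

# package_release BUILD_DIR DIST_DIR BINARY_NAME VERSION
# Expects BUILD_DIR to contain <BINARY_NAME>-<VERSION>-<target>[.exe] files
# that the signing job has already signed and verified. Writes archives and
# SHA256SUMS into DIST_DIR and prints the path of the checksum file.
# Every failure uses an explicit "return 1" so the function aborts even when
# it is called in a context where "set -e" is suspended (e.g. an if test).
package_release() {
  build_dir="$1"; dist_dir="$2"; name="$3"; version="$4"
  archives=""

  mkdir -p "$dist_dir" || return 1
  # Make DIST_DIR absolute: the zip step cds into BUILD_DIR so the archive
  # stores bare file names rather than a directory prefix.
  dist_dir="$(cd "$dist_dir" && pwd)" || return 1

  for target in $UNIX_TARGETS; do
    bin="${name}-${version}-${target}"
    [ -f "${build_dir}/${bin}" ] || { echo "error: missing binary ${bin}" >&2; return 1; }
    archive="${bin}.tar.gz"
    tar -C "$build_dir" -czf "${dist_dir}/${archive}" "$bin" || return 1
    archives="${archives} ${archive}"
  done

  # A missing archiver must fail the release rather than silently drop the
  # Windows zips (and leave them out of the checksum file).
  if [ -n "$WINDOWS_TARGETS" ]; then
    command -v zip >/dev/null 2>&1 || { echo "error: zip command not found" >&2; return 1; }
  fi
  for target in $WINDOWS_TARGETS; do
    bin="${name}-${version}-${target}.exe"
    [ -f "${build_dir}/${bin}" ] || { echo "error: missing binary ${bin}" >&2; return 1; }
    archive="${bin%.exe}.zip"
    rm -f "${dist_dir}/${archive}"   # zip would otherwise update a stale archive in place
    (cd "$build_dir" && zip -q "${dist_dir}/${archive}" "$bin") || return 1
    archives="${archives} ${archive}"
  done

  [ -n "$archives" ] || { echo "error: no archives produced" >&2; return 1; }

  # Checksums are taken over the archives written above, so SHA256SUMS
  # describes exactly the files users download, signed binaries included.
  # $archives is deliberately unquoted: it is a space-separated list of
  # names that contain no whitespace.
  (cd "$dist_dir" && sha256sum $archives > SHA256SUMS) || return 1
  echo "${dist_dir}/SHA256SUMS"
}

# verify_release DIST_DIR: the same check a downloader or a post-publish
# job runs; non-zero exit means at least one archive no longer matches.
verify_release() {
  (cd "$1" && sha256sum -c SHA256SUMS)
}
```

Call `package_release build dist myapp 1.2.3` from the job that has downloaded the signed artifacts, and `verify_release dist` afterwards (on macOS substitute `shasum -a 256` for `sha256sum`). Because the checksum file is generated only from archives the function itself wrote, any failure in archiving stops the step before SHA256SUMS exists, so there is no window in which a checksum file describes artifacts that were never produced.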
MichalBerner requested review from alexrinass and Copilot, May 4, 2026 09:06
MichalBerner linked an issue May 4, 2026 that may be closed by this pull request

Copilot AI left a comment


Pull request overview

This PR updates the release pipeline to Authenticode-sign Windows executables before packaging, so published .zip artifacts contain signed binaries and checksums can be produced from the final release archives.

Changes:

  • Split release workflow into build → Windows signing (Azure OIDC) → package/release stages.
  • Split packaging/checksum generation out of scripts/build.sh into a new scripts/package.sh (with SKIP_PACKAGE=1 support).
  • Document the required release-signing GitHub environment and Azure configuration in RELEASING.md.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File - Description
.github/workflows/release.yml - Separates build/sign/package jobs; adds Azure Artifact Signing + signature verification before creating release artifacts.
scripts/build.sh - Adds strict bash mode and delegates packaging to scripts/package.sh, with optional SKIP_PACKAGE=1.
scripts/package.sh - New script to create archives and generate checksums after packaging.
RELEASING.md - Documents Windows signing setup (environment, secrets/vars, federated credential subject) and updates the release checklist/process.

Comment thread scripts/package.sh
(cd "$BUILD_DIR" && zip "${PACKAGE_NAME}-${VERSION}-windows-amd64.zip" "${BINARY_NAME}-${VERSION}-windows-amd64.exe")
(cd "$BUILD_DIR" && zip "${PACKAGE_NAME}-${VERSION}-windows-386.zip" "${BINARY_NAME}-${VERSION}-windows-386.exe")
else
echo "Warning: zip command not found, skipping Windows archives"
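Review bot: the `else` branch only prints a warning when `zip` is missing and lets the script continue, so a release could be published without its Windows archives (and without entries for them in the checksum file) while the job still reports success. Since signed Windows .zip artifacts are the whole point of this change, make a missing `zip` fatal, e.g. `echo "Error: zip command not found" >&2` followed by `exit 1`, or install zip in the workflow before this script runs.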
Comment thread .github/workflows/release.yml
Comment on lines 1 to +14
name: Release

on:
push:
tags:
- 'v*'

jobs:
build:
name: Build and Release
name: Build binaries
runs-on: ubuntu-latest

permissions:
contents: read
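Review bot: the build job's `permissions:` grants only `contents: read`, which is correct now that this job only builds; when adding the signing job, put the `id-token: write` permission needed for the Azure OIDC login described in the PR in that job's own `permissions:` block rather than at workflow level, so the build and package jobs cannot request OIDC tokens, and keep `contents: write` limited to the job that creates the release.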

Comment on lines 9 to +12
build:
name: Build and Release
name: Build binaries
runs-on: ubuntu-latest

permissions:
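Review bot: once this job only builds and uploads unsigned binaries, the package/release job has two candidate artifacts to download, the unsigned build output and the signed output from the signing job; make the package job depend on the signing job via `needs:` and download only the signed artifact by name, so a misconfigured download step cannot ship unsigned .exe files even when signing succeeded.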
Development

Successfully merging this pull request may close these issues.

Exe for windows is not digitally signed