Skip to content

Add Windows binary signing with Azure Trusted Signing#109

Draft
Amund211 with Copilot wants to merge 2 commits into
mainfrom
copilot/add-windows-binary-signing
Draft

Add Windows binary signing with Azure Trusted Signing#109
Amund211 with Copilot wants to merge 2 commits into
mainfrom
copilot/add-windows-binary-signing

Conversation

Copilot AI commented Jan 15, 2026

Copy link
Copy Markdown
Contributor

Implements code signing for Windows executables in the CI pipeline using Azure Trusted Signing with OIDC authentication.

Changes

  • Permissions: Added id-token: write for Azure OIDC authentication
  • Azure Login: Authenticates using federated credentials (client-id, tenant-id, subscription-id)
  • Signing: Signs Windows EXE with SHA256 digests and RFC3161 timestamping via Azure/trusted-signing-action@v0
  • Verification: Validates signature using signtool verify before artifact upload

Workflow Order

The signing steps execute after PyInstaller build but before artifact upload:

Build → Store binary → Azure login → Sign → Verify → Upload artifact

All three new steps are Windows-conditional (env.OS_NAME == 'windows').

Original prompt

Add windows binary signing to testing.yml

- name: Azure login (windows)
  if: env.OS_NAME == 'windows'
  uses: azure/login@v2
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- name: Sign Windows EXE (windows)
  if: env.OS_NAME == 'windows'
  uses: Azure/trusted-signing-action@v0
  with:
    endpoint: ${{ secrets.AZURE_CODESIGNING_ENDPOINT }}
    trusted-signing-account-name: ${{ secrets.AZURE_CODESIGNING_ACCOUNT_NAME }}
    certificate-profile-name: ${{ secrets.AZURE_CODESIGNING_CERT_PROFILE_NAME }}
    files: ${{ env.BUILD_RESULT_NAME }}
    file-digest: SHA256
    timestamp-rfc3161: http://timestamp.acs.microsoft.com
    timestamp-digest: SHA256
    description: Prism
    description-url: https://github.com/Amund211/prism

- name: Verify Windows EXE signature (windows)
  if: env.OS_NAME == 'windows'
  shell: pwsh
  run: |
    signtool verify /pa /tw /v "${{ env.BUILD_RESULT_NAME }}"

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Co-authored-by: Amund211 <14028449+Amund211@users.noreply.github.com>
Copilot AI changed the title [WIP] Add Windows binary signing to testing.yml Add Windows binary signing with Azure Trusted Signing Jan 15, 2026
Copilot AI requested a review from Amund211 January 15, 2026 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants