Skip to content

ci: add Windows Authenticode signing to release pipeline#244

Open
Theosakamg wants to merge 1 commit into
mainfrom
feature/windows-code-signing
Open

ci: add Windows Authenticode signing to release pipeline#244
Theosakamg wants to merge 1 commit into
mainfrom
feature/windows-code-signing

Conversation

@Theosakamg

Copy link
Copy Markdown
Contributor

Summary

Add Windows Authenticode code signing to the release pipeline. Binaries are signed on ubuntu-latest using osslsigncode (Linux-native Authenticode signer), mirroring the existing macOS rcodesign pattern. The inline signing logic (macOS + Windows) is extracted into two reusable composite actions to keep release.yml maintainable.

Type of Change

  • Bug fix
  • New feature
  • Refactor (no functional change)
  • Documentation
  • Chore / dependency update

Related Issues

< Link every issue this PR closes or relates to. -->

Closes #

Changes

New composite actions

  • .github/actions/sign-windows/action.yml — installs osslsigncode via APT, signs the .exe with SHA-256 + DigiCert RFC 3161 timestamp, verifies the signature in-place
  • .github/actions/sign-macos/action.yml — extracts the existing rcodesign install / sign / notarize / verify steps

Modified

  • .github/workflows/release.yml — replaces ~100 lines of inline signing with two uses: calls; signing is gated on semver tags only

New GitHub secrets required (manual step)

Secret Value
WINDOWS_CERTIFICATE base64 -w 0 cert.pfx
WINDOWS_CERTIFICATE_PASSWORD password for the .pfx

Checklist

  • make lint passes — gofmt formatting + go vet clean
  • make build passes on Linux and macOS
  • make test-ci passes — unit tests with race detector
  • make coverage-ci run (if this PR adds or changes covered code)
  • Every new function has at least one slog.Debug / slog.DebugContext call
  • Documentation updated if user-facing behaviour changed
  • No secrets or credentials are exposed in logs or config snippets

- Extract macOS sign+notarize logic into composite action sign-macos
- Add Windows Authenticode signing via composite action sign-windows
- sign-windows: uses osslsigncode on ubuntu-latest (no Windows runner needed),
  signs with SHA-256 + DigiCert RFC 3161 timestamp, verifies in-place
- sign-macos: extracts existing rcodesign install/sign/notarize/verify steps
- release.yml: replace ~100 inline signing lines with two 'uses:' calls
- Signing is gated on semver tags only; PRs cross-compile unsigned

New secrets required (GitHub → Settings → Secrets):
  WINDOWS_CERTIFICATE         (base64-encoded .pfx)
  WINDOWS_CERTIFICATE_PASSWORD
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant