Sign executable to get more trust and reduce the likelihood of virus scanners complaining #16
Pull request overview
This PR updates the Windows packaging workflow to code-sign the generated kemforge.exe using Azure Trusted Signing, with the goal of improving reputation/trust and reducing antivirus false positives.
Changes:
- Added Azure authentication (azure/login) to Windows packaging jobs that produce the standalone EXE.
- Added Azure Trusted Signing steps to sign kemforge.exe in both the Chocolatey build and GitHub Release zip paths.
| files-folder: ${{ github.workspace }} | ||
| files-folder-filter: exe | ||
| file-digest: SHA256 | ||
| timestamp-rfc3161: http://timestamp.acs.microsoft.com |
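Review bot: `files-folder: ${{ github.workspace }}` combined with `files-folder-filter: exe` signs every `.exe` found anywhere under the checkout, not just the freshly built kemforge.exe; point `files-folder` at the directory that actually holds the build output so that any third-party, vendored or test binaries that happen to be in the workspace are not signed with the project's Trusted Signing certificate.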
The RFC3161 timestamp URL is using plain HTTP. Use an HTTPS timestamp endpoint to avoid downgrade/MITM risks during timestamping.
| timestamp-rfc3161: http://timestamp.acs.microsoft.com | |
| timestamp-rfc3161: https://timestamp.acs.microsoft.com |
| - name: Azure Login | ||
| uses: azure/login@v2 | ||
| with: | ||
| creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}' |
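Review bot: the `creds` input takes the whole service-principal JSON, clientSecret included; azure/login@v2 also accepts `client-id`, `tenant-id` and `subscription-id` as separate inputs, which is the form used for OIDC federation (no secret at all) and requires `permissions: id-token: write` on the job, and no `permissions:` block accompanies this step in the hunk. Switching to the separate inputs would also remove the hand-built JSON string, which breaks if a secret value ever contains a quote or backslash.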
These steps authenticate to Azure using a long-lived client secret. For GitHub Actions, prefer workload identity federation (OIDC) with azure/login (and grant only required permissions) to avoid storing a reusable secret and reduce blast radius if GitHub secrets are exposed.
| - name: Azure Login | ||
| uses: azure/login@v2 | ||
| with: | ||
| creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}' | ||
|
|
||
| - name: Sign executable with Azure Trusted Signing |
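Review bot: nothing in this region checks the outcome of the "Sign executable with Azure Trusted Signing" step before the Chocolatey package is built from the result; add a verification step right after it (for example `signtool verify /pa /v kemforge.exe` on the Windows runner) so the job fails when the file comes out unsigned or with an invalid timestamp instead of packaging an unsigned binary.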
The Azure Login + signing steps run unconditionally in chocobuild. On pull_request runs from forks, repository secrets are not available, so this will fail the job and block CI. Consider guarding these steps (and/or using a fallback unsigned build) behind a condition such as inputs.publish_enabled == 'true' && github.ref_name == 'main' or checking that the required secrets are non-empty.
| - name: Azure Login | |
| uses: azure/login@v2 | |
| with: | |
| creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}' | |
| - name: Sign executable with Azure Trusted Signing | |
| - name: Azure Login | |
| if: inputs.publish_enabled == 'true' && github.ref_name == 'main' | |
| uses: azure/login@v2 | |
| with: | |
| creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}' | |
| - name: Sign executable with Azure Trusted Signing | |
| if: inputs.publish_enabled == 'true' && github.ref_name == 'main' |
| files-folder: ${{ github.workspace }} | ||
| files-folder-filter: exe | ||
| file-digest: SHA256 | ||
| timestamp-rfc3161: http://timestamp.acs.microsoft.com |
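Review bot: Trusted Signing issues short-lived certificates, so the RFC 3161 timestamp configured in `timestamp-rfc3161` is what keeps the signature on the release zip's kemforge.exe valid after the certificate expires; confirm that this step fails (rather than emitting an untimestamped signature) when the timestamp server is unreachable, and use the HTTPS endpoint so the timestamp request cannot be tampered with in transit.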
The RFC3161 timestamp URL is using plain HTTP. Use an HTTPS timestamp endpoint to avoid downgrade/MITM risks during timestamping.
| timestamp-rfc3161: http://timestamp.acs.microsoft.com | |
| timestamp-rfc3161: https://timestamp.acs.microsoft.com |
| - name: Azure Login | ||
| uses: azure/login@v2 | ||
| with: | ||
| creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}' |
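Review bot: this is the third copy of the identical Azure Login block (and the second copy of the signing inputs) across the Chocolatey and GitHub Release jobs; factor the login-plus-sign pair into a composite action or reusable workflow so the timestamp URL, the run condition and the credential mode are fixed in one place and the two release paths cannot drift apart.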
These steps authenticate to Azure using a long-lived client secret. For GitHub Actions, prefer workload identity federation (OIDC) with azure/login (and grant only required permissions) to avoid storing a reusable secret and reduce blast radius if GitHub secrets are exposed.
No description provided.