Skip to content

chore: sign Windows binary with DigiCert EV certificate#51

Merged
mickvandijke merged 1 commit intomainfrom
chore-sign_windows_binary
Mar 31, 2026
Merged

chore: sign Windows binary with DigiCert EV certificate#51
mickvandijke merged 1 commit intomainfrom
chore-sign_windows_binary

Conversation

@jacderida
Copy link
Copy Markdown
Collaborator

@jacderida jacderida commented Mar 30, 2026

Summary

  • Adds a sign-windows job to the release workflow that signs ant-node.exe with our DigiCert EV code-signing certificate via DigiCert SSM
  • The sign job now depends on sign-windows and swaps the unsigned Windows archive for the signed one before post-quantum signing and checksums
  • Release notes updated to mention DigiCert EV signing for Windows

Ported from the working implementation in ant-client.

Test plan

  • Merge to main
  • Trigger Release workflow manually with dry_run: true and a version like v0.5.0-rc.0
  • Verify sign-windows job passes (smctl healthcheck, signing, Authenticode verification)
  • Verify sign job replaces unsigned archive and produces correct checksums

Required secrets (already configured)

SM_HOST, SM_API_KEY, SM_CLIENT_CERT_B64, SM_CLIENT_CERT_PASSWORD, SM_KEYPAIR_ALIAS

🤖 Generated with Claude Code

Copilot AI review requested due to automatic review settings March 30, 2026 22:16
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Windows Authenticode signing to the release pipeline by introducing a dedicated sign-windows job that signs ant-node.exe via DigiCert SSM, then swaps the Windows archive before the existing post-quantum signing + checksum steps.

Changes:

  • Add a sign-windows job (Windows runner) to extract, sign, verify, and repackage the Windows binary.
  • Update the sign job to depend on sign-windows and replace the unsigned Windows ZIP with the signed ZIP prior to PQ signing/checksums.
  • Update GitHub Release notes to mention DigiCert EV signing for Windows.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot AI review requested due to automatic review settings March 30, 2026 22:52
@jacderida jacderida force-pushed the chore-sign_windows_binary branch from cc6ca2e to 6801d2f Compare March 30, 2026 22:52
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jacderida jacderida force-pushed the chore-sign_windows_binary branch from 6801d2f to 097b81d Compare March 30, 2026 23:01
Copilot AI review requested due to automatic review settings March 30, 2026 23:07
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jacderida @claude
chore: sign Windows binary with DigiCert EV certificate
e9acf60 
Add a sign-windows job to the release workflow that signs ant-node.exe
using DigiCert SSM before the post-quantum signing step. The signed
binary is repackaged into the release archive. Mirrors the approach
used in ant-client.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jacderida jacderida force-pushed the chore-sign_windows_binary branch from cc0c2d8 to e9acf60 Compare March 30, 2026 23:28
Copilot AI review requested due to automatic review settings March 30, 2026 23:29
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jacderida jacderida force-pushed the chore-sign_windows_binary branch from ca427c0 to e9acf60 Compare March 31, 2026 00:01
@mickvandijke mickvandijke merged commit ca47dc7 into main Mar 31, 2026
35 checks passed
@mickvandijke mickvandijke deleted the chore-sign_windows_binary branch March 31, 2026 07:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mickvandijke mickvandijke mickvandijke approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jacderida @mickvandijke