From 03cb22c6574958b02d189a792b0e59cc64582135 Mon Sep 17 00:00:00 2001
From: Michael Suchacz <203725896+ibetitsmike@users.noreply.github.com>
Date: Tue, 9 Dec 2025 12:55:20 +0000
Subject: [PATCH 1/3] =?UTF-8?q?=F0=9F=A4=96=20fix:=20add=20debug=20logging?= =?UTF-8?q?=20to=20Windows=20sign=20script?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add console.log statements to diagnose why electron-builder isn't calling the custom signing script during releases.
_Generated with mux_
---
 scripts/sign-windows.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/scripts/sign-windows.js b/scripts/sign-windows.js
index 6e1b5ebc5c..e9f002ed64 100644
--- a/scripts/sign-windows.js
+++ b/scripts/sign-windows.js
@@ -14,11 +14,14 @@
 const { execSync } = require("child_process");
 const path = require("path");
+console.log("🔐 sign-windows.js loaded");
+
 /**
 * @param {import("electron-builder").CustomWindowsSignTaskConfiguration} configuration
 * @returns {Promise}
 */
 exports.default = async function sign(configuration) {
+ console.log("🔐 sign() function called for:", configuration.path);
 const filePath = configuration.path;
 // Check if signing is configured
From 9e9fa6da25c95c7c2748ecd6def21bcc2f2e7781 Mon Sep 17 00:00:00 2001
From: Michael Suchacz <203725896+ibetitsmike@users.noreply.github.com>
Date: Tue, 9 Dec 2025 13:00:03 +0000
Subject: [PATCH 2/3] =?UTF-8?q?=F0=9F=A4=96=20fix:=20add=20Windows=20code?= =?UTF-8?q?=20signing=20to=20PR=20workflow?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add EV code signing setup to the PR build-windows job so we can test signing on PRs instead of only on releases.
_Generated with mux_
---
 .github/workflows/pr.yml | 49 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 649bea8fef..89e7dbb227 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
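Review bot: The two `console.log` calls added to scripts/sign-windows.js are diagnostics for one investigation, yet nothing later in this series removes them, so they will run on every release build; the first is also a side effect of merely requiring the module. Either gate both behind an opt-in environment variable or add a comment such as `// TEMPORARY: diagnosing electron-builder not invoking this script; remove once resolved` above each. The second call would read better after the assignment, as `console.log("🔐 sign() function called for:", filePath);`. Keep any further debug output here limited to paths, since patch 2 shows this script's environment carrying `GCLOUD_ACCESS_TOKEN`. The body of `sign()` continues outside the hunk.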
@@ -287,6 +287,9 @@ jobs:
 needs: [changes]
 if: ${{ needs.changes.outputs.src == 'true' || needs.changes.outputs.config == 'true' }}
 runs-on: windows-latest
+ permissions:
+ contents: read
+ id-token: write # Required for GCP workload identity
 steps:
 - uses: actions/checkout@v4
 with:
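Review bot: `id-token: write` on the PR `build-windows` job, together with the `GCLOUD_ACCESS_TOKEN` env on `make dist-win` in the next hunk, gives the EV signing identity to code that comes from the pull request itself, because `bun run build` and `make dist-win` execute whatever the branch contains. The workflow trigger is outside the hunk, so whether fork PRs are excluded cannot be confirmed from here, but any branch pushed to the repository could then obtain EV signatures on binaries of its choosing. A signing test is safer in a manually dispatched job or behind a protected environment with required reviewers, with the GCP workload identity binding restricted to that ref or environment. If it has to live here briefly, say so in place with `# TEMPORARY: signing test only, revert before merge` above `permissions:`.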
@@ -301,7 +304,53 @@ jobs:
 bun --version
 magick --version | head -1
 - run: bun run build
+
+ # Setup Java for jsign (EV code signing with GCP KMS)
+ - name: Setup Java
+ uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
+ with:
+ distribution: "zulu"
+ java-version: "11.0"
+
+ - name: Authenticate to Google Cloud
+ id: gcloud_auth
+ if: ${{ vars.GCP_WORKLOAD_ID_PROVIDER != '' }}
+ uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
+ with:
+ workload_identity_provider: ${{ vars.GCP_WORKLOAD_ID_PROVIDER }}
+ service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+ token_format: "access_token"
+
+ - name: Setup code signing
+ shell: pwsh
+ run: |
+ if (-not $env:EV_SIGNING_CERT) {
+ Write-Host "⚠️ No Windows code signing certificate provided - building unsigned"
+ exit 0
+ }
+
+ # Save EV certificate to temp file
+ $certPath = Join-Path $env:TEMP "ev_cert.pem"
+ Set-Content -Path $certPath -Value $env:EV_SIGNING_CERT
+ Add-Content -Path $env:GITHUB_ENV -Value "EV_CERTIFICATE_PATH=$certPath"
+
+ # Download jsign
+ $jsignPath = Join-Path $env:TEMP "jsign-6.0.jar"
+ Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar" -OutFile $jsignPath
+ Add-Content -Path $env:GITHUB_ENV -Value "JSIGN_PATH=$jsignPath"
+
+ Write-Host "✅ Windows EV code signing configured"
+ env:
+ EV_SIGNING_CERT: ${{ secrets.EV_SIGNING_CERT }}
+
 - run: make dist-win
+ env:
+ # EV signing environment variables (used by custom sign script if configured)
+ EV_KEYSTORE: ${{ vars.EV_KEYSTORE }}
+ EV_KEY: ${{ vars.EV_KEY }}
+ EV_TSA_URL: ${{ vars.EV_TSA_URL }}
+ GCLOUD_ACCESS_TOKEN: ${{ steps.gcloud_auth.outputs.access_token }}
+
 - uses: actions/upload-artifact@v4
 with:
 name: build-windows
From c34197a952b78324492b06adf31345bd55057050 Mon Sep 17 00:00:00 2001
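Review bot: The jsign jar in the "Setup code signing" step is fetched with `Invoke-WebRequest` and used without an integrity check, while the two actions in the same hunk are pinned to commit SHAs. The jar is presumably what the sign script runs with the access token (the comment on "Setup Java" says Java is for jsign), so it deserves the same pinning. After the download, compare against a recorded digest, e.g. `if ((Get-FileHash $jsignPath -Algorithm SHA256).Hash -ne $env:JSIGN_SHA256) { throw "jsign hash mismatch" }`, where `JSIGN_SHA256` is a placeholder name for the SHA-256 taken from a verified copy of the 6.0 release. Separately, the auth step is gated on `vars.GCP_WORKLOAD_ID_PROVIDER` while this step is gated on the certificate secret, so a configuration with only the certificate set would reach `make dist-win` with an empty `GCLOUD_ACCESS_TOKEN`; a comment or an explicit check for that case would make the failure easier to read.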
From: Michael Suchacz <203725896+ibetitsmike@users.noreply.github.com>
Date: Tue, 9 Dec 2025 13:13:27 +0000
Subject: [PATCH 3/3] =?UTF-8?q?=F0=9F=A4=96=20fix:=20remove=20signing=20fr?= =?UTF-8?q?om=20PR=20workflow?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signing works - confirmed on PR. Remove test setup.
_Generated with mux_
---
 .github/workflows/pr.yml | 49 ----------------------------------------
 1 file changed, 49 deletions(-)
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index 89e7dbb227..649bea8fef 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -287,9 +287,6 @@ jobs:
 needs: [changes]
 if: ${{ needs.changes.outputs.src == 'true' || needs.changes.outputs.config == 'true' }}
 runs-on: windows-latest
- permissions:
- contents: read
- id-token: write # Required for GCP workload identity
 steps:
 - uses: actions/checkout@v4
 with:
@@ -304,53 +301,7 @@ jobs:
 bun --version
 magick --version | head -1
 - run: bun run build
-
- # Setup Java for jsign (EV code signing with GCP KMS)
- - name: Setup Java
- uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
- with:
- distribution: "zulu"
- java-version: "11.0"
-
- - name: Authenticate to Google Cloud
- id: gcloud_auth
- if: ${{ vars.GCP_WORKLOAD_ID_PROVIDER != '' }}
- uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
- with:
- workload_identity_provider: ${{ vars.GCP_WORKLOAD_ID_PROVIDER }}
- service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
- token_format: "access_token"
-
- - name: Setup code signing
- shell: pwsh
- run: |
- if (-not $env:EV_SIGNING_CERT) {
- Write-Host "⚠️ No Windows code signing certificate provided - building unsigned"
- exit 0
- }
-
- # Save EV certificate to temp file
- $certPath = Join-Path $env:TEMP "ev_cert.pem"
- Set-Content -Path $certPath -Value $env:EV_SIGNING_CERT
- Add-Content -Path $env:GITHUB_ENV -Value "EV_CERTIFICATE_PATH=$certPath"
-
- # Download jsign
- $jsignPath = Join-Path $env:TEMP "jsign-6.0.jar"
- Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar" -OutFile $jsignPath
- Add-Content -Path $env:GITHUB_ENV -Value "JSIGN_PATH=$jsignPath"
-
- Write-Host "✅ Windows EV code signing configured"
- env:
- EV_SIGNING_CERT: ${{ secrets.EV_SIGNING_CERT }}
-
 - run: make dist-win
- env:
- # EV signing environment variables (used by custom sign script if configured)
- EV_KEYSTORE: ${{ vars.EV_KEYSTORE }}
- EV_KEY: ${{ vars.EV_KEY }}
- EV_TSA_URL: ${{ vars.EV_TSA_URL }}
- GCLOUD_ACCESS_TOKEN: ${{ steps.gcloud_auth.outputs.access_token }}
-
 - uses: actions/upload-artifact@v4
 with:
 name: build-windows