Add Windows Authenticode signing support for bundle publishing#444
Merged
Add optional inputs for configuring Windows code signing via environment variables. When win_signing_certificate is provided, the base64-encoded PFX is decoded to a temp file and JDEPLOY_WIN_* env vars are set for the packaging steps. Certificate is cleaned up after the action completes. https://claude.ai/code/session_01911Jm72yb9Ph2WK9nP36hC
Add win_signing_keystore_type and win_signing_pkcs11_config inputs to support HSM-based Authenticode signing in addition to local PFX certificates. The setup step now triggers when either win_signing_certificate or win_signing_pkcs11_config is provided. https://claude.ai/code/session_01911Jm72yb9Ph2WK9nP36hC
Document all action inputs, usage examples for PFX and PKCS#11/HSM signing, and security notes for handling certificates in CI. https://claude.ai/code/session_01911Jm72yb9Ph2WK9nP36hC
PublishBundleService.buildBundles() was calling Bundler.runit() directly to create pre-built bundles, bypassing the Authenticode signing in PackageService. At install time, the pre-built bundle replaced the locally-built exe, resulting in an unsigned app on the user's machine. Inject WindowsSigningService and WindowsSigningConfigFactory into PublishBundleService and sign Windows exe files after building and before wrapping into tar.gz archives. https://claude.ai/code/session_01911Jm72yb9Ph2WK9nP36hC
Add 5 unit tests to PublishBundleServiceTest:
- Signs Windows exe bundles when signing is configured
- Does not sign non-Windows bundles
- Skips signing when no config is present
- Signs both GUI and CLI Windows bundles
- Continues on signing failure (non-fatal)

Add 2 mock network integration tests to BundlePublishMockNetworkTest:
- Full prepare flow signs Windows exe in pre-built bundles
- Full prepare flow skips signing when not configured

These tests use a real PublishBundleService with mocked signing services and mocked Bundler.runit() to verify the fix for unsigned pre-built Windows bundles. https://claude.ai/code/session_01911Jm72yb9Ph2WK9nP36hC
…nature jsign 7.0 stripped self-signed certificates from the PKCS7 certificate store embedded in the Authenticode signature. This caused Windows to report "certificate for the signer is invalid or not found" because the signer's certificate was missing from the signature, even though the signature itself was correctly applied. jsign 7.3 includes the fix: "Self-signed certificates are no longer removed from the certificate store embedded in the signature." https://claude.ai/code/session_01911Jm72yb9Ph2WK9nP36hC
The mock-network-tests workflow built shared and installer modules individually but never installed the parent POM into the local Maven repo. When the installer module resolved jdeploy-shared as a dependency, Maven couldn't find jdeploy-parent:pom:1.0-SNAPSHOT. Add `mvn -N install` step to install the parent POM first. https://claude.ai/code/session_01911Jm72yb9Ph2WK9nP36hC
Summary
This PR adds comprehensive Windows Authenticode code signing support to jDeploy's bundle publishing workflow. Windows executables can now be automatically signed during the publish process using certificates stored locally or on hardware security modules (HSMs).
Key Changes
PublishBundleService: Integrated Windows signing into the bundle build pipeline
- Injected WindowsSigningService and WindowsSigningConfigFactory dependencies
- Added signWindowsExeIfConfigured() after building Windows exe bundles (both GUI and CLI variants)

GitHub Action Integration (action.yml):
- Optional inputs win_signing_certificate, win_signing_keystore_type and win_signing_pkcs11_config configure signing; the base64-encoded PFX is decoded to a temp file and exposed to the packaging steps through JDEPLOY_WIN_* environment variables

Documentation (windows-authenticode-signing.md):
- Documents all action inputs, with usage examples for PFX and PKCS#11/HSM signing and security notes for handling certificates in CI

Test Coverage:
- BundlePublishMockNetworkTest: mock network integration tests covering the full prepare flow with and without signing configured
- PublishBundleServiceTest: unit tests for signing Windows exe bundles, skipping non-Windows bundles, skipping when no config is present, signing both GUI and CLI bundles, and continuing on signing failure

Implementation Details
- Signing runs only when WindowsSigningConfigFactory.createFromEnvironment() returns a non-null config
- Only .exe files are signed; other bundle formats are skipped
- The decoded certificate is written under ${{ runner.temp }} and removed when the action completes

https://claude.ai/code/session_01911Jm72yb9Ph2WK9nP36hC
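The action-side certificate setup and cleanup described above, as an added example that is not the jDeploy action's own code. It assumes the input value arrives in INPUT_WIN_SIGNING_CERTIFICATE, the runner temp directory in RUNNER_TEMP, and uses JDEPLOY_WIN_CERTIFICATE as a placeholder name since the page does not list the exact JDEPLOY_WIN_* variables.

```shell
#!/usr/bin/env bash
# Added example (not jDeploy's code). Assumed names: INPUT_WIN_SIGNING_CERTIFICATE
# (base64 PFX from the win_signing_certificate input), RUNNER_TEMP (runner temp
# dir, falls back to mktemp -d for local runs) and JDEPLOY_WIN_CERTIFICATE
# (placeholder for the real JDEPLOY_WIN_* variable consumed by packaging).
set -euo pipefail

# Decode the base64 PFX into a mode-0600 file under the runner temp dir and
# print its path. Returns 1 when no certificate was provided (nothing written)
# and 2 when the base64 payload is corrupt (partial file removed), so the
# packaging step never receives a half-written keystore.
setup_win_signing() {
  local cert_b64="${INPUT_WIN_SIGNING_CERTIFICATE:-}"
  local tmp="${RUNNER_TEMP:-$(mktemp -d)}"
  [ -n "$cert_b64" ] || return 1
  local out
  out="$(mktemp "$tmp/jdeploy-win-cert.XXXXXX")"
  chmod 600 "$out"
  if ! printf '%s' "$cert_b64" | base64 -d > "$out" 2>/dev/null; then
    rm -f "$out"
    return 2
  fi
  # Hand the path to later steps the way a composite action does (GITHUB_ENV);
  # /dev/null keeps this a no-op outside GitHub Actions.
  printf 'JDEPLOY_WIN_CERTIFICATE=%s\n' "$out" >> "${GITHUB_ENV:-/dev/null}"
  echo "$out"
}

# Remove the decoded certificate once packaging is done; safe to call with an
# empty argument (e.g. when signing was not configured).
cleanup_win_signing() {
  if [ -n "${1:-}" ]; then
    rm -f "$1"
  fi
}
```

Register cleanup_win_signing in a trap (or a post step) so the keystore is deleted even when a packaging step fails.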