Problem
Downloaded installers and executables show a Windows SmartScreen / Defender warning ("Windows protected your PC") because the binaries are unsigned and have no reputation with Microsoft yet. Users have to click More info → Run anyway to proceed, which erodes trust for new users.
Solution: Azure Trusted Signing
The release workflow already has signing steps ready — they are conditional on GitHub secrets being set, so they are currently skipped.
Cost: ~$9.99/month via Azure Trusted Signing (cheapest CA option, no hardware token required, SmartScreen trusts it on day one).
One-time Azure setup (~10 min)
- Create a Trusted Signing account in the Azure portal
- Create a Certificate Profile (Subject CN: umage.ai)
- Create an App Registration → note Tenant ID, Client ID, generate a Client Secret
- Assign the app the Trusted Signing Certificate Profile Signer role
GitHub secrets to add
Go to Settings → Secrets and variables → Actions and add:
| Secret | Value |
| --- | --- |
| AZURE_TENANT_ID | From App Registration |
| AZURE_CLIENT_ID | From App Registration |
| AZURE_CLIENT_SECRET | Generated secret |
| AZURE_SIGNING_ENDPOINT | e.g. https://eus.codesigning.azure.net/ |
| AZURE_SIGNING_ACCOUNT | Your Trusted Signing account name |
| AZURE_SIGNING_PROFILE | Your certificate profile name |
Once these secrets are in place, the next tagged release will automatically sign both the .exe and .msi before packaging.
Alternatives
- SignPath.io — free for open-source projects, but requires manual approval and is slower to set up
- OV/EV certificate (DigiCert, Sectigo) — $100–500/year; EV gives instant SmartScreen reputation but requires a hardware token
Notes
- The workflow changes are already merged — no code work needed, only Azure/GitHub configuration
- Without signing, users can still install by clicking More info → Run anyway; this is just a trust/UX improvement
🤖 Generated with Claude Code
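
Because the signing steps are skipped whenever the secrets are missing, a release can ship unsigned without any job failing. A post-build gate for that case, as an added example that is not the project's workflow code; the `.\dist` folder, the parameter names and the function name are assumptions, and the expected CN is the one from the certificate profile above.

```powershell
# Added example, not part of the project's release workflow.
# Fails the job when any .exe/.msi is unsigned, signed by an unexpected
# subject, or lacks a timestamp countersignature.
param(
    [string]$ArtifactDir = '.\dist',   # assumption: build output folder
    [string]$ExpectedCN  = 'umage.ai'  # Subject CN from the certificate profile
)
$ErrorActionPreference = 'Stop'

function Get-SignatureProblems {
    param([string]$Path, [string]$ExpectedCN)
    $problems = @()
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Unsigned files report NotSigned; tampered files report HashMismatch.
    if ($sig.Status -ne 'Valid') {
        $problems += "status=$($sig.Status)"
    }
    if ($null -eq $sig.SignerCertificate) {
        $problems += 'no signer certificate'
    } else {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $cn = $sig.SignerCertificate.GetNameInfo($nameType, $false)
        if ($cn -ne $ExpectedCN) { $problems += "unexpected signer CN '$cn'" }
    }
    # Without a timestamp the signature stops validating once the
    # signing certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $problems += 'no timestamp'
    }
    return ,$problems
}

$artifacts = Get-ChildItem -Path $ArtifactDir -Recurse -File -Include *.exe, *.msi
if (-not $artifacts) { throw "No .exe or .msi found under $ArtifactDir" }

$failed = $false
foreach ($file in $artifacts) {
    $problems = Get-SignatureProblems -Path $file.FullName -ExpectedCN $ExpectedCN
    if ($problems.Count -gt 0) {
        Write-Host "FAIL $($file.Name): $($problems -join '; ')"
        $failed = $true
    } else {
        Write-Host "OK   $($file.Name)"
    }
}
if ($failed) { exit 1 }
```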