set up windows code signing #5

Description

@draylegend

Context

Electrobun (v1.18.1) has no Windows code-signing support — confirmed against the docs and build.win config schema: unlike build.mac (which has codesign/notarize fields and ELECTROBUN_DEVELOPER_ID/ELECTROBUN_TEAMID env vars), build.win only supports icon, bundleCEF, defaultRenderer, chromiumFlags. There's no cert/thumbprint config field and no signing step in the build pipeline for Windows.

Right now the app ships as an unsigned Setup.exe/.zip via GitHub Releases (see #3), which triggers a Windows SmartScreen warning for downloaders. Deferred intentionally until there's budget/need for a certificate.

What's needed

  • Get a code-signing certificate — options to evaluate: Azure Trusted Signing (cheapest, no hardware token, works well in CI), or a traditional purchased OV/EV cert
  • Add a signtool sign /fd sha256 /tr <timestamp-url> /td sha256 build\stable-win-x64\letora-Setup.exe step to the release CI workflow, after electrobun build --env=stable and before the artifacts are uploaded
  • Store the cert/credentials as GitHub Actions secrets
  • Re-run signing on the extracted installer's inner .exe if Setup.exe alone isn't sufficient (Electrobun's Windows installer is a self-extracting exe wrapping a separate .tar.zst archive — worth checking whether SmartScreen reputation applies to the extractor exe, the eventual installed binaries, or both)

Scope

Windows only. Not blocking GitHub Releases distribution (#3) — unsigned is acceptable for now.
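
A release-gate check that could run after the `signtool sign` step listed above and before the artifacts are uploaded. It is an added example, not part of the original issue or of Electrobun. It assumes a PowerShell step on a Windows runner; the `-Artifacts` and `-ExpectedSigner` parameters and the `EXPECTED_SIGNER` variable are hypothetical names.

```powershell
# Added example (not from the issue): fail the release job unless every
# artifact carries a valid, timestamped Authenticode signature.
# Assumptions: runs in a PowerShell step on a Windows runner; EXPECTED_SIGNER
# is a hypothetical variable holding part of the certificate subject.
param(
    # The Setup.exe path is the one named in the issue. Append the extracted
    # inner binaries here if they turn out to need signing as well.
    [string[]]$Artifacts = @('build\stable-win-x64\letora-Setup.exe'),
    [string]$ExpectedSigner = $env:EXPECTED_SIGNER
)

$failures = @()

foreach ($path in $Artifacts) {
    if (-not (Test-Path -LiteralPath $path)) {
        $failures += "${path}: file not found"
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path

    # Status is 'Valid' only when the file hash matches the signature and
    # the certificate chain is trusted on this machine.
    if ($sig.Status -ne 'Valid') {
        $failures += "${path}: $($sig.Status) - $($sig.StatusMessage)"
        continue
    }

    # Without a timestamp (/tr + /td) the signature stops validating once
    # the signing certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        $failures += "${path}: signed but not timestamped"
    }

    # Pin the signer so a signature from some other trusted certificate
    # does not pass the gate.
    if ($ExpectedSigner -and
        $sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
        $failures += "${path}: unexpected signer '$($sig.SignerCertificate.Subject)'"
    }
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "::error::$_" }
    exit 1
}
Write-Host "All $($Artifacts.Count) artifact(s) are signed and timestamped."
```

Listing both the extractor exe and the installed binaries in `-Artifacts` shows which of them are actually signed, but it does not answer the SmartScreen reputation question raised above.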

Labels: feat (New feature or request)

Status: Backlog