ci(windows): Authenticode-sign Traktor.exe and installer via SSL.com eSigner#54
Merged
Wires the SSL.com EV cert (order co-611l0tuqv0e) into release.yml's build-windows job using the sslcom/esigner-codesign action, pinned to b7f8ff3.

Two sign steps run:
1. Traktor.exe before Inno Setup packages it, so SmartScreen sees the entry-point binary signed on first run after install.
2. The final installer after ISCC and BEFORE the WinSparkle Ed25519 step. WinSparkle hashes final bytes, so Authenticode must come first or existing 1.11.x installs would reject the update.

Each sign step is followed by `signtool verify /pa /v` that fails the run if the signature didn't take.

malware_block is set to 'true' so a flagged scan kills the release rather than producing a Servmask-signed malicious payload in a supply-chain compromise scenario.

Secrets (ESIGNER_USERNAME, ESIGNER_PASSWORD, ESIGNER_CREDENTIAL_ID, ESIGNER_TOTP_SECRET) live in the release-signing GitHub Environment; the build-windows job declares environment: release-signing so other workflows cannot read them.
Build Artifacts
Built from 576f8a6. Artifacts expire after 90 days.
Pull request overview
Updates the Windows release workflow to Authenticode-sign the Windows executable and installer using SSL.com eSigner, with secrets scoped to a dedicated GitHub Environment for safer release signing.
Changes:
- Adds `environment: release-signing` to the Windows release job to scope `ESIGNER_*` secrets.
- Authenticode-signs `build/Traktor.exe` before Inno Setup packaging, then signs the generated installer.
- Adds post-sign `signtool verify /pa /v` steps to fail the workflow if signature verification fails.
Comment on lines +452 to +465
| - name: Verify Traktor.exe signature | ||
| shell: pwsh | ||
| run: | | ||
| # signtool.exe ships with the Windows SDK on windows-2022 but | ||
| # isn't on PATH. Pick the newest x64 build under Windows Kits. | ||
| $signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | | ||
| Where-Object { $_.DirectoryName -match '\\x64\\?$' } | | ||
| Sort-Object { [Version]($_.VersionInfo.FileVersion -replace '[^\d.].*$','') } -Descending | | ||
| Select-Object -First 1 -ExpandProperty FullName | ||
| if (-not $signtool) { throw "signtool.exe not found under Windows Kits" } | ||
| Write-Host "Using $signtool" | ||
| & $signtool verify /pa /v build\Traktor.exe | ||
| if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for build\Traktor.exe" } | ||
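Review bot: the check at `& $signtool verify /pa /v build\Traktor.exe` plus the `$LASTEXITCODE` throw only proves that some certificate chaining to a root trusted by the runner signed the file; it never asserts who the signer is, so a wrong credential picked by the eSigner step, or a test certificate, would pass this gate. After the verify, add an identity assertion, e.g. `$sig = Get-AuthenticodeSignature build\Traktor.exe`, then fail unless `$sig.Status -eq 'Valid'` and `$sig.SignerCertificate.Subject` (or, stronger, `.Thumbprint`) matches the expected Servmask certificate.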
Comment on lines +452 to +463
| - name: Verify Traktor.exe signature | ||
| shell: pwsh | ||
| run: | | ||
| # signtool.exe ships with the Windows SDK on windows-2022 but | ||
| # isn't on PATH. Pick the newest x64 build under Windows Kits. | ||
| $signtool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | | ||
| Where-Object { $_.DirectoryName -match '\\x64\\?$' } | | ||
| Sort-Object { [Version]($_.VersionInfo.FileVersion -replace '[^\d.].*$','') } -Descending | | ||
| Select-Object -First 1 -ExpandProperty FullName | ||
| if (-not $signtool) { throw "signtool.exe not found under Windows Kits" } | ||
| Write-Host "Using $signtool" | ||
| & $signtool verify /pa /v build\Traktor.exe |
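Review bot: the signtool discovery pipeline (`Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe` through `Select-Object -First 1 -ExpandProperty FullName`, with its `throw` and `Write-Host`) is copied verbatim from the previous verify step, so any fix to the version-sort regex has to be made twice. Move it into one earlier "Locate signtool" step that appends `SIGNTOOL_EXE=$signtool` to `$env:GITHUB_ENV`, and have both verify steps call `& $env:SIGNTOOL_EXE verify /pa /v <file>`.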
Addresses Copilot review on #54:
- signtool verify /pa only checks chain validity, not which publisher issued the cert. Add a Get-AuthenticodeSignature assertion that the signer subject matches CN=Servmask Inc., so a swapped credential or unexpected cert fails the run instead of silently passing.
- The "find newest signtool.exe" PowerShell snippet was duplicated in both verify steps. Factor it into a single Locate signtool step that exports SIGNTOOL_EXE to GITHUB_ENV for reuse.
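A post-sign verification step of the kind this commit describes, pinning the signer rather than only checking the chain. This is an added example, not code from the project's release.yml: the function name `Assert-AuthenticodeSigner`, the `-ExpectedSubjectCN` / `-ExpectedThumbprint` parameters and the placeholder values in the usage lines are assumptions for this example; the real CN and thumbprint come from the certificate SSL.com issued. It uses only `Get-AuthenticodeSignature` and the .NET `X509Certificate2` API, so it runs under pwsh on the windows-2022 runner without signtool.

```powershell
# Added example (not Traktor's release.yml). Verifies an Authenticode signature
# and pins the signer, so a wrong eSigner credential or a test cert fails the run.
function Assert-AuthenticodeSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubjectCN,
        [string] $ExpectedThumbprint,   # optional SHA-1 thumbprint: strongest pin
        [switch] $RequireTimestamp      # RFC 3161 timestamp so the sig outlives the cert
    )

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signed hash AND the chain builds to a
    # root the runner trusts. 'NotSigned' / 'HashMismatch' are what a skipped sign
    # step or a tampered binary produces.
    if ($sig.Status -ne 'Valid') {
        throw "$Path : signature status is $($sig.Status) ($($sig.StatusMessage))"
    }

    # A catalog-signed file also reports 'Valid'; release binaries must carry the
    # signature embedded in the PE so SmartScreen sees it on the user's machine.
    if ($sig.SignatureType -ne 'Authenticode') {
        throw "$Path : expected an embedded Authenticode signature, got $($sig.SignatureType)"
    }

    $cert = $sig.SignerCertificate

    # SimpleName returns the subject CN without hand-parsing the DN, which matters
    # when the CN itself contains a comma (e.g. "Servmask, Inc.").
    $cn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $ExpectedSubjectCN) {
        throw "$Path : signer CN is '$cn', expected '$ExpectedSubjectCN'"
    }

    if ($ExpectedThumbprint) {
        $want = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
        if ($cert.Thumbprint -ne $want) {
            throw "$Path : signer thumbprint $($cert.Thumbprint) does not match $want"
        }
    }

    # The leaf must be a code-signing certificate (EKU 1.3.6.1.5.5.7.3.3).
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($oids -notcontains '1.3.6.1.5.5.7.3.3') {
        throw "$Path : signer certificate lacks the code-signing EKU"
    }

    if ($RequireTimestamp -and -not $sig.TimeStamperCertificate) {
        throw "$Path : signature is not timestamped"
    }

    [pscustomobject]@{
        Path        = $Path
        Signer      = $cn
        Thumbprint  = $cert.Thumbprint
        Timestamped = [bool]$sig.TimeStamperCertificate
        Status      = $sig.Status
    }
}

# Usage: run after each sign step in CI, and on a Windows host for the test plan
# against both the installer and the extracted Traktor.exe. The CN and the
# thumbprint below are placeholders (assumption), not the real Servmask values.
$pin = @{
    ExpectedSubjectCN  = 'Servmask, Inc.'
    ExpectedThumbprint = '0000000000000000000000000000000000000000'
    RequireTimestamp   = $true
}
foreach ($file in 'build\Traktor.exe', 'build\Traktor-latest.exe') {
    Assert-AuthenticodeSigner -Path $file @pin | Format-List
}
```

Pinning the thumbprint is the stronger check: a subject CN can be re-issued under the same name by another CA, while the thumbprint identifies exactly the certificate bound to the eSigner credential, at the cost of updating the pinned value when the cert is renewed. Because `Get-AuthenticodeSignature` reports `Valid` only when the chain builds to a trusted root, the step also catches a runner image whose root store does not trust the SSL.com chain, which is the same failure an end user would see.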
developeritsme approved these changes on May 22, 2026
yani- added a commit that referenced this pull request on May 22, 2026
The signing pipeline merged in #54 only runs on tagged releases. Bumping to 1.11.2 so existing 1.11.x WinSparkle clients pull a Servmask Inc.-signed installer and replace the unsigned binary currently installed on disk. No code change in this commit; release-please picks up the fix: prefix and opens a Release PR for 1.11.2.
Summary
- Wires the SSL.com EV cert (order co-611l0tuqv0e) into the Windows release job via sslcom/esigner-codesign@b7f8ff3.
- Signs build/Traktor.exe before Inno Setup packages it, and the final installer after ISCC. Authenticode runs BEFORE the WinSparkle Ed25519 step so existing 1.11.x installs don't reject the update.
- Each sign step is followed by signtool verify /pa /v that fails the run on mismatch.
- malware_block: 'true' is set so a flagged pre-sign scan kills the release rather than producing a Servmask-signed malicious payload in a supply-chain compromise scenario.
- Scopes ESIGNER_* secrets to the new release-signing GitHub Environment via environment: release-signing on the build-windows job.

Required setup (out of band, before merge)
In repo Settings -> Environments, create release-signing and add these secrets:
- ESIGNER_USERNAME - SSL.com account username
- ESIGNER_PASSWORD - SSL.com account password
- ESIGNER_CREDENTIAL_ID - eSigner credential ID
- ESIGNER_TOTP_SECRET - eSigner TOTP seed (saved during credential setup)

Test plan
- ESIGNER_* secrets exist in the release-signing environment.
- Run release.yml via workflow_dispatch to produce a latest build. Confirm: Servmask, Inc. appcast-windows.xml.
- Download Traktor-latest.exe from the workflow artifacts. On a Windows host: Servmask, Inc. as signer for both the installer AND the extracted Traktor.exe.