Description
Sign the Windows executable with a code signing certificate to avoid Windows Defender / SmartScreen warnings and build user trust. Consider using SignPath or a similar CI-integrated signing service.
Acceptance Criteria
Implementation Guide
1. Certificate options
- SignPath.io: free for open-source projects, integrates with GitHub Actions; the signing key is held by SignPath and never enters the repository or the CI secrets
- Windows SDK signtool.exe with a purchased (OV or EV) code signing certificate
- Self-signed certificate: not an option for this purpose; Windows does not trust it, so it does not remove the Defender / SmartScreen warnings
- Let's Encrypt: not suitable for code signing (TLS server certificates only)
2. SignPath integration (recommended)
- Apply for the free OSS plan at signpath.io
- Add a signing step to .github/workflows/deploy.yml after the Windows build, so the artifact that is signed is the same one that is released
- SignPath provides a GitHub Action: SignPath/github-actions-sign@v1 (check the action name and current major version against the SignPath documentation before pinning it)
- Store the SignPath API token and project identifiers as GitHub secrets; the certificate itself stays with SignPath
3. Alternative: signtool + purchased certificate
- Purchase an OV or EV code signing certificate (e.g., from DigiCert, Sectigo)
- Caveat: since June 2023 the CA/Browser Forum requires code signing private keys to be generated and kept on a hardware token or HSM, so a newly issued certificate cannot be exported to a .pfx. Storing a base64-encoded .pfx as a GitHub secret only works for a certificate issued under the older rules; otherwise use the CA's cloud-hosted signing service or SignPath.
- If a .pfx is available: store it base64-encoded as a GitHub secret, decode it to a temporary file at signing time, and delete it afterwards; never commit it
- Add a step to deploy.yml that runs:
signtool sign /f cert.pfx /p $password /fd sha256 /tr http://timestamp.digicert.com /td sha256 wiredpanda.exe
(/fd and /td select SHA-256 for the file and timestamp digests; without the /tr timestamp the signature stops validating once the certificate expires. Follow with signtool verify /pa wiredpanda.exe so a broken signature fails the build instead of reaching users.)
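The signtool alternative as a complete workflow step. This is an added example, not code from the wiredpanda project or its deploy.yml; it assumes the job runs on a windows-latest runner, that the built binary is at build\wiredpanda.exe, and that two secrets named CODESIGN_PFX_BASE64 and CODESIGN_PFX_PASSWORD exist (all hypothetical names). Paste it under the job's steps: after the build step.

```yaml
# Added example (not the project's own workflow). Assumed: windows-latest runner,
# binary at build\wiredpanda.exe, secrets CODESIGN_PFX_BASE64 / CODESIGN_PFX_PASSWORD.
# Only usable with a certificate whose private key is exportable to a .pfx.
      - name: Sign Windows executable
        if: github.event_name == 'release'   # sign release artifacts only, not PR builds
        shell: pwsh
        env:
          PFX_B64: ${{ secrets.CODESIGN_PFX_BASE64 }}
          PFX_PASSWORD: ${{ secrets.CODESIGN_PFX_PASSWORD }}
        run: |
          $ErrorActionPreference = 'Stop'
          # signtool.exe ships with the Windows SDK on the runner but is not on PATH;
          # pick the newest SDK version directory (lexicographic sort is adequate here)
          $signtool = Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe' |
              Sort-Object FullName -Descending | Select-Object -First 1 -ExpandProperty FullName
          if (-not $signtool) { throw 'signtool.exe not found on this runner' }
          # Materialise the certificate only in the runner temp dir, never in the workspace
          $pfx = Join-Path $env:RUNNER_TEMP 'codesign.pfx'
          [IO.File]::WriteAllBytes($pfx, [Convert]::FromBase64String($env:PFX_B64))
          try {
            # /fd and /td: SHA-256 for file and timestamp digests (signtool defaults to SHA-1).
            # /tr: RFC 3161 timestamp so the signature stays valid after the cert expires.
            & $signtool sign /f $pfx /p $env:PFX_PASSWORD /fd sha256 `
                /tr http://timestamp.digicert.com /td sha256 /v build\wiredpanda.exe
            if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }
            # Verify against the default Windows Authenticode policy before the artifact is published
            & $signtool verify /pa /v build\wiredpanda.exe
            if ($LASTEXITCODE -ne 0) { throw "signature verification failed with exit code $LASTEXITCODE" }
          } finally {
            # Do not leave the private key on disk, even on an ephemeral runner
            Remove-Item $pfx -Force -ErrorAction SilentlyContinue
          }
```

The password is passed on the signtool command line, which is visible to other processes on the runner for the duration of the call; on a hosted, single-use runner that is usually accepted, but on a shared self-hosted runner prefer a hardware- or cloud-hosted key so no exportable secret is needed at all.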
Key files
.github/workflows/deploy.yml — Windows build and release step