Sign the Windows installer with Azure Trusted Signing#45
Conversation
The windows.yml installer job now builds a signed installer whenever the AZURE_TENANT_ID/AZURE_CLIENT_ID/AZURE_CLIENT_SECRET repo secrets are available, and falls back to the unsigned build on fork PRs. Signing config lives in a separate electron-builder.windows-signed.yml overlay because electron-builder 26 hard-fails any build that has win.azureSignOptions without Azure credentials in the environment. A fail-closed CI step asserts Get-AuthenticodeSignature returns Valid whenever signing was requested. Azure-side setup (account, identity validation, cert profile, service principal, secrets) is documented in docs/windows-signing.md; the overlay's account/profile names must match what gets created there. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Warning Review limit reached
Next review available in: 23 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (6)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
What
The
windows.ymlinstaller job now signs the Windows installer with Azure Trusted Signing whenever theAZURE_TENANT_ID/AZURE_CLIENT_ID/AZURE_CLIENT_SECRETrepo secrets are present, so testers stop hitting the SmartScreen "Unknown publisher" warning. Fork PRs (no secrets) keep building unsigned instead of failing.How
apps/desktop/electron-builder.windows-signed.yml— new overlay (extendsthe base config) holdingwin.azureSignOptions. It's a separate file on purpose: electron-builder 26 hard-fails any build that hasazureSignOptionsconfigured without Azure credentials in the environment, so the base config must stay credential-free for fork PRs and local boxes. Config resolution verified locally via app-builder-lib: the basewinblock (icon, dir/nsis targets, backend + ffmpeg extraResources) survives the merge.windows.yml— the installer job branches onAZURE_CLIENT_IDpresence (signed vs unsigned script), then a fail-closed step assertsGet-AuthenticodeSignaturereturnsValidwhenever signing was requested — a broken signature fails the job rather than shipping as an artifact.pnpm dist:desktop:windows:signed— signed variant of the Windows dist pipeline (same backend/ffmpeg/preflight steps, signed electron-builder config).docs/windows-signing.md— owner runbook for the Azure side: Trusted Signing account (West Europe / Basic), individual identity validation, Public Trust cert profile, CI service principal with the Certificate Profile Signer role, and the threegh secret setcommands.Not in this PR (blocked on the Azure account existing)
codeSigningAccountName/certificateProfileName/endpointassume the names suggested in the runbook — adjust if the created resources differ.publisherNamefor electron-updater signature verification — set once the cert is issued (TODO in the overlay), matters when the Windows auto-update feed ships.Verification
pnpm format:checkgreen.getConfig(merge preserves the basewinblock).🤖 Generated with Claude Code