
ci: add Windows code signing to desktop release workflow #1

Merged
Radhikaa-chauhan merged 1 commit into main from feature/windows-code-signing-2
Feb 18, 2026

Conversation

@Radhikaa-chauhan (Owner)

Fixes CircuitVerse#636

Describe the changes you have made in this PR -

This PR adds Windows code signing support to the desktop release pipeline.

Key changes include:

  • Extended the Tauri desktop release GitHub Actions workflow to support Windows code signing.
  • Securely decodes the signing certificate from GitHub Secrets during CI runtime.
  • Uses signtool with SHA256 hashing and DigiCert timestamping to sign the generated Windows executable.
  • Ensures signing runs only on Windows runners, without affecting macOS or Linux builds.
  • Keeps certificates and sensitive files out of the repository by design.

These changes improve the security, trust, and distribution readiness of Windows desktop releases.


Screenshots of the UI changes (If any) -

N/A (No UI changes)


Code Understanding and AI Usage

Did you use AI assistance (ChatGPT, Claude, Copilot, etc.) to write any part of this code?

  • No, I wrote all the code myself
  • Yes, I used AI assistance (continue below)

Explain your implementation approach:

The goal was to ensure that Windows desktop binaries produced by the release pipeline are properly code-signed, preventing security warnings and improving user trust.

I chose to integrate code signing directly into the existing Tauri release workflow instead of creating a separate pipeline, so signing happens automatically during releases.

The implementation works as follows:

  • The Windows signing certificate is stored securely in GitHub Secrets in base64 format.
  • During the Windows CI job, the certificate is decoded at runtime using certutil.
  • After the Tauri build completes, the generated .exe is signed using signtool with SHA256 for both file digest and timestamp digest.
  • DigiCert’s public timestamp server is used to ensure the signature remains valid after certificate expiration.
  • All certificate artifacts are kept ephemeral and are never committed to the repository.

This approach keeps the pipeline secure, minimal, and platform-specific, while following best practices for Windows Authenticode signing.


Checklist before requesting a review

  • I have added proper PR title and linked to the issue
  • I have performed a self-review of my code
  • I can explain the purpose of every function, class, and logic block I added
  • I understand why my changes work and have tested them thoroughly
  • I have considered potential edge cases and how my code handles them
  • If it is a core feature, I have added thorough tests
  • My code follows the project's style guidelines and conventions

Note: Please check Allow edits from maintainers if you would like us to assist in the PR.
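The signing procedure described in this PR (base64 certificate in GitHub Secrets, certutil decode at runtime, signtool with SHA256 file and timestamp digests against DigiCert's timestamp server, nothing committed to the repository) can be sketched as a GitHub Actions job. The block below is an added illustration, not the PR's own workflow (the diff is not shown on this page). It adds two things a reviewer would ask for: a `signtool verify /pa` step so the job fails if the signature or chain is bad, and an `if: always()` cleanup so the decoded PFX is deleted even when signing fails. The secret names `WINDOWS_CERTIFICATE` and `WINDOWS_CERTIFICATE_PASSWORD`, the Tauri output path `src-tauri\target\release\*.exe`, and the Windows SDK location of `signtool.exe` are all assumptions.

```yaml
# Added example, not the PR's workflow. Assumptions: a Tauri build step has already
# produced the .exe, the PFX is stored base64-encoded in secrets.WINDOWS_CERTIFICATE,
# its password in secrets.WINDOWS_CERTIFICATE_PASSWORD, and signtool.exe ships with
# the Windows 10 SDK on the windows-latest runner image.
jobs:
  sign-windows:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      # ... Tauri build steps (assumed to run here) ...

      - name: Decode signing certificate from secrets
        shell: pwsh
        env:
          # Pass the secret through the environment instead of interpolating it into
          # the script text, so it never appears in the rendered workflow/logs.
          WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
        run: |
          $b64 = Join-Path $env:RUNNER_TEMP 'cert.b64'
          $pfx = Join-Path $env:RUNNER_TEMP 'cert.pfx'
          Set-Content -Path $b64 -Value $env:WINDOWS_CERTIFICATE -NoNewline
          # certutil -decode turns the base64 text back into the binary PFX.
          certutil -decode $b64 $pfx | Out-Null
          if ($LASTEXITCODE -ne 0) { throw "certutil failed to decode the certificate" }
          Remove-Item $b64 -Force
          # Export the PFX path to later steps via GITHUB_ENV.
          "PFX_PATH=$pfx" | Out-File -FilePath $env:GITHUB_ENV -Append

      - name: Sign and verify Windows executable
        shell: pwsh
        env:
          WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
        run: |
          # Pick the newest signtool.exe from the Windows SDK (path is an assumption).
          $signtool = Get-ChildItem 'C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe' |
            Sort-Object FullName -Descending | Select-Object -First 1 -ExpandProperty FullName
          # Tauri output location is an assumption; adjust to the project's bundle path.
          $exe = Get-ChildItem 'src-tauri\target\release\*.exe' |
            Select-Object -First 1 -ExpandProperty FullName
          # /fd SHA256  : file digest algorithm
          # /tr + /td   : RFC 3161 timestamp from DigiCert with a SHA256 timestamp digest,
          #               so the signature stays valid after the certificate expires.
          & $signtool sign /f $env:PFX_PATH /p $env:WINDOWS_CERTIFICATE_PASSWORD `
            /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 $exe
          if ($LASTEXITCODE -ne 0) { throw "signtool sign failed" }
          # /pa verifies against the Default Authenticode policy; a missing or untrusted
          # signature makes the job fail here instead of shipping an unsigned binary.
          & $signtool verify /pa /v $exe
          if ($LASTEXITCODE -ne 0) { throw "signature verification failed" }

      - name: Remove decoded certificate
        if: always()
        shell: pwsh
        run: |
          # Runs even if signing failed, so the PFX never outlives the job.
          if ($env:PFX_PATH -and (Test-Path $env:PFX_PATH)) { Remove-Item $env:PFX_PATH -Force }
```

Two design points worth keeping when adapting this: the certificate and password reach the scripts only through `env:`, never by string-interpolating `${{ secrets.* }}` into `run:` text, and the verify step is what actually proves the release is signed rather than trusting signtool's exit code alone.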

@Radhikaa-chauhan Radhikaa-chauhan merged commit 9c7e3b5 into main Feb 18, 2026
10 checks passed
