fixup! fixup! release: create initial Windows installer build workflow

Replace Bash script (using `signtool`) for validating executables are
code-signed correctly with a PowerShell script (which instead uses the
`Get-AuthenticodeSignature` cmdlet).

The `signtool` is only available in the Windows SDK, which isn't always
installed on self-hosted runners (e.g., for ARM64), but PowerShell is
always available on our images.

Signed-off-by: Matthew John Cheetham <[email protected]>

Author: mjcheetham

.github/workflows/build-git-installers.yml

@@ -357,10 +357,21 @@ jobs:
           openssl dgst -sha256 artifacts/${{matrix.type.fileprefix}}-*.exe | sed "s/.* //" >artifacts/sha-256.txt
       - name: Verify that .exe files are code-signed
         if: env.DO_WIN_CODESIGN == 'true'
-        shell: bash
+        shell: pwsh
         run: |
-          PATH=$PATH:"/c/Program Files (x86)/Windows Kits/10/App Certification Kit/" \
-          signtool verify //pa artifacts/${{matrix.type.fileprefix}}-*.exe
+          $ret = 0
+          $files = Get-ChildItem -Path artifacts -Filter "${{matrix.type.fileprefix}}-*.exe"
+          foreach ($file in $files) {
+              $signature = Get-AuthenticodeSignature -FilePath $file.FullName
+              if ($signature.Status -eq 'Valid') {
+                  Write-Host "[ VALID ] $($file.FullName)"
+              } else {
+                  Write-Host "[INVALID] $($file.FullName)"
+                  Write-Host "  Message: $($signature.StatusMessage)"
+                  $ret = 1
+              }
+          }
+          exit $ret
       - name: Publish ${{matrix.type.name}}-${{matrix.arch.name}}
         uses: actions/upload-artifact@v4
         with: