build(windows): add signing with DigiCert KeyLocker (#676)

* feat: implement Windows code signing with DigiCert KeyLocker

- Add DigiCert KeyLocker integration using smctl for EV certificate signing
- Configure forge.config.ts with windowsSign hook function for app and installer
- Update CI/CD workflows to install and setup DigiCert KeyLocker tools
- Add environment variable handling for DigiCert authentication
- Update documentation with Windows signing requirements and secrets
- Add @electron/windows-sign dependency for Windows signing support

Eliminates SmartScreen warnings with EV code signing certificates.
Tested locally with successful signing of all executables and DLLs.

* refactor(ci): extract DigiCert KeyLocker setup into shared action

- Create shared Windows code signing action at .github/actions/setup-windows-codesign
- Replace duplicated DigiCert KeyLocker setup code in build-matrix and release workflows
- Improve maintainability by centralizing Windows signing configuration
- Follow existing pattern established by setup-macos-codesign action

* refactor(windows): switch to Electron Forge built-in signing with DigiCert KSP

- Replace direct smctl.exe calls with signWithParams using DigiCert KSP
- Remove duplicate hookFunction from MakerSquirrel installer config
- Use Electron Forge's built-in windowsSign with custom signtool parameters
- Simplify configuration by eliminating code duplication

Improves maintainability while keeping DigiCert KeyLocker integration.

* chore: format

* refactor: rollback to previous config

* fix: add timeouts and error handling to Windows code signing setup

- Switch from bash to PowerShell for better Windows MSI handling
- Add explicit timeouts for installation, KSP registration, and cert sync
- Add process management to kill hanging operations
- Improve logging and error reporting
- Use full paths for DigiCert tools

* chore: format

* feat: implement Windows code signing with DigiCert KeyLocker

- Add DigiCert KeyLocker integration for EV certificate signing
- Support signing both app executable and installer
- Add shared signing function to eliminate duplication
- Include signtool PATH setup for smctl compatibility
- Add GitHub Actions workflow support with timeouts
- Update documentation for required secrets

* chore: format

* refactor: adjust with postmake

* refactor: use an external util for windows signature

* chore: format

* fix: address copilot feedback

* chore: format

Author: samuv

.github/actions/setup-windows-codesign/action.yml

@@ -0,0 +1,99 @@
+name: 'Setup Windows Code Signing'
+description: 'Sets up DigiCert KeyLocker for Windows code signing'
+
+inputs:
+  sm-host:
+    description: 'DigiCert SigningManager host'
+    required: true
+  sm-api-key:
+    description: 'DigiCert SigningManager API key'
+    required: true
+  sm-client-cert-file-b64:
+    description: 'Base64 encoded client certificate file'
+    required: true
+  sm-client-cert-password:
+    description: 'Client certificate password'
+    required: true
+  sm-code-signing-cert-sha1-hash:
+    description: 'SHA1 hash of the code signing certificate'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup DigiCert KeyLocker
+      if: runner.os == 'Windows'
+      shell: powershell
+      env:
+        SM_HOST: ${{ inputs.sm-host }}
+        SM_API_KEY: ${{ inputs.sm-api-key }}
+        SM_CLIENT_CERT_FILE_B64: ${{ inputs.sm-client-cert-file-b64 }}
+        SM_CLIENT_CERT_PASSWORD: ${{ inputs.sm-client-cert-password }}
+        SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ inputs.sm-code-signing-cert-sha1-hash }}
+      run: |
+        Write-Host "Setting up DigiCert KeyLocker..."
+
+        # Setup certificate
+        Write-Host "Decoding certificate..."
+        $certBytes = [Convert]::FromBase64String($env:SM_CLIENT_CERT_FILE_B64)
+        $tempCertPath = Join-Path $env:TEMP "Certificate_pkcs12.p12"
+        [IO.File]::WriteAllBytes($tempCertPath, $certBytes)
+
+        # Set environment variables
+        Write-Host "Setting environment variables..."
+        echo "SM_HOST=$env:SM_HOST" >> $env:GITHUB_ENV
+        echo "SM_API_KEY=$env:SM_API_KEY" >> $env:GITHUB_ENV
+        echo "SM_CLIENT_CERT_FILE=$tempCertPath" >> $env:GITHUB_ENV
+        echo "SM_CLIENT_CERT_PASSWORD=$env:SM_CLIENT_CERT_PASSWORD" >> $env:GITHUB_ENV
+        echo "SM_CODE_SIGNING_CERT_SHA1_HASH=$env:SM_CODE_SIGNING_CERT_SHA1_HASH" >> $env:GITHUB_ENV
+
+        # Add Windows SDK tools to PATH (for signtool)
+        Write-Host "Adding Windows SDK tools to PATH..."
+        if (Test-Path "C:\Program Files (x86)\Windows Kits\10\App Certification Kit") {
+          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $env:GITHUB_PATH
+        }
+        if (Test-Path "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools") {
+          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $env:GITHUB_PATH
+        }
+
+        # Download DigiCert KeyLocker tools
+        Write-Host "Downloading DigiCert KeyLocker tools..."
+        $headers = @{"x-api-key" = $env:SM_API_KEY}
+        Invoke-WebRequest -Uri "https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download" -Headers $headers -OutFile "Keylockertools-windows-x64.msi"
+
+        # Install with timeout
+        Write-Host "Installing DigiCert KeyLocker tools..."
+        $installTimeoutMs = 300000 # 5 minute timeout
+        $process = Start-Process -FilePath "msiexec.exe" -ArgumentList "/i", "Keylockertools-windows-x64.msi", "/quiet", "/qn", "/L*v", "install.log" -PassThru
+        if (-not $process.WaitForExit($installTimeoutMs)) {
+          $process.Kill()
+          throw "Installation timed out"
+        }
+        if ($process.ExitCode -ne 0) {
+          Get-Content "install.log" -ErrorAction SilentlyContinue
+          throw "Installation failed with exit code $($process.ExitCode)"
+        }
+
+        # Add DigiCert tools to PATH
+        Write-Host "Adding DigiCert tools to PATH..."
+        echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $env:GITHUB_PATH
+
+        # Register KSP with timeout
+        Write-Host "Registering KSP..."
+        $process = Start-Process -FilePath "C:\Program Files\DigiCert\DigiCert Keylocker Tools\smksp_registrar.exe" -ArgumentList "register" -PassThru -NoNewWindow
+        $installTimeoutMs = 60000 # 1 minute timeout
+        if (-not $process.WaitForExit($installTimeoutMs)) {
+          $process.Kill()
+          throw "KSP registration timed out"
+        }
+
+        # Sync certificates with timeout
+        Write-Host "Synchronizing certificates..."
+        $process = Start-Process -FilePath "C:\Program Files\DigiCert\DigiCert Keylocker Tools\smksp_cert_sync.exe" -PassThru -NoNewWindow
+        $installTimeoutMs = 60000 # 2 minute timeout
+        if (-not $process.WaitForExit($installTimeoutMs)) {
+          $process.Kill()
+          throw "Certificate sync timed out"
+        }
+
+        Write-Host "DigiCert KeyLocker setup completed successfully!"

.github/workflows/_build-matrix.yml

@@ -41,6 +41,16 @@ jobs:
           apple-issuer-id: ${{ secrets.APPLE_ISSUER_ID }}
           apple-key-id: ${{ secrets.APPLE_KEY_ID }}
 
+      - name: Setup Windows code signing
+        uses: ./.github/actions/setup-windows-codesign
+        if: runner.os == 'Windows'
+        with:
+          sm-host: ${{ secrets.SM_HOST }}
+          sm-api-key: ${{ secrets.SM_API_KEY }}
+          sm-client-cert-file-b64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
+          sm-client-cert-password: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+          sm-code-signing-cert-sha1-hash: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
+
       - name: Install Flatpak tool-chain (Linux only)
         if: runner.os == 'Linux'
         run: |

.github/workflows/on-release.yml

@@ -72,6 +72,16 @@ jobs:
           apple-issuer-id: ${{ secrets.APPLE_ISSUER_ID }}
           apple-key-id: ${{ secrets.APPLE_KEY_ID }}
 
+      - name: Setup Windows code signing
+        uses: ./.github/actions/setup-windows-codesign
+        if: runner.os == 'Windows'
+        with:
+          sm-host: ${{ secrets.SM_HOST }}
+          sm-api-key: ${{ secrets.SM_API_KEY }}
+          sm-client-cert-file-b64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
+          sm-client-cert-password: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+          sm-code-signing-cert-sha1-hash: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
+
       - name: Install Flatpak tool-chain (Linux only)
         if: runner.os == 'Linux'
         run: |

docs/README.md

@@ -104,10 +104,13 @@ it as `VITE_API_URL` in the `.env` file (locally) or in the CI environment.
 
 ## Code signing
 
-> **Note:** Currently supports macOS only. Windows code signing is WIP.
+Supports both macOS and Windows code signing. macOS uses Apple certificates,
+Windows uses DigiCert KeyLocker for EV certificates.
 
 ### Local development
 
+#### macOS
+
 Optional: Set `MAC_DEVELOPER_IDENTITY` in `.env` to use a specific certificate:
 
 ```text
@@ -118,6 +121,8 @@ Local signing is not required for development.
 
 ### CI/CD
 
+#### macOS Signing
+
 Requires these GitHub secrets:
 
 - `APPLE_CERTIFICATE` - Base64 encoded .p12 certificate
@@ -127,7 +132,19 @@ Requires these GitHub secrets:
 - `APPLE_ISSUER_ID` - Apple API Issuer ID
 - `APPLE_KEY_ID` - Apple API Key ID
 
-CI auto-detects the certificate. Apps are signed and notarized automatically.
+#### Windows Signing (DigiCert KeyLocker)
+
+Requires these GitHub secrets for EV certificate signing:
+
+- `SM_HOST` - DigiCert KeyLocker host URL
+- `SM_API_KEY` - DigiCert KeyLocker API key
+- `SM_CLIENT_CERT_FILE_B64` - Base64 encoded client certificate (.p12)
+- `SM_CLIENT_CERT_PASSWORD` - Client certificate password
+- `SM_CODE_SIGNING_CERT_SHA1_HASH` - SHA1 fingerprint of the code signing
+  certificate
+
+CI auto-detects the certificates. Apps are signed automatically during the build
+process.
 
 ## ESLint configuration
 

forge.config.ts

@@ -45,6 +45,14 @@ const config: ForgeConfig = {
       ? { identity: process.env.MAC_DEVELOPER_IDENTITY }
       : {}, // Auto-detect certificates
 
+    // Windows Code Signing Configuration - DigiCert KeyLocker
+    windowsSign:
+      process.env.SM_HOST && process.env.SM_API_KEY
+        ? {
+            hookModulePath: './utils/digicert-hook.js',
+          }
+        : undefined,
+
     // MacOS Notarization Configuration
     osxNotarize: (() => {
       // Prefer Apple API Key method
@@ -94,6 +102,13 @@ const config: ForgeConfig = {
       authors: 'Stacklok',
       exe: 'ToolHive.exe',
       name: 'ToolHive',
+      // Use DigiCert KeyLocker for signing the installer
+      windowsSign:
+        process.env.SM_HOST && process.env.SM_API_KEY
+          ? {
+              hookModulePath: './utils/digicert-hook.js',
+            }
+          : undefined,
     }),
     new MakerDMGWithArch(
       {

utils/digicert-hook.js

@@ -0,0 +1,43 @@
+/**
+ * DigiCert KeyLocker signing hook for @electron/windows-sign
+ * This module exports a function that signs files using DigiCert smctl.exe
+ */
+
+const { execSync } = require('child_process')
+
+/**
+ * Signs a file using DigiCert KeyLocker
+ * @param {string} filePath - Absolute path to the file to sign
+ * @returns {Promise<void>}
+ */
+async function signWithDigiCert(filePath) {
+  console.log(`Signing ${filePath} using DigiCert KeyLocker...`)
+
+  const fingerprint = process.env.SM_CODE_SIGNING_CERT_SHA1_HASH
+  if (!fingerprint) {
+    throw new Error(
+      'SM_CODE_SIGNING_CERT_SHA1_HASH environment variable is required'
+    )
+  }
+
+  const signCommand = [
+    '"C:\\Program Files\\DigiCert\\DigiCert Keylocker Tools\\smctl.exe"',
+    'sign',
+    '--fingerprint',
+    fingerprint,
+    '--input',
+    `"${filePath}"`,
+  ].join(' ')
+
+  console.log(`Executing: ${signCommand}`)
+
+  try {
+    execSync(signCommand, { stdio: 'inherit' })
+    console.log(`Successfully signed ${filePath}`)
+  } catch (error) {
+    console.error(`Failed to sign ${filePath}:`, error.message || error)
+    throw error
+  }
+}
+
+module.exports = signWithDigiCert