chore: sign Windows binary with DigiCert EV certificate #51
Pull request overview
Adds Windows Authenticode signing to the release pipeline by introducing a dedicated sign-windows job that signs ant-node.exe via DigiCert SSM, then swaps the Windows archive before the existing post-quantum signing + checksum steps.
Changes:
- Add a sign-windows job (Windows runner) to extract, sign, verify, and repackage the Windows binary.
- Update the sign job to depend on sign-windows and replace the unsigned Windows ZIP with the signed ZIP prior to PQ signing/checksums.
- Update GitHub Release notes to mention DigiCert EV signing for Windows.
cc6ca2e to 6801d2f
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.
6801d2f to 097b81d
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
Add a sign-windows job to the release workflow that signs ant-node.exe using DigiCert SSM before the post-quantum signing step. The signed binary is repackaged into the release archive. Mirrors the approach used in ant-client.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cc0c2d8 to e9acf60
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
ca427c0 to e9acf60
Add unit and e2e tests covering the remaining Section 18 scenarios:

Unit tests (32 new):
- Quorum: #4 fail→abandoned, #16 timeout→inconclusive, #27 single-round dual-evidence, #28 dynamic threshold undersized, #33 batched per-key, #34 partial response unresolved, #42 quorum-derived paid-list auth
- Admission: #5 unauthorized peer, #7 out-of-range rejected
- Config: #18 invalid config rejected, #26 dynamic paid threshold
- Scheduling: #8 dedup safety, #8 replica/paid collapse
- Neighbor sync: #35 round-robin cooldown skip, #36 cycle completion, #38 snapshot stability mid-join, #39 unreachable removal + slot fill, #40 cooldown peer removed, #41 cycle termination guarantee, consecutive rounds, cycle preserves sync times
- Pruning: #50 hysteresis prevents premature delete, #51 timestamp reset on heal, #52 paid/record timestamps independent, #23 entry removal
- Audit: #19/#53 partial failure mixed responsibility, #54 all pass, #55 empty failure discard, #56 repair opportunity filter, response count validation, digest uses full record bytes
- Types: #13 bootstrap drain, repair opportunity edge cases, terminal state variants
- Bootstrap claims: #46 first-seen recorded, #49 cleared on normal

E2e tests (4 new):
- #2 fresh offer with empty PoP rejected
- #5/#37 neighbor sync request returns response
- #11 audit challenge multi-key (present + absent)
- Fetch not-found for non-existent key

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- sign-windows job to the release workflow that signs ant-node.exe with our DigiCert EV code-signing certificate via DigiCert SSM
- sign job now depends on sign-windows and swaps the unsigned Windows archive for the signed one before post-quantum signing and checksums

Ported from the working implementation in ant-client.

Test plan
- dry_run: true and a version like v0.5.0-rc.0
- sign-windows job passes (smctl healthcheck, signing, Authenticode verification)
- sign job replaces unsigned archive and produces correct checksums

Required secrets (already configured)
SM_HOST, SM_API_KEY, SM_CLIENT_CERT_B64, SM_CLIENT_CERT_PASSWORD, SM_KEYPAIR_ALIAS

🤖 Generated with Claude Code
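A release-gate check for the archive swap described above, as an added example that is not part of the PR or the project's code: it confirms that ant-node.exe inside the Windows ZIP carries an embedded Authenticode signature before checksums are computed over it. The member path, the function names and the constructed `make_pe` stub are assumptions; the check establishes presence only, and validating the signature and its chain remains the job of the Authenticode verification step on the Windows runner.

```python
import io
import struct
import zipfile

CERT_DIR = 4               # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
PKCS_SIGNED_DATA = 0x0002  # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def authenticode_blob(pe: bytes):
    """Return the embedded PKCS#7 blob, or None when the PE is unsigned."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    (nt,) = struct.unpack_from("<I", pe, 0x3C)       # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                                    # skip signature + COFF header
    try:
        (magic,) = struct.unpack_from("<H", pe, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        (count,) = struct.unpack_from("<I", pe, dirs - 4)
        if count <= CERT_DIR:
            return None
        off, size = struct.unpack_from("<II", pe, dirs + 8 * CERT_DIR)  # file offset, not an RVA
        if off == 0 or size == 0:
            return None
        length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
    except (struct.error, KeyError):
        raise ValueError("truncated or malformed PE headers")
    if ctype != PKCS_SIGNED_DATA or not 8 < length <= size or off + length > len(pe):
        raise ValueError("malformed certificate table")
    return pe[off + 8:off + length]

def archive_is_signed(zip_bytes: bytes, member: str = "ant-node.exe") -> bool:
    """True when `member` in the ZIP carries an Authenticode blob."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return authenticode_blob(zf.read(member)) is not None

def make_pe(signature: bytes = b"") -> bytes:
    """Constructed PE32+ header stub for the demo; not a runnable binary."""
    pe = bytearray(0x200)
    pe[:2], pe[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    opt = 0x80 + 24
    struct.pack_into("<H", pe, opt, 0x20B)
    struct.pack_into("<I", pe, opt + 108, 16)        # NumberOfRvaAndSizes
    if signature:
        cert = struct.pack("<IHH", 8 + len(signature), 0x0200, PKCS_SIGNED_DATA)
        struct.pack_into("<II", pe, opt + 112 + 8 * CERT_DIR, len(pe), len(cert) + len(signature))
        pe += cert + signature
    return bytes(pe)
```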