feat: add Windows code signing infrastructure (bd-14v0)

Implements Authenticode signing for Windows binaries to reduce AV false positives.

Changes:
- Add scripts/sign-windows.sh for osslsigncode-based signing
- Update .goreleaser.yml with post-build signing hook
- Update release.yml to install osslsigncode and pass secrets
- Update docs/ANTIVIRUS.md with signing verification instructions
- Update scripts/README.md with signing script documentation

The signing is gracefully degraded - releases continue without signing
if the certificate secrets are not configured.

Required secrets for signing:
- WINDOWS_SIGNING_CERT_PFX_BASE64: base64-encoded PFX certificate
- WINDOWS_SIGNING_CERT_PASSWORD: certificate password

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Steve Yegge
2025-12-23 23:54:34 -08:00
parent edc6eae82c
commit 3c786f2333
5 changed files with 214 additions and 9 deletions


@@ -26,10 +26,10 @@ jobs:
with:
go-version: '1.23'
- name: Install cross-compilation toolchains
- name: Install cross-compilation toolchains and signing tools
run: |
sudo apt-get update
sudo apt-get install -y gcc-mingw-w64-x86-64 gcc-aarch64-linux-gnu
sudo apt-get install -y gcc-mingw-w64-x86-64 gcc-aarch64-linux-gnu osslsigncode
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
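Review bot: the `osslsigncode` added to the `apt-get install` line is unpinned, so the signing tool version is whatever the runner's distro ships at release time, which can change timestamping and digest behaviour under the new scripts/sign-windows.sh without any change to this repository. Consider pinning the package version (`osslsigncode=<version>`) or at least adding an `osslsigncode --version` check to the step so the installed version is recorded in the release log and a silent toolchain change is visible.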
@@ -39,6 +39,9 @@ jobs:
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Windows code signing (optional - signing is skipped if not set)
WINDOWS_SIGNING_CERT_PFX_BASE64: ${{ secrets.WINDOWS_SIGNING_CERT_PFX_BASE64 }}
WINDOWS_SIGNING_CERT_PASSWORD: ${{ secrets.WINDOWS_SIGNING_CERT_PASSWORD }}
publish-pypi:
runs-on: ubuntu-latest
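Review bot: the comment on the `WINDOWS_SIGNING_CERT_PFX_BASE64` / `WINDOWS_SIGNING_CERT_PASSWORD` lines says signing is skipped if the secrets are not set, but an unset GitHub secret expands to an empty string here, so the downstream signing script must treat empty values as "not configured" and, more importantly, should fail the release rather than skip when exactly one of the two is present, otherwise a typo in one secret name ships unsigned binaries that look like a deliberate degrade. Also note that these env entries expose the PFX material and its password to the whole GoReleaser process (and every hook it runs), not only to the signing step; if the signing hook can be given the secrets directly, scoping them there limits what a misbehaving hook or verbose log could leak.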