feat: add Windows code signing infrastructure (bd-14v0)

Implements Authenticode signing for Windows binaries to reduce AV false positives. Changes: - Add scripts/sign-windows.sh for osslsigncode-based signing - Update .goreleaser.yml with post-build signing hook - Update release.yml to install osslsigncode and pass secrets - Update docs/ANTIVIRUS.md with signing verification instructions - Update scripts/README.md with signing script documentation The signing is gracefully degraded - releases continue without signing if the certificate secrets are not configured. Required secrets for signing: - WINDOWS_SIGNING_CERT_PFX_BASE64: base64-encoded PFX certificate - WINDOWS_SIGNING_CERT_PASSWORD: certificate password 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-23 23:54:34 -08:00
parent edc6eae82c
commit 3c786f2333
5 changed files with 214 additions and 9 deletions
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -93,6 +93,11 @@ builds:
      - -X main.Commit={{.Commit}}
      - -X main.Branch={{.Branch}}
      - -buildmode=exe
+    hooks:
+      post:
+        # Sign Windows executable with Authenticode certificate
+        # Requires WINDOWS_SIGNING_CERT_PFX_BASE64 and WINDOWS_SIGNING_CERT_PASSWORD secrets
+        - ./scripts/sign-windows.sh "{{ .Path }}"

 archives:
  - id: bd-archive