feat: add Windows code signing infrastructure (bd-14v0)

Implements Authenticode signing for Windows binaries to reduce AV false positives.

Changes:
- Add scripts/sign-windows.sh for osslsigncode-based signing
- Update .goreleaser.yml with post-build signing hook
- Update release.yml to install osslsigncode and pass secrets
- Update docs/ANTIVIRUS.md with signing verification instructions
- Update scripts/README.md with signing script documentation

The signing is gracefully degraded - releases continue without signing
if the certificate secrets are not configured.

Required secrets for signing:
- WINDOWS_SIGNING_CERT_PFX_BASE64: base64-encoded PFX certificate
- WINDOWS_SIGNING_CERT_PASSWORD: certificate password

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Steve Yegge
2025-12-23 23:54:34 -08:00
parent edc6eae82c
commit 3c786f2333
5 changed files with 214 additions and 9 deletions
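The commit message describes a scripts/sign-windows.sh that skips signing when the two secrets are absent, but the script itself is not shown on this page. The following is an added illustration of that shape, not the project's script: it decodes WINDOWS_SIGNING_CERT_PFX_BASE64 into a mode-0600 temporary file, signs with osslsigncode, verifies the result, and fails hard (rather than silently shipping an unsigned binary) when the secrets are present but signing breaks. The timestamp URL, the `-readpass` password file, the SHA-256 digest, the `-n` description string and the in-place replacement of the binary are assumptions.

```shell
#!/usr/bin/env bash
# Illustrative scripts/sign-windows.sh (added example; not the project's script).
# Secrets are the two named in the commit message. Assumed: the RFC 3161
# timestamp URL, the -readpass flag (keeps the password out of `ps` output),
# and replacing the binary in place once the signature verifies.
set -u

TIMESTAMP_URL="${TIMESTAMP_URL:-http://timestamp.digicert.com}"   # assumption

# 0 when both secrets are present and non-empty, 1 otherwise.
signing_configured() {
    [ -n "${WINDOWS_SIGNING_CERT_PFX_BASE64:-}" ] &&
    [ -n "${WINDOWS_SIGNING_CERT_PASSWORD:-}" ]
}

# Write $1 to a 0600 temp file ($2 = "b64" to base64-decode first); print path.
write_secret_file() {
    f=$(mktemp) || return 1
    chmod 600 "$f"
    if [ "$2" = b64 ]; then
        printf '%s' "$1" | base64 -d > "$f" || { rm -f "$f"; return 1; }
    else
        printf '%s' "$1" > "$f"
    fi
    printf '%s\n' "$f"
}

# Sign $1. Returns 0 when signed, 0 when skipped because secrets are absent
# (the graceful-degradation case), and 1 when secrets are present but the
# tool, certificate or verification fails, so a misconfigured pipeline
# never quietly ships an unsigned release.
sign_windows_binary() {
    in="$1"
    if ! signing_configured; then
        echo "sign-windows: secrets not configured; leaving $in unsigned" >&2
        return 0
    fi
    [ -f "$in" ] || { echo "sign-windows: no such file: $in" >&2; return 1; }
    if ! command -v osslsigncode >/dev/null 2>&1; then
        echo "sign-windows: secrets set but osslsigncode is not installed" >&2
        return 1
    fi
    pfx=$(write_secret_file "$WINDOWS_SIGNING_CERT_PFX_BASE64" b64) || return 1
    passfile=$(write_secret_file "$WINDOWS_SIGNING_CERT_PASSWORD" raw) || { rm -f "$pfx"; return 1; }
    out="$in.signed"
    rc=0
    # -ts: RFC 3161 timestamp so the signature stays valid after the cert expires.
    # -h sha256: Windows no longer trusts new SHA-1 Authenticode signatures.
    osslsigncode sign -pkcs12 "$pfx" -readpass "$passfile" -h sha256 \
        -n "beads" -ts "$TIMESTAMP_URL" -in "$in" -out "$out" &&
    osslsigncode verify -in "$out" &&
    mv "$out" "$in" || rc=1
    rm -f "$pfx" "$passfile" "$out"
    [ "$rc" -eq 0 ] && echo "sign-windows: signed and verified $in" >&2
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    sign_windows_binary "$1"
fi
```

Run as `sign-windows.sh dist/bd.exe` after the build. `osslsigncode verify` checks the certificate chain against a CA bundle; older osslsigncode builds need `-CAfile` pointing at one explicitly, and a passing verify in CI does not replace the checksum step users are told to follow when a release ships unsigned.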


@@ -101,13 +101,34 @@ ldflags:
These flags are already applied in the official builds.
### Code Signing (Future)
### Code Signing
Future releases may include Windows code signing to improve trust scores with antivirus vendors. Code signing:
Windows releases are signed with an Authenticode certificate when available. Code signing:
- Reduces false positive rates over time
- Builds reputation with SmartScreen/antivirus vendors
- Provides tamper verification
**Verify a signed binary (Windows PowerShell):**
```powershell
# Check if the binary is signed
Get-AuthenticodeSignature .\bd.exe
# Expected output for signed binary:
# SignerCertificate: [Certificate details]
# Status: Valid
```
**Verify a signed binary (Linux/macOS with osslsigncode):**
```bash
# Install osslsigncode if not available
# Ubuntu/Debian: apt-get install osslsigncode
# macOS: brew install osslsigncode
osslsigncode verify -in bd.exe
```
**Note:** Code signing requires an EV (Extended Validation) certificate, which involves a verification process. If a release is not signed, it means the certificate was not available at build time. Follow the checksum verification steps above to verify authenticity.
### Alternative Build Methods
Some users report success with:
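Review bot: the Note paragraph ("Code signing requires an EV (Extended Validation) certificate") claims more than Authenticode needs and does not match the secret format this commit consumes. osslsigncode will sign with any code-signing certificate; EV only shortens the time SmartScreen takes to grant reputation. EV certificates are also issued with the private key on a hardware token, so they cannot be exported into the base64 PFX that WINDOWS_SIGNING_CERT_PFX_BASE64 expects; if EV is really the plan, the PFX path will not work and the doc should state which kind of certificate the pipeline actually takes. Suggested wording: "Code signing requires a code-signing certificate; an EV certificate shortens the SmartScreen reputation period." Second, both verification snippets stop at `Status: Valid`, which a signature from any trusted signer would satisfy; publish the expected signer subject or thumbprint so users have something to compare against, e.g. `(Get-AuthenticodeSignature .\bd.exe).SignerCertificate.Subject`, and mention that older osslsigncode builds need `-CAfile` pointing at a CA bundle for `verify` to succeed.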
@@ -136,12 +157,16 @@ The issue isn't specific to beads' code - it's a characteristic of Go binaries i
### Will this be fixed in future releases?
We're working on:
- Submitting beads to antivirus vendor whitelists
- Adding code signing for Windows releases
- Continuing to use build optimizations
We've implemented:
- **Code signing infrastructure** for Windows releases (requires EV certificate)
- **Build optimizations** to reduce heuristic triggers
- **Documentation** for users to add exclusions and report false positives
However, false positives may still occur with new releases until reputation is established.
Still in progress:
- Acquiring an EV code signing certificate
- Submitting beads to antivirus vendor whitelists
False positives may still occur with new releases until the certificate builds reputation with antivirus vendors. This typically takes several months of consistent signed releases.
### Should I disable my antivirus?
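Review bot: "(requires EV certificate)" under "We've implemented" and "Acquiring an EV code signing certificate" under "Still in progress" together tell users that no release can be signed until EV is obtained, yet the workflow this commit adds takes a base64-encoded PFX, an exportable software key that EV issuance does not provide. Either drop "requires EV certificate" (osslsigncode signs with any code-signing certificate) or document the hardware-token or HSM signing path an EV certificate would need. Also, "This typically takes several months of consistent signed releases" gives a timeline the page offers no source for; stating that the period is unspecified, or pointing at Microsoft's SmartScreen reputation guidance, would be safer.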