feat(ci): add Windows code signing with SSL.com eSigner #21

Merged
andrewhertog merged 4 commits into master from feature/windows-code-signing
Feb 16, 2026

andrewhertog commented Feb 16, 2026

Summary

  • Add code signing for Windows builds using SSL.com's eSigner cloud signing service
  • Sign all application binaries (.exe, .dll) before packaging into installers
  • Sign installer packages (.exe, .msi) after packaging
  • Use batch_sign with malware scanning enabled (required by SSL.com)

Required GitHub Secrets

Configure these in repository settings:

  • ES_USERNAME - SSL.com account email
  • ES_PASSWORD - SSL.com account password
  • ES_CREDENTIAL_ID - Certificate credential ID from eSigner
  • ES_TOTP_SECRET - TOTP secret for automated signing

How It Works

  1. After build completes, all .exe and .dll files in VSCode-win32-{arch}/ are collected
  2. Files are signed using SSL.com eSigner (with malware scan)
  3. Signed binaries are restored to original locations
  4. prepare_assets.sh packages the signed binaries into installers
  5. Installer packages (.exe, .msi) are also signed

Test Plan

  • Verified signing step completes successfully in CI
  • Verified installer shows publisher name (Frontier R&D Ltd.) in SmartScreen
  • Verified installed application executables are signed

Notes

SmartScreen may still show warnings for new certificates until reputation builds. This is expected for OV (Organization Validation) certificates.

🤖 Generated with Claude Code

andrewhertog and others added 4 commits February 13, 2026 10:08
Add code signing for Windows builds using SSL.com's eSigner cloud
signing service.

Changes:
- Sign all application binaries (.exe, .dll) before packaging
- Sign installer packages (.exe, .msi) after packaging
- Use batch_sign with malware scanning enabled
- Separate input/output directories for CodeSignTool compatibility

Required GitHub secrets:
- ES_USERNAME: SSL.com account email
- ES_PASSWORD: SSL.com account password
- ES_CREDENTIAL_ID: Certificate credential ID from eSigner
- ES_TOTP_SECRET: TOTP secret for automated signing

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Document the SSL.com eSigner code signing integration as a
Codex-specific customization that must be preserved when
syncing with upstream VSCodium.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@andrewhertog andrewhertog merged commit 3da950e into master Feb 16, 2026
26 of 27 checks passed
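
Steps 1 to 3 under "How It Works", together with the commit's separate input/output directories, sketched as an added example that is not part of this pull request or the repository's workflow: binaries are flattened into one input directory, signed, checked, and only then copied back, so a partial signer run cannot leave unsigned files in the package. The function name `stage_sign_restore`, the `SIGN_CMD` hook and the index-prefixed staging names are assumptions; the actual CodeSignTool invocation is not shown on this page.

```shell
# Added example (not this repository's script). SIGN_CMD is a hypothetical hook,
# called as: SIGN_CMD <input_dir> <output_dir>; it must write a signed copy of
# every input file, under the same name, into <output_dir>.
# Assumes WORK lies outside ROOT and paths contain no tab or newline.
stage_sign_restore() {
  root=$1 work=$2 sign_cmd=$3
  indir="$work/in" outdir="$work/out" manifest="$work/manifest.tsv"
  tab=$(printf '\t')
  mkdir -p "$indir" "$outdir" || return 1
  find "$root" -type f \( -iname '*.exe' -o -iname '*.dll' \) | sort > "$work/list"
  : > "$manifest"
  n=0
  # Flatten into one directory; an index prefix keeps same-named DLLs apart.
  while IFS= read -r src; do
    n=$((n + 1))
    staged="$(printf '%05d' "$n")_$(basename "$src")"
    cp -- "$src" "$indir/$staged" || return 1
    printf '%s\t%s\n' "$staged" "$src" >> "$manifest"
  done < "$work/list"
  [ "$n" -gt 0 ] || { echo "no binaries under $root" >&2; return 1; }

  "$sign_cmd" "$indir" "$outdir" >&2 || { echo "signer failed" >&2; return 1; }

  # Pass 1: check every file came back and changed before touching the tree.
  # A byte difference is a cheap sanity check, not signature verification.
  while IFS="$tab" read -r staged src; do
    [ -s "$outdir/$staged" ] || { echo "no signed output for $src" >&2; return 1; }
    if cmp -s "$indir/$staged" "$outdir/$staged"; then
      echo "output identical to input: $src" >&2; return 1
    fi
  done < "$manifest"
  # Pass 2: only now overwrite the originals with the signed copies.
  while IFS="$tab" read -r staged src; do
    cp -- "$outdir/$staged" "$src" || return 1
  done < "$manifest"
  echo "$n"   # number of binaries signed and restored
}
```

On a Windows runner, a follow-up check with `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature` over the restored tree confirms the signatures themselves, which the byte comparison here does not.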