feat(ci): add Windows code signing with SSL.com eSigner

.github/workflows/stable-windows.yml

@@ -214,6 +214,45 @@ jobs:
         run: ./build/windows/package.sh
         if: env.SHOULD_BUILD == 'yes'
 
+      - name: Prepare application binaries for signing
+        run: |
+          mkdir -p app_signing_input app_signing_output
+          find VSCode-win32-${{ matrix.vscode_arch }} -type f \( -name "*.exe" -o -name "*.dll" \) | while read f; do
+            newname=$(echo "$f" | tr '/' '_')
+            cp "$f" "app_signing_input/$newname"
+            echo "$newname|$f" >> app_signing_map.txt
+          done
+          echo "Files to sign:"
+          ls -la app_signing_input/
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+        shell: bash
+
+      - name: Sign application binaries with SSL.com eSigner
+        uses: sslcom/esigner-codesign@develop
+        with:
+          command: batch_sign
+          username: ${{ secrets.ES_USERNAME }}
+          password: ${{ secrets.ES_PASSWORD }}
+          credential_id: ${{ secrets.ES_CREDENTIAL_ID }}
+          totp_secret: ${{ secrets.ES_TOTP_SECRET }}
+          dir_path: ${GITHUB_WORKSPACE}/app_signing_input
+          output_path: ${GITHUB_WORKSPACE}/app_signing_output
+          environment_name: PROD
+          override: true
+          malware_block: true
+          clean_logs: true
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+
+      - name: Restore signed application binaries
+        run: |
+          while IFS='|' read -r newname origpath; do
+            cp "app_signing_output/$newname" "$origpath"
+          done < app_signing_map.txt
+          rm -rf app_signing_input app_signing_output app_signing_map.txt
+          echo "Signed binaries restored to VSCode-win32-${{ matrix.vscode_arch }}/"
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+        shell: bash
+
       - name: Prepare assets
         run: ./prepare_assets.sh
         if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
@@ -229,20 +268,35 @@ jobs:
           retention-days: 1
         if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
 
-      # - name: Signing
-      #   uses: signpath/github-action-submit-signing-request@v1
-      #   with:
-      #     api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
-      #     organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
-      #     project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
-      #     signing-policy-slug: ${{ secrets.SIGNPATH_POLICY_SLUG }}
-      #     github-artifact-id: ${{ steps.upload-unsigned-artifacts.outputs.artifact-id }}
-      #     artifact-configuration-slug: ${{ matrix.vscode_arch }}
-      #     wait-for-completion: true
-      #     # 3h to manually approve the request
-      #     wait-for-completion-timeout-in-seconds: 10800
-      #     output-artifact-directory: assets/
-      #   if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+      - name: Prepare files for signing
+        run: |
+          mkdir -p signing_input signing_output
+          mv assets/*.exe signing_input/ || true
+          mv assets/*.msi signing_input/ || true
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+
+      - name: Sign Windows Artifacts with SSL.com eSigner
+        uses: sslcom/esigner-codesign@develop
+        with:
+          command: batch_sign
+          username: ${{ secrets.ES_USERNAME }}
+          password: ${{ secrets.ES_PASSWORD }}
+          credential_id: ${{ secrets.ES_CREDENTIAL_ID }}
+          totp_secret: ${{ secrets.ES_TOTP_SECRET }}
+          dir_path: ${GITHUB_WORKSPACE}/signing_input
+          output_path: ${GITHUB_WORKSPACE}/signing_output
+          environment_name: PROD
+          override: true
+          malware_block: true
+          clean_logs: true
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
+
+      - name: Move signed files back
+        run: |
+          mv signing_output/*.exe assets/ || true
+          mv signing_output/*.msi assets/ || true
+          rm -rf signing_input signing_output
+        if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true')
 
       - name: Prepare checksums
         run: ./prepare_checksums.sh

CLAUDE.md

@@ -231,6 +231,13 @@ When merging upstream, these are our key customizations that must be preserved:
    - `patches/user/microphone.patch` - Codex-specific
    - Minor modifications to other patches for branding
 
+6. **Windows Code Signing** (`.github/workflows/stable-windows.yml`)
+   - SSL.com eSigner integration for code signing
+   - Signs application binaries (.exe, .dll) before packaging
+   - Signs installer packages (.exe, .msi) after packaging
+   - Required secrets: `ES_USERNAME`, `ES_PASSWORD`, `ES_CREDENTIAL_ID`, `ES_TOTP_SECRET`
+   - **Must preserve**: The signing steps between "Build" and "Prepare assets", and after "Upload unsigned artifacts"
+
 ### Merge Strategy
 
 #### Option A: Incremental Merge (Recommended for small gaps)
@@ -308,6 +315,7 @@ When upstream updates patches that we've also modified:
 | File/Area | Typical Resolution |
 |-----------|-------------------|
 | `.github/workflows/*.yml` | Keep our simplified versions, cherry-pick important CI fixes |
+| `.github/workflows/stable-windows.yml` | **Preserve code signing steps** - keep SSL.com eSigner integration intact |
 | `patches/*.patch` | Take upstream's version, verify our branding placeholders work |
 | `prepare_vscode.sh` | Keep our branding URLs/names, adopt new build logic |
 | `build/windows/msi/` | Keep our `codex.*` files, apply equivalent changes from `vscodium.*` |