Skip to content

feat: add code signing for Go binaries#3491

Draft
zackverham wants to merge 3 commits intomainfrom
feat/code-signing-3484
Draft

feat: add code signing for Go binaries#3491
zackverham wants to merge 3 commits intomainfrom
feat/code-signing-3484

Conversation

@zackverham
Copy link
Collaborator

@zackverham zackverham commented Feb 11, 2026

Add signing workflow for Windows, macOS, and Linux binaries to address antivirus false positives (Norton quarantining Publisher).

Signing approach:

  • Windows: Authenticode via osslsigncode with timestamping
  • macOS: codesign with Developer ID and hardened runtime
  • Linux: GPG detached signatures (.sig files)

Updated workflows to include signing step:

  • main.yaml
  • nightly.yaml
  • publish.yaml
  • pull-request.yaml
  • release.yaml

Required secrets:

  • WINDOWS_SIGNING_CERT / WINDOWS_SIGNING_CERT_PASSWORD
  • MACOS_SIGNING_CERT / MACOS_SIGNING_CERT_PASSWORD
  • LINUX_SIGNING_KEY / LINUX_SIGNING_KEY_PASSPHRASE

Fixes #3484

Intent

Type of Change

    • Bug Fix
    • New Feature
    • Breaking Change
    • Documentation
    • Refactor
    • Tooling

Approach

User Impact

Automated Tests

Directions for Reviewers

Checklist

  • I have updated the root CHANGELOG.md to cover notable changes.

zackverham and others added 3 commits February 11, 2026 14:58
@zackverham @claude
feat: add code signing for Go binaries
6385de4 
Add signing workflow for Windows, macOS, and Linux binaries to address
antivirus false positives (Norton quarantining Publisher).

Signing approach:
- Windows: Authenticode via osslsigncode with timestamping
- macOS: codesign with Developer ID and hardened runtime
- Linux: GPG detached signatures (.sig files)

Updated workflows to include signing step:
- main.yaml
- nightly.yaml
- publish.yaml
- pull-request.yaml
- release.yaml

Required secrets:
- WINDOWS_SIGNING_CERT / WINDOWS_SIGNING_CERT_PASSWORD
- MACOS_SIGNING_CERT / MACOS_SIGNING_CERT_PASSWORD
- LINUX_SIGNING_KEY / LINUX_SIGNING_KEY_PASSPHRASE

Fixes #3484

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@zackverham
Merge branch 'main' into feat/code-signing-3484
c27bb58
@zackverham
Merge branch 'main' into feat/code-signing-3484
283be62
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Positron gets Quarantined by Norton Security

1 participant

@zackverham