Skip to content

Windows code signing (Authenticode) for release binaries #55

Description

@yves-vogl

The Windows release binaries (VST3 + Standalone) are currently unsigned — users see SmartScreen warnings on first run. The macOS signing pipeline (Developer ID + notarization, org-secret based) is being set up separately and does not cover Windows.

To resolve, this repo (in line with the whole suite) needs:

  • An Authenticode code-signing certificate (OV or EV; options: Certum Open Source, SSL.com, or Azure Trusted Signing) — one org-wide cert, stored like the Apple secrets as org-level GitHub Actions secrets.
  • A signing step in .github/workflows/release.yml's Windows job (signtool on the runner or osslsigncode cross-signing), signing both the .vst3 binary and the Standalone .exe with a timestamp server.
  • Release-notes update once shipped (drop the unsigned-Windows warning).

Suite-wide task — implement once in the shared template, then roll out. Tracked per-repo for milestone completeness.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ciCI / CD workflowpriority: lowLow priorityreleaseRelease, signing, packaging

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions