[PR #1209] [CLOSED] RFC: Codesigning windows builds #3594

New Issue

GiteaMirror · 2026-02-28T20:43:57-06:00

GiteaMirror commented

2026-02-28 20:43:57 -06:00

📋 Pull Request Information

Original PR: https://github.com/actualbudget/actual/pull/1209
Author: @Shazib
Created: 6/27/2023
Status: ❌ Closed

Base: master ← Head: codesigning-windows

📝 Commits (7)

7d9cbd8 Attempt to add codesigning to windows electron
53e3877 Merge branch 'actualbudget:master' into master
5efbe3c Bump electron package version to match
6893e4f Add Release Notes
669b41c Merge branch 'actualbudget:master' into master
6d3c6b5 Merge branch 'actualbudget:master' into master3
9e2459f Rename 1191.md to 1209.md

📊 Changes

3 files changed (+25 additions, -3 deletions)

View changed files

📝 .github/workflows/build.yml (+18 -2)
📝 packages/desktop-electron/package.json (+1 -1)
➕ upcoming-release-notes/1209.md (+6 -0)

📄 Description

Sorry I accidentally closed the PR so opening again.

Changes Made

Adding code-signing to windows builds.

This is all handled by electron-builder so all we need to do is supply it with the certificate details. There are two new github org secrets that need to be set before it will work. I am just using a locally generated certificate for now.

The new secrets are WIN_CERT_BASE64 and WIN_CERT_PASS

I will remove the workflow_dispatch: before this PR is merged, its just there for testing atm.

Slightly related, the version number in desktop-electron/package.json is out of sync, so whatever process updates this perhaps needs a review.

Getting a Certificate

Option 1: Generate our own certificate.

Free adn easy but won't be recognised by windows

Option 2: Purchase a Certificate

Will be recognised by windows
More complicated

Steps:

We need to set up a cloud based HSM (hardware security module) to store the cert. This requirement came into force May of this year as far as I can tell and cert authorities will only send youa cert on a hardware token or add it to your HSM.
Buy a cert. There are lots of websites that sell codesigning certs, the cheapest i've seen is here for $149/year.

We can use a cloud based HSM, for example Azure Key Vault
Azure offers $200 in free credit. I'm not sure how long this would last. Presumably we can use an unverified cert for dev builds and only fetch the offical one for release builds.
You upload and store the certificate in azure and its accessed via this github action

One thing i'm a little unclear about is how we would tranfer the certificate from the seller to the HSM, given they won't just send you the file. I have seen this but I can't test it without actually buying a cert. Azure is partnered with digicert etc for eliminating this issue but the certificates from them are much more expensive.

I am currently deploying an azure keyvault to try it out and will report back...There is also an AWS HSM.

In terms of financing this, I have not seen any links for donating etc, but would be happy to contribute.

Windows Store

I think none of the above is needed if we publish directly to the microsoft store, as they re-sign things with a microsoft certificate, we just have to sign with a cert, that we upload to our MS Developer account so they can verify who submitted the app.

I can't test this thoroughly because whilst I have a MS Dev account you need to provide a url to a website, a url to the exe, a privacy policy, etc, so I dont have a good 'test' app to run through the process.

I can try actually deploying the current actualbudget there if people want.

This does have the caveat that people downloading directly from the github release won't get the 'officially' signed version.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/actualbudget/actual/pull/1209 **Author:** [@Shazib](https://github.com/Shazib) **Created:** 6/27/2023 **Status:** ❌ Closed **Base:** `master` ← **Head:** `codesigning-windows` --- ### 📝 Commits (7) - [`7d9cbd8`](https://github.com/actualbudget/actual/commit/7d9cbd88320d66a4f6e0d29a283350e22bbcb3ba) Attempt to add codesigning to windows electron - [`53e3877`](https://github.com/actualbudget/actual/commit/53e38770253f4e39f851fe291d377f5d8b9e4602) Merge branch 'actualbudget:master' into master - [`5efbe3c`](https://github.com/actualbudget/actual/commit/5efbe3c1e3df34c07542270081139a74d3975c70) Bump electron package version to match - [`6893e4f`](https://github.com/actualbudget/actual/commit/6893e4f49783c7e99dddcde8a3e392725a36cc8c) Add Release Notes - [`669b41c`](https://github.com/actualbudget/actual/commit/669b41cfceddbcb9f72b7b8fdeb2b6a545dd9470) Merge branch 'actualbudget:master' into master - [`6d3c6b5`](https://github.com/actualbudget/actual/commit/6d3c6b55dc50e3ee22917e8677e0ed82910ece95) Merge branch 'actualbudget:master' into master3 - [`9e2459f`](https://github.com/actualbudget/actual/commit/9e2459f5cfb82c59e8c3eedb7dc14fffb326d685) Rename 1191.md to 1209.md ### 📊 Changes **3 files changed** (+25 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/build.yml` (+18 -2) 📝 `packages/desktop-electron/package.json` (+1 -1) ➕ `upcoming-release-notes/1209.md` (+6 -0) </details> ### 📄 Description Sorry I accidentally closed the PR so opening again. ### Changes Made Adding code-signing to windows builds. This is all handled by [electron-builder](https://www.electron.build/code-signing.html) so all we need to do is supply it with the certificate details. There are two new github org secrets that need to be set before it will work. I am just using a locally generated certificate for now. The new secrets are WIN_CERT_BASE64 and WIN_CERT_PASS I will remove the `workflow_dispatch:` before this PR is merged, its just there for testing atm. Slightly related, the version number in `desktop-electron/package.json` is out of sync, so whatever process updates this perhaps needs a review. ### Getting a Certificate Option 1: Generate our own certificate. - Free adn easy but won't be recognised by windows Option 2: Purchase a Certificate - Will be recognised by windows - More complicated Steps: 1. We need to set up a cloud based HSM (hardware security module) to store the cert. This requirement came into force May of this year as far as I can tell and cert authorities will only send youa cert on a hardware token or add it to your HSM. 2. Buy a cert. There are lots of websites that sell codesigning certs, the cheapest i've seen is [here](https://cheapsslsecurity.com/fastssl/code-signing-certificate.html?gad=1) for $149/year. - We can use a cloud based HSM, for example [Azure Key Vault](https://azure.microsoft.com/en-gb/products/key-vault) - Azure offers $200 in free credit. I'm not sure how long this would last. Presumably we can use an unverified cert for dev builds and only fetch the offical one for release builds. - You upload and store the certificate in azure and its accessed via this [github action](https://github.com/Azure/cli) One thing i'm a little unclear about is how we would tranfer the certificate from the seller to the HSM, given they won't just send you the file. I have seen [this](https://learn.microsoft.com/en-us/azure/key-vault/certificates/certificate-scenarios#creating-a-certificate-with-a-ca-not-partnered-with-key-vault) but I can't test it without actually buying a cert. Azure is partnered with digicert etc for eliminating this issue but the certificates from them are much more expensive. I am currently deploying an azure keyvault to try it out and will report back...There is also an AWS HSM. In terms of financing this, I have not seen any links for donating etc, but would be happy to contribute. ### Windows Store I _think_ none of the above is needed if we publish directly to the microsoft store, as they re-sign things with a microsoft certificate, we just have to sign with _a_ cert, that we upload to our MS Developer account so they can verify who submitted the app. I can't test this thoroughly because whilst I have a MS Dev account you need to provide a url to a website, a url to the exe, a privacy policy, etc, so I dont have a good 'test' app to run through the process. I can try actually deploying the current actualbudget there if people want. This does have the caveat that people downloading directly from the github release won't get the 'officially' signed version. ![image](https://github.com/actualbudget/actual/assets/4405777/d576da6e-dc0f-4e26-a076-a2be12b32705) --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-02-28 20:43:57 -06:00

GiteaMirror closed this issue

2026-02-28 20:43:57 -06:00

GiteaMirror referenced this issue

2026-02-28 21:03:35 -06:00

[PR #3594] [MERGED] fix size comparison workflow #4943

Sign in to join this conversation.

Branches Tags

master

claude/fix-simplefin-ssrf-T31gX

claude/release-notes-validation-X7rvR

matiss/7155

claude/fix-simplefin-batch-sync-O8LcD

ai/custom-theme-dual-prefs

matiss/fix-6804

add-claude-github-actions-1772738270730

claude/analyze-internal-errors-4k6O2

react-query-rules

react-query-useSchedules

matiss/separate-lint-format

dependabot/npm_and_yarn/ajv-6.14.0

cursor/sync-performance-notification-9899

react-query-prefs

matiss/chunked-sync-and-progress-ux

v26.2.1

copilot/sub-pr-6880

fix-react-query-clear-on-close-budget

copilot/sub-pr-6140

feat/auto-note

feat/scoped-bank-sync

cursor/desktop-transactions-react-table-1d0c

fix-exhaustive-deps-App

copilot/fix-find-replace-bug

release/v26.2.0-pre

matiss/browser-tests

mobile-fix-drag-and-drop-across-groups

budget-table-v2

PayeeAutocomplete2

pglite

bugfix/plugins/fix-plugins-sw

feat/plugins/plugins-core-package

prerelease

matiss/unicode-minus-fix

cursor/fix-actual-github-issue-6206-gemini-3-pro-preview-9c37

TransactionFormPage

cursor/implement-mortgage-and-loan-account-type-78ca

tests-update-fill-with-pressSequentially

mobile/link-modal

deps/25.11

cursor/fix-update-vrt-apply-ci-job-dispatch-b324

sync-server-plugins

cursor/propose-patch-for-github-issue-5680-2a18

fix/compiler-preserve-inner-dollar-escapes

cursor/analyze-actual-budget-issue-and-propose-fix-5b70

coderabbitai/docstrings/0c070e5

cursor/add-wip-prefix-and-comment-to-prs-d78d

jfdoming/08-21-auto-focus-on-navigate-in-all-browsers

show-totals-on-mobile-budget-banners

allow-child-transactions-make-transfer

mobile-calculator-keyboard

payee-geolocation

enhance/restore_scroll_position

dm-fix-second-click-on-mobile-new-transaction-2

scrollToLocationBudget

alert-autofix-38

tsconfig-composite

mobile-fix-uncategorized-transactions-on-tracking-budgets

server-budget-handlers

fix-sql-injection-in-cleanup-template

non-chrome-draggable-workaround

mobile-budget-page-swipe-navigation

ts-db-all

stable

dark-theme-with-brand-colors

fix-mobile-delete-group

ts-db-select

UnderKoen/reconcile-context-menu

master-before-server-merge

v25.2.1

ts-runQuery

rename-redux-hooks

UnderKoen/3557-persist-state-in-history

remove-redux-CLOSE_BUDGET

fix-exhaustive-deps-errors-FinancesApp

redux-toolkit-createSlice-backup

accounts-function-component

ts-useSplitsExpanded

loot-core-server-package

useTransactios-in-TransactionEdit

react-aria-input

move-redux-to-desktop-client

QueryState-type

fix-themes-applied-late

mobile-vrts

revert-3295-spendingCardFix

react-aria-button-4

split-payee-on-mobile

twk3/pin-apis-crdt

notes-tag-autocomplete

ts-LoadBackup

dnd-kit

package-upgrades

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/actual#3594