Remove Windows PFX signing fallback#3407
Open
mokagio wants to merge 4 commits into
Open
Conversation
The Sectigo PFX cert expires 2026-07-05. Rather than wait for shipped-build confirmation of Azure Trusted Signing per app, the campaign owner decided to remove every remaining PFX fallback now. Azure Trusted Signing becomes the sole, unconditional Windows signing path: no `USE_PFX_CODE_SIGNING` switch, no PFX provisioning, no `certificateSubjectName`. --- Generated with the help of Claude Code, https://claude.ai/code Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Its value was verifying the Azure/PFX branch routed correctly. With PFX gone there is no branch — the test just string-matched the Makefile recipe against itself. The real regression (an unwired Azure sign hook shipping an unsigned installer) is caught by the Package on Windows job's `signtool verify`, and the arg logic by `azure-sign`'s own unit tests. --- Generated with the help of Claude Code, https://claude.ai/code Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR removes the remaining Windows PFX-signing fallback so Azure Trusted Signing is the only Windows code-signing mechanism used by the build/CI toolchain.
Changes:
- Removes the
USE_PFX_CODE_SIGNING/PFX fallback behavior from Windows packaging and CI. - Updates Windows build configuration to no longer reference
certificateSubjectNamefor PFX signing. - Simplifies Windows Buildkite steps to run only the Azure signing path and drops the legacy PFX validation job.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/package-win32.test.js | Removes the Jest test that asserted Makefile switching between Azure vs PFX signing modes. |
| scripts/azure-sign.cjs | Updates header comment to reflect Azure signing as the sole Windows signing path. |
| Makefile | Makes Azure win.sign callback wiring unconditional and removes the PFX conditional. |
| electron-builder.json | Removes certificateSubjectName (PFX-based signing configuration). |
| .buildkite/pipeline.yml | Removes the Windows “PFX code signing” packaging/validation job. |
| .buildkite/commands/package_windows.ps1 | Removes PFX setup/import logic; always configures Azure Trusted Signing and verifies signatures. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+142
to
146
| # Windows signing: Azure Artifact Signing via the win.sign callback. The Store AppX builds | ||
| # unsigned — `env -u` removes PFX cert vars so electron-builder skips its built-in /fd-less PFX | ||
| # call. The Store re-signs the AppX regardless. | ||
| WIN_NSIS_SIGN := -c.win.sign=./scripts/azure-sign.cjs | ||
| APPX_NO_SIGN := env -u CSC_LINK -u CSC_KEY_PASSWORD -u WIN_CSC_LINK -u WIN_CSC_KEY_PASSWORD |
Contributor
Author
There was a problem hiding this comment.
I considered when removing the test (notice it's in a dedicated commit). My thinking for removing was that a test in that fashion was not valuable because highly tied to implementation rather than behavior.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
mokagio
commented
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Remove PFX code signing fallback now that the Azure path is confirmed and the PFX certificate is expired. See https://linear.app/a8c/issue/AINFRA-2542.
AI-generated details
Fix
The Sectigo PFX cert expires 2026-07-05. Rather than wait for shipped-build confirmation of Azure Trusted Signing (this app's Azure default merged and has been validated on Buildkite), the campaign decided to remove every remaining PFX fallback now ahead of expiry.
Azure Trusted Signing becomes the sole, unconditional Windows signing path: no
USE_PFX_CODE_SIGNINGswitch, no PFX provisioning in Buildkite, nocertificateSubjectNameinelectron-builder.json.Part of the Windows Code Signing → Azure Trusted Signing campaign.
Test
make lintandmake testpass locally (0 lint errors, same pre-existing warnings; full Jest suite green).package-windowsBuildkite job packages and verifies the Azure-signed.exeviasigntool verify; the PFX validation job (package-windows-pfx) is removed.Release
These changes do not require release notes — CI/build tooling only, no app-facing behavior change.