Skip to content

Remove Windows PFX signing fallback#3407

Open
mokagio wants to merge 4 commits into
trunkfrom
mokagio/remove-pfx-fallback
Open

Remove Windows PFX signing fallback#3407
mokagio wants to merge 4 commits into
trunkfrom
mokagio/remove-pfx-fallback

Conversation

@mokagio

@mokagio mokagio commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Remove PFX code signing fallback now that the Azure path is confirmed and the PFX certificate is expired. See https://linear.app/a8c/issue/AINFRA-2542.

AI-generated details

Fix

The Sectigo PFX cert expires 2026-07-05. Rather than wait for shipped-build confirmation of Azure Trusted Signing (this app's Azure default merged and has been validated on Buildkite), the campaign decided to remove every remaining PFX fallback now ahead of expiry.

Azure Trusted Signing becomes the sole, unconditional Windows signing path: no USE_PFX_CODE_SIGNING switch, no PFX provisioning in Buildkite, no certificateSubjectName in electron-builder.json.

Part of the Windows Code Signing → Azure Trusted Signing campaign.

Test

  1. make lint and make test pass locally (0 lint errors, same pre-existing warnings; full Jest suite green).
  2. CI: the package-windows Buildkite job packages and verifies the Azure-signed .exe via signtool verify; the PFX validation job (package-windows-pfx) is removed.

Release

These changes do not require release notes — CI/build tooling only, no app-facing behavior change.

The Sectigo PFX cert expires 2026-07-05. Rather than wait for
shipped-build confirmation of Azure Trusted Signing per app, the
campaign owner decided to remove every remaining PFX fallback now.
Azure Trusted Signing becomes the sole, unconditional Windows signing
path: no `USE_PFX_CODE_SIGNING` switch, no PFX provisioning, no
`certificateSubjectName`.

---

Generated with the help of Claude Code, https://claude.ai/code

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@mokagio mokagio self-assigned this Jul 4, 2026
Its value was verifying the Azure/PFX branch routed correctly. With PFX
gone there is no branch — the test just string-matched the Makefile
recipe against itself. The real regression (an unwired Azure sign hook
shipping an unsigned installer) is caught by the Package on Windows job's
`signtool verify`, and the arg logic by `azure-sign`'s own unit tests.

---

Generated with the help of Claude Code, https://claude.ai/code

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@mokagio mokagio marked this pull request as ready for review July 6, 2026 01:54
@mokagio mokagio requested a review from a team as a code owner July 6, 2026 01:54
Copilot AI review requested due to automatic review settings July 6, 2026 01:54
@mokagio mokagio enabled auto-merge July 6, 2026 01:54

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR removes the remaining Windows PFX-signing fallback so Azure Trusted Signing is the only Windows code-signing mechanism used by the build/CI toolchain.

Changes:

  • Removes the USE_PFX_CODE_SIGNING/PFX fallback behavior from Windows packaging and CI.
  • Updates Windows build configuration to no longer reference certificateSubjectName for PFX signing.
  • Simplifies Windows Buildkite steps to run only the Azure signing path and drops the legacy PFX validation job.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
scripts/package-win32.test.js Removes the Jest test that asserted Makefile switching between Azure vs PFX signing modes.
scripts/azure-sign.cjs Updates header comment to reflect Azure signing as the sole Windows signing path.
Makefile Makes Azure win.sign callback wiring unconditional and removes the PFX conditional.
electron-builder.json Removes certificateSubjectName (PFX-based signing configuration).
.buildkite/pipeline.yml Removes the Windows “PFX code signing” packaging/validation job.
.buildkite/commands/package_windows.ps1 Removes PFX setup/import logic; always configures Azure Trusted Signing and verifies signatures.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .buildkite/commands/package_windows.ps1
Comment thread Makefile
Comment on lines +142 to 146
# Windows signing: Azure Artifact Signing via the win.sign callback. The Store AppX builds
# unsigned — `env -u` removes PFX cert vars so electron-builder skips its built-in /fd-less PFX
# call. The Store re-signs the AppX regardless.
WIN_NSIS_SIGN := -c.win.sign=./scripts/azure-sign.cjs
APPX_NO_SIGN := env -u CSC_LINK -u CSC_KEY_PASSWORD -u WIN_CSC_LINK -u WIN_CSC_KEY_PASSWORD

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I considered when removing the test (notice it's in a dedicated commit). My thinking for removing was that a test in that fashion was not valuable because highly tied to implementation rather than behavior.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Comment thread Makefile Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants