From d8fdecda8169afa1127e5d3da833e939fd8513e9 Mon Sep 17 00:00:00 2001 From: Eugene Date: Fri, 24 Apr 2026 07:12:25 -0700 Subject: [PATCH] Windows signing fix (#11186) Co-authored-by: Eugeny <161476+Eugeny@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> --- .github/workflows/build.yml | 97 +++++++++++++++++++++++++------------ 1 file changed, 66 insertions(+), 31 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8c33f099..8a4d8160 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -96,7 +96,7 @@ jobs: - name: Build packages without signing run: scripts/build-macos.mjs - if: "! (github.event_name == 'push' && (github.ref_protected || startsWith(github.ref, 'refs/tags')))" + if: "! (github.event_name == 'push' && startsWith(github.ref, 'refs/tags'))" env: ARCH: ${{matrix.arch}} # DEBUG: electron-builder,electron-builder:* @@ -250,7 +250,7 @@ jobs: SENTRY_PROJECT: ${{ secrets.SENTRY_PROJECT }} - name: Upload packages to packagecloud.io - uses: TykTechnologies/packagecloud-action@main + uses: TykTechnologies/packagecloud-action@7add92bc6a06914be404cf7fa00a6ccb302e6ac5 if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') env: PACKAGECLOUD_TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }} 
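Review bot: Pinning `TykTechnologies/packagecloud-action` to a full commit SHA is the right supply-chain move, but the pin carries no comment naming the tag it resolves to, so Dependabot/Renovate and human reviewers cannot see which release it is or confirm the SHA belongs to an upstream tag. I'd write it as `uses: TykTechnologies/packagecloud-action@7add92bc6a06914be404cf7fa00a6ccb302e6ac5 # <upstream tag>` with the real tag filled in. The same treatment is worth applying to the remaining mutable refs in this workflow, for example `actions/upload-artifact@master` in the next hunk's context, which this patch leaves floating.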
@@ -258,7 +258,7 @@ jobs: repo: 'eugeny/tabby' dir: 'dist' rpmvers: 'el/9 el/8 ol/6 ol/7' - debvers: 'ubuntu/bionic ubuntu/focal ubuntu/hirsute ubuntu/impish ubuntu/jammy ubuntu/kinetic ubuntu/noble ubuntu/oracular debian/jessie debian/stretch debian/buster debian/bullseye debian/bookworm debian/trixie debian/forky debian/duke debian/testing debian/unstable debian/sid' + debvers: 'ubuntu/bionic ubuntu/focal ubuntu/hirsute ubuntu/impish ubuntu/jammy ubuntu/kinetic ubuntu/noble ubuntu/oracular debian/jessie debian/stretch debian/buster debian/bullseye debian/bookworm debian/trixie debian/forky debian/duke debian/forky debian/sid' - uses: actions/upload-artifact@master name: Upload AppImage (${{matrix.arch}}) @@ -312,6 +312,9 @@ jobs: env: RUST_TARGET_TRIPLE: ${{matrix.rust_triple}} ARCH: ${{matrix.arch}} + # Branch name that enables DigiCert signing in PR builds for debugging. + # Change this value to match the feature branch you want to test signing on. + SIGN_ON_BRANCH: signing-debug steps: - name: Checkout 
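Review bot: The new `debvers` value lists `debian/forky` twice (`… debian/trixie debian/forky debian/duke debian/forky debian/sid`), which looks like an accidental replacement of the removed `debian/testing debian/unstable` rather than an intended duplicate; depending on how the packagecloud action handles repeats this is either a no-op or a second push to the same distro. I'd drop the second occurrence: `debvers: '… debian/trixie debian/forky debian/duke debian/sid'` with the rest of the list unchanged.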
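Review bot: `SIGN_ON_BRANCH: signing-debug` is added as a job-level env and its comment says it enables DigiCert signing in PR builds, but no `if:` in this patch reads it — every signing step still tests `github.event_name == 'push' && startsWith(github.ref, 'refs/tags')` — so the variable is dead and the comment describes behaviour that does not exist. If it is wired up later, the gate must stay on a `push` to a branch of this repository, e.g. a step-level `if: github.event_name == 'push' && github.ref == format('refs/heads/{0}', env.SIGN_ON_BRANCH)`, and never on `pull_request`, because signing a PR build would let arbitrary proposed code be signed with the release certificate. Until it is consulted I'd remove it or change the comment to `# Not yet used: intended to enable DigiCert signing on a named push branch for debugging.`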
@@ -319,12 +322,68 @@ jobs: with: fetch-depth: 0 + - name: Add Windows SDK signtool to PATH + shell: powershell + run: | + $x64 = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64' + $arm64 = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\arm64' + $newPath = "$x64;$arm64;$env:PATH" + echo "PATH=$newPath" >> $env:GITHUB_ENV + + - name: Decode certificate + if: (github.event_name == 'push' && startsWith(github.ref, 'refs/tags')) + env: + SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} + run: | + SM_CLIENT_CERT_FILE=$RUNNER_TEMP/certificate.p12 + echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > $SM_CLIENT_CERT_FILE + echo "SM_CLIENT_CERT_FILE=$SM_CLIENT_CERT_FILE" >> "$GITHUB_ENV" + shell: bash + + - name: Setup Software Trust Manager + if: (github.event_name == 'push' && startsWith(github.ref, 'refs/tags')) + uses: digicert/code-signing-software-trust-action@v1.0.0 + env: + SM_HOST: ${{ vars.SM_HOST }} + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + + - name: smctl diagnostics + if: (github.event_name == 'push' && startsWith(github.ref, 'refs/tags')) + shell: powershell + env: + SM_LOG_LEVEL: TRACE + SM_API_KEY: ${{ secrets.SM_API_KEY }} + SM_HOST: ${{ vars.SM_HOST }} + SM_KEYPAIR_ALIAS: ${{ vars.SM_KEYPAIR_ALIAS }} + SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ vars.SM_CODE_SIGNING_CERT_SHA1_HASH }} + SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} + SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} + run: | + Write-Host "=== smctl version ===" + smctl.exe --version + + Write-Host "=== smctl healthcheck ===" + smctl.exe healthcheck + + Write-Host "=== smctl healthcheck --tools ===" + smctl.exe healthcheck --tools + + Write-Host "=== smctl keypair ls ===" + smctl.exe keypair ls + + Write-Host "=== smctl certificate ls ===" + smctl.exe certificate ls + + Write-Host "=== Windows SDK signtool path(s) ===" + 
Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits" -Filter "signtool.exe" -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName + - name: Installing Node uses: actions/setup-node@v4.4.0 with: node-version: 22 - - run: npm i -g npx - run: rustup target add ${{matrix.rust_triple}} - name: Update node-gyp @@ -335,34 +394,15 @@ jobs: - name: Build shell: powershell run: | - npm i -g yar node-gyp + npm i -g yarn node-gyp yarn --network-timeout 1000000 yarn run build node scripts/prepackage-plugins.mjs env: ARCH: ${{matrix.arch}} - - name: Decode certificate - if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags')) - env: - SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} - run: | - SM_CLIENT_CERT_FILE=$RUNNER_TEMP/certificate.p12 - echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > $SM_CLIENT_CERT_FILE - echo "SM_CLIENT_CERT_FILE=$SM_CLIENT_CERT_FILE" >> "$GITHUB_ENV" - shell: bash - - - name: Setup Software Trust Manager - uses: digicert/code-signing-software-trust-action@v1.0.0 - if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags')) - env: - SM_HOST: ${{ vars.SM_HOST }} - SM_API_KEY: ${{ secrets.SM_API_KEY }} - SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }} - SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} - - name: Build and sign packages - if: github.event_name == 'push' && (startsWith(github.ref, 'refs/tags')) + if: (github.event_name == 'push' && startsWith(github.ref, 'refs/tags')) shell: powershell run: | Get-FileHash $env:SM_CLIENT_CERT_FILE -Algorithm MD5 
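Review bot: The new `smctl diagnostics` step runs on every tag push with `SM_LOG_LEVEL: TRACE` and with `SM_API_KEY` and `SM_CLIENT_CERT_PASSWORD` in its environment, so trace-level client output, plus the `keypair ls` / `certificate ls` enumeration of the signing keys, lands in the public release log of every release rather than only while this issue is being debugged; GitHub masks secrets only when they appear verbatim, so anything the client prints in a transformed form would not be redacted. I'd gate it on an explicit opt-in such as `if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') && vars.SM_DEBUG == 'true'` or delete it once signing works. Separately, the `Add Windows SDK signtool to PATH` step hard-codes `10.0.26100.0` and silently prepends a non-existent directory if the runner image ships another SDK; a one-line guard such as `if (-not (Test-Path $x64)) { throw "Windows SDK 10.0.26100.0 not found" }` before the `echo` would make that failure visible.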
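Review bot: Removing `Decode certificate` and `Setup Software Trust Manager` from here (they now run before `Installing Node` in the previous hunk) means the decoded client certificate at `$RUNNER_TEMP/certificate.p12`, its path exported through `GITHUB_ENV`, and whatever state the DigiCert action installs are all present while `yarn`, `yarn run build` and `node scripts/prepackage-plugins.mjs` execute, so any dependency lifecycle script can read them; before this change the build finished before the certificate was decoded. The `.p12` is password-protected and the password is a step-scoped `env:` value, which limits exposure only if the DigiCert action does not persist it or a session token somewhere the build can read. Unless the STM setup must precede Node setup for a reason not visible here, I'd move the decode/STM steps back to immediately before `Build and sign packages`, after the build and prepackage steps.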
@@ -389,14 +429,9 @@ jobs: SM_HOST: ${{ vars.SM_HOST }} SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ vars.SM_CODE_SIGNING_CERT_SHA1_HASH }} SM_KEYPAIR_ALIAS: ${{ vars.SM_KEYPAIR_ALIAS }} + SM_LOG_LEVEL: TRACE # DEBUG: electron-builder,electron-builder:* - - name: Build packages without signing - run: node scripts/build-windows.mjs - if: "! (github.event_name == 'push' && (startsWith(github.ref, 'refs/tags')))" - env: - ARCH: ${{matrix.arch}} - - name: Upload symbols run: | npm install @sentry/cli
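Review bot: Deleting the Windows `Build packages without signing` step leaves no Windows build at all for non-tag pushes and pull requests, because `Build and sign packages` is gated on `github.event_name == 'push' && startsWith(github.ref, 'refs/tags')` and the new `SIGN_ON_BRANCH` variable is not consulted anywhere in this patch; the `Upload symbols` step that follows (its body is outside this hunk) and any later artifact uploads will then run against an empty `dist`. If dropping unsigned Windows builds is intentional, gate those downstream steps the same way; otherwise keep the step with the inverse condition `if: "! (github.event_name == 'push' && startsWith(github.ref, 'refs/tags'))"`. Also, `SM_LOG_LEVEL: TRACE` is now a permanent setting on the release signing step, so the caveat about verbose client output in public release logs applies here as well; I'd make it conditional or remove it once the fix is confirmed.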