Skip to content

add Windows code signing config to prevent antivirus false positives #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

add Windows code signing config to prevent antivirus false positives #15

wants to merge 1 commit into from

Conversation

@sahithvibudhi
Copy link
Owner

@sahithvibudhi sahithvibudhi commented Aug 5, 2025

  • Configure electron-builder with Windows signing options
  • Add GitHub Actions environment variables for certificate handling
  • Enable SHA256 signing with DigiCert timestamp server
  • Sign all DLLs to ensure complete coverage

Fixes #12

Setup Required:

To complete the code signing setup, the following steps are needed:

  1. Obtain a code signing certificate from a trusted Certificate Authority:

    • Option A: Azure Trusted Signing (recommended for US/Canada organizations)
    • Option B: Extended Validation (EV) certificate for immediate trust
    • Option C: Organization Validation (OV) certificate (builds trust over time)

  2. Convert certificate to base64 format: bash # For .pfx or .p12 files base64 -i certificate.pfx -o certificate_base64.txt

  3. Add GitHub repository secrets:

    • Go to Settings → Secrets and variables → Actions
    • Add WIN_CSC_LINK (base64-encoded certificate content)
    • Add WIN_CSC_KEY_PASSWORD (certificate password)

  4. Create a new release to test the signed build

Once configured, Windows Defender should no longer flag VibeTree as malware.

@sahithvibudhi
fix: add Windows code signing configuration to prevent antivirus fals…
3c5f3be 
…e positives

- Configure electron-builder with Windows signing options
- Add GitHub Actions environment variables for certificate handling
- Enable SHA256 signing with DigiCert timestamp server
- Sign all DLLs to ensure complete coverage

Fixes #12

## Setup Required:

To complete the code signing setup, the following steps are needed:

1. [ ] Obtain a code signing certificate from a trusted Certificate Authority:
   - Option A: Azure Trusted Signing (recommended for US/Canada organizations)
   - Option B: Extended Validation (EV) certificate for immediate trust
   - Option C: Organization Validation (OV) certificate (builds trust over time)

2. [ ] Convert certificate to base64 format:
   ```bash
   # For .pfx or .p12 files
   base64 -i certificate.pfx -o certificate_base64.txt
   ```

3. [ ] Add GitHub repository secrets:
   - Go to Settings → Secrets and variables → Actions
   - Add WIN_CSC_LINK (base64-encoded certificate content)
   - Add WIN_CSC_KEY_PASSWORD (certificate password)

4. [ ] Create a new release to test the signed build

Once configured, Windows Defender should no longer flag VibeTree as malware.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Windows Defender reporting malware in VibeTree-0.0.1-Setup.exe

2 participants

@sahithvibudhi