This document describes how to prepare ThreadPilot for signed production releases.
- Authenticate official binaries.
- Reduce SmartScreen friction.
- Provide traceability for shipped artifacts.
- Use an Authenticode code-signing certificate from a trusted CA.
- Store signing secrets in GitHub Environments with required approvals.
- Sign binaries only in protected release workflows triggered by tags.

```powershell
signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 /a "ThreadPilot.exe"
```

- Decode PFX from encrypted secret at workflow runtime.
- Import certificate into current user certificate store.
- Sign release binaries and installer artifacts.
- Publish SHA256 checksums and signature verification instructions.

```powershell
Get-AuthenticodeSignature .\ThreadPilot.exe
Get-FileHash .\ThreadPilot.exe -Algorithm SHA256
```

- Never commit certificates or private keys.
- Rotate secrets periodically.
- Require maintainer approval for release jobs.
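
The runtime steps listed above (decode the PFX, import it, sign, verify, publish checksums) can be combined into one PowerShell workflow step. This is an added example, not ThreadPilot's own release script; the secret names `SIGNING_PFX_BASE64` and `SIGNING_PFX_PASSWORD` and the output file `SHA256SUMS.txt` are assumptions, and `signtool.exe` is assumed to be on `PATH`.

```powershell
# Added example: hypothetical signing step for a protected, tag-triggered release job.
# Assumed names (not from the project): SIGNING_PFX_BASE64, SIGNING_PFX_PASSWORD, SHA256SUMS.txt.
$ErrorActionPreference = 'Stop'
$artifacts = @('.\ThreadPilot.exe')   # add installer artifacts to this list

# RUNNER_TEMP is the per-job temp directory on GitHub Actions runners.
$pfxPath = Join-Path $env:RUNNER_TEMP 'signing.pfx'
$cert = $null
try {
    # Decode the PFX from the encrypted secret at runtime; it never lives in the repository.
    [IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String($env:SIGNING_PFX_BASE64))
    $pfxPassword = ConvertTo-SecureString $env:SIGNING_PFX_PASSWORD -AsPlainText -Force

    # Import into the current user store and keep the thumbprint of exactly this certificate.
    $cert = Import-PfxCertificate -FilePath $pfxPath `
        -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

    foreach ($file in $artifacts) {
        # /sha1 pins the certificate by thumbprint instead of letting /a pick one.
        signtool sign /fd SHA256 /tr http://timestamp.digicert.com /td SHA256 `
            /sha1 $cert.Thumbprint $file
        if ($LASTEXITCODE -ne 0) { throw "signtool failed for $file" }

        # Fail the job unless Windows reports a valid, timestamped signature.
        $sig = Get-AuthenticodeSignature $file
        if ($sig.Status -ne 'Valid') { throw "Signature on $file is $($sig.Status)" }
        if (-not $sig.TimeStamperCertificate) { throw "No timestamp on $file" }
    }

    # Hash after signing: signing modifies the file, so pre-signing hashes would not match.
    $artifacts | ForEach-Object {
        $h = Get-FileHash $_ -Algorithm SHA256
        '{0}  {1}' -f $h.Hash.ToLower(), (Split-Path $_ -Leaf)
    } | Set-Content SHA256SUMS.txt -Encoding ascii
}
finally {
    # Remove key material from the runner whether or not signing succeeded.
    if ($cert) {
        Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey -ErrorAction SilentlyContinue
    }
    Remove-Item $pfxPath -Force -ErrorAction SilentlyContinue
}
```

Checking `TimeStamperCertificate` matters because a signature without a timestamp stops validating once the signing certificate expires.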