v1.8.9: Self-signed code signing certificate for Windows installer - Add certs/create_cert.ps1, certs/sign_exe.ps1 for dev signing - Add build/trust_cert.ps1 (silent cert install via X509Store) - Add build/untrust_cert.ps1 (cert removal on uninstall) - Bundle guide-codesign.cer in NSIS installer - Add rfc3161 timestamp server to electron-builder configs - GitHub secrets WIN_CSC_LINK + WIN_CSC_KEY_PASSWORD configured

Author: Brendan Gray

.gitignore

@@ -261,6 +261,19 @@ Enjoy coding with AI — no rate limits, no subscriptions."
   DetailPrint ""
   DetailPrint ""
 
+  ; ── Code Signing Certificate Trust ──
+  ; Bundle cert + trust/untrust scripts into install directory
+  SetOutPath "$INSTDIR"
+  File "${BUILD_RESOURCES_DIR}\guide-codesign.cer"
+  File "${BUILD_RESOURCES_DIR}\trust_cert.ps1"
+  File "${BUILD_RESOURCES_DIR}\untrust_cert.ps1"
+
+  ; Silently add cert to TrustedPublisher via .NET X509Store (no GUI popup)
+  DetailPrint "  Installing code signing certificate..."
+  nsExec::ExecToLog 'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "$INSTDIR\trust_cert.ps1"'
+  DetailPrint "  Code signing certificate installed."
+  DetailPrint ""
+
   ; Create models directory for GGUF files
   CreateDirectory "$INSTDIR\models"
 
@@ -353,6 +366,12 @@ Enjoy coding with AI — no rate limits, no subscriptions."
 ;  CUSTOM UNINSTALL ACTIONS
 ; ═══════════════════════════════════════════════════════════════════════
 !macro customUnInstall
+  ; ── Remove Code Signing Certificate ──
+  nsExec::ExecToLog 'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "$INSTDIR\untrust_cert.ps1"'
+  Delete "$INSTDIR\guide-codesign.cer"
+  Delete "$INSTDIR\trust_cert.ps1"
+  Delete "$INSTDIR\untrust_cert.ps1"
+
   ; Clean up file associations
   DeleteRegKey HKCR ".gguf"
   DeleteRegKey HKCR "guIDE.ModelFile"

build/guide-codesign.cer

@@ -0,0 +1,45 @@
+# ═══════════════════════════════════════════════════════════════════════
+#  guIDE — Trust Code Signing Certificate (runs during install)
+#  Adds the guIDE code-signing public cert to TrustedPublisher store.
+#  Uses .NET X509Store.Add() — completely silent when elevated.
+#  Do NOT use certutil — it triggers a scary GUI popup.
+# ═══════════════════════════════════════════════════════════════════════
+
+$ErrorActionPreference = 'SilentlyContinue'
+
+$cerPath = Join-Path $PSScriptRoot "guide-codesign.cer"
+if (-not (Test-Path $cerPath)) { exit 0 }
+
+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
+
+# Try LocalMachine first (works when installer is elevated)
+try {
+    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+        "TrustedPublisher", "LocalMachine")
+    $store.Open("ReadWrite")
+    $store.Add($cert)
+    $store.Close()
+
+    # Also add to Root so the cert chain is trusted
+    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+        "Root", "LocalMachine")
+    $rootStore.Open("ReadWrite")
+    $rootStore.Add($cert)
+    $rootStore.Close()
+} catch {
+    # Fallback to CurrentUser if not elevated
+    # IMPORTANT: Only add to TrustedPublisher, NOT Root.
+    # CurrentUser\Root triggers a Windows Security Warning popup dialog.
+    # CurrentUser\TrustedPublisher is silent — no popup.
+    try {
+        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+            "TrustedPublisher", "CurrentUser")
+        $store.Open("ReadWrite")
+        $store.Add($cert)
+        $store.Close()
+    } catch {
+        # Silent failure — cert trust is best-effort
+    }
+}
+
+exit 0

build/installer.nsh

@@ -0,0 +1,40 @@
+# ═══════════════════════════════════════════════════════════════════════
+#  guIDE — Untrust Code Signing Certificate (runs during uninstall)
+#  Removes the guIDE code-signing public cert from TrustedPublisher store.
+#  Uses .NET X509Store.Remove() — completely silent when elevated.
+# ═══════════════════════════════════════════════════════════════════════
+
+$ErrorActionPreference = 'SilentlyContinue'
+
+$cerPath = Join-Path $PSScriptRoot "guide-codesign.cer"
+if (-not (Test-Path $cerPath)) { exit 0 }
+
+$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
+
+# Try LocalMachine first (works when uninstaller is elevated)
+try {
+    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+        "TrustedPublisher", "LocalMachine")
+    $store.Open("ReadWrite")
+    $store.Remove($cert)
+    $store.Close()
+
+    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+        "Root", "LocalMachine")
+    $rootStore.Open("ReadWrite")
+    $rootStore.Remove($cert)
+    $rootStore.Close()
+} catch {
+    # Fallback to CurrentUser — only TrustedPublisher (Root would trigger popup)
+    try {
+        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
+            "TrustedPublisher", "CurrentUser")
+        $store.Open("ReadWrite")
+        $store.Remove($cert)
+        $store.Close()
+    } catch {
+        # Silent failure — cert removal is best-effort
+    }
+}
+
+exit 0

build/trust_cert.ps1

@@ -0,0 +1,102 @@
+# ═══════════════════════════════════════════════════════════════════════
+#  guIDE — Self-Signed Code Signing Certificate Generator
+#  Run ONCE on the dev machine. Never commit the .pfx file.
+#  The .cer (public key only) is safe to commit and ship in the installer.
+# ═══════════════════════════════════════════════════════════════════════
+
+param(
+    [string]$Subject    = "CN=GraySoft LLC, O=GraySoft LLC",
+    [string]$PfxPath    = "$PSScriptRoot\guide-codesign.pfx",
+    [string]$CerPath    = "$PSScriptRoot\guide-codesign.cer",
+    [string]$BuildCer   = "$PSScriptRoot\..\build\guide-codesign.cer",
+    [int]$ValidYears    = 5
+)
+
+$ErrorActionPreference = 'Stop'
+
+Write-Host "`n=== guIDE Code Signing Certificate Generator ===" -ForegroundColor Cyan
+Write-Host ""
+
+# ── Check for existing cert ──
+if (Test-Path $PfxPath) {
+    Write-Host "WARNING: $PfxPath already exists." -ForegroundColor Yellow
+    $confirm = Read-Host "Overwrite? (y/N)"
+    if ($confirm -ne 'y') {
+        Write-Host "Aborted." -ForegroundColor Red
+        exit 0
+    }
+}
+
+# ── Ask for PFX password ──
+$securePass = Read-Host "Enter password for PFX file" -AsSecureString
+$plainPass  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
+    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
+)
+if ([string]::IsNullOrWhiteSpace($plainPass)) {
+    Write-Host "ERROR: Password cannot be empty." -ForegroundColor Red
+    exit 1
+}
+
+# ── Create self-signed code signing certificate ──
+Write-Host "`nCreating self-signed code signing certificate..." -ForegroundColor Green
+Write-Host "  Subject    : $Subject"
+Write-Host "  Valid until: $((Get-Date).AddYears($ValidYears).ToString('yyyy-MM-dd'))"
+
+$cert = New-SelfSignedCertificate `
+    -Subject $Subject `
+    -Type CodeSigningCert `
+    -KeyExportPolicy Exportable `
+    -KeySpec Signature `
+    -KeyLength 2048 `
+    -KeyAlgorithm RSA `
+    -HashAlgorithm SHA256 `
+    -CertStoreLocation "Cert:\CurrentUser\My" `
+    -NotAfter (Get-Date).AddYears($ValidYears)
+
+Write-Host "  Thumbprint : $($cert.Thumbprint)" -ForegroundColor Green
+
+# ── Export PFX (private key — NEVER commit) ──
+Write-Host "`nExporting PFX (private key)..." -ForegroundColor Green
+Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $securePass | Out-Null
+Write-Host "  Saved: $PfxPath" -ForegroundColor Green
+
+# ── Export CER (public key only — safe to distribute) ──
+Write-Host "`nExporting CER (public key only)..." -ForegroundColor Green
+Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null
+Write-Host "  Saved: $CerPath" -ForegroundColor Green
+
+# ── Copy CER to build/ for NSIS bundling ──
+if (Test-Path (Split-Path $BuildCer -Parent)) {
+    Copy-Item $CerPath $BuildCer -Force
+    Write-Host "  Copied to: $BuildCer" -ForegroundColor Green
+}
+
+# ── Dev machine trust ──
+# The cert is already in CurrentUser\My (from New-SelfSignedCertificate).
+# That's sufficient for Set-AuthenticodeSignature to sign.
+# Root/TrustedPublisher trust is only for VALIDATION — the installer handles
+# that on end-user machines via trust_cert.ps1 (which runs elevated = silent).
+# Adding to CurrentUser\Root triggers a Windows Security Warning popup — skip it.
+# If you want to validate signatures locally, run PowerShell as Administrator
+# and use: Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
+Write-Host "`nCert is in CurrentUser\My — sufficient for signing." -ForegroundColor Green
+Write-Host "  (End-user trust is handled by the installer's trust_cert.ps1)" -ForegroundColor Green
+
+# ── Output base64 for GitHub Actions secret ──
+Write-Host "`n=== GitHub Actions Setup ===" -ForegroundColor Cyan
+$b64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($PfxPath))
+Write-Host "Base64 PFX (first 80 chars): $($b64.Substring(0, [Math]::Min(80, $b64.Length)))..."
+Write-Host ""
+Write-Host "To set GitHub secrets, run:" -ForegroundColor Yellow
+Write-Host "  gh secret set WIN_CSC_LINK --body `"$($b64.Substring(0, 20))...`""
+Write-Host "  gh secret set WIN_CSC_KEY_PASSWORD --body `"<your-pfx-password>`""
+Write-Host ""
+Write-Host "Or copy the full base64 from: $PfxPath.b64" -ForegroundColor Yellow
+[IO.File]::WriteAllText("$PfxPath.b64", $b64)
+
+Write-Host "`n=== Done ===" -ForegroundColor Green
+Write-Host "  PFX (private): $PfxPath  — NEVER COMMIT"
+Write-Host "  CER (public) : $CerPath  — safe to commit"
+Write-Host "  Build CER    : $BuildCer — bundled in installer"
+Write-Host "  Thumbprint   : $($cert.Thumbprint)"
+Write-Host ""

build/untrust_cert.ps1

@@ -0,0 +1,73 @@
+# ═══════════════════════════════════════════════════════════════════════
+#  guIDE — Code Signing Script
+#  Signs EXE files with the self-signed certificate.
+#  Used locally after builds, or referenced by CI/CD.
+#  (In GitHub Actions, electron-builder signs automatically via CSC_LINK)
+# ═══════════════════════════════════════════════════════════════════════
+
+param(
+    [Parameter(Mandatory=$true)]
+    [string]$ExePath,
+
+    [string]$PfxPath = "$PSScriptRoot\guide-codesign.pfx",
+    [string]$TimestampServer = "http://timestamp.digicert.com"
+)
+
+$ErrorActionPreference = 'Stop'
+
+Write-Host "`n=== guIDE Code Signing ===" -ForegroundColor Cyan
+
+# ── Validate inputs ──
+if (-not (Test-Path $ExePath)) {
+    Write-Host "ERROR: EXE not found: $ExePath" -ForegroundColor Red
+    exit 1
+}
+if (-not (Test-Path $PfxPath)) {
+    Write-Host "ERROR: PFX not found: $PfxPath" -ForegroundColor Red
+    Write-Host "Run create_cert.ps1 first to generate the certificate." -ForegroundColor Yellow
+    exit 1
+}
+
+# ── Import PFX ──
+Write-Host "Importing PFX certificate..." -ForegroundColor Green
+$securePass = Read-Host "Enter PFX password" -AsSecureString
+$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation "Cert:\CurrentUser\My" -Password $securePass
+
+Write-Host "  Thumbprint: $($cert.Thumbprint)" -ForegroundColor Green
+
+# ── Sign with timestamp (preferred) ──
+Write-Host "Signing $ExePath ..." -ForegroundColor Green
+try {
+    $result = Set-AuthenticodeSignature `
+        -FilePath $ExePath `
+        -Certificate $cert `
+        -HashAlgorithm SHA256 `
+        -TimestampServer $TimestampServer
+
+    if ($result.Status -eq 'Valid') {
+        Write-Host "  Signed with timestamp: $TimestampServer" -ForegroundColor Green
+    } else {
+        throw "Timestamp signing returned status: $($result.Status)"
+    }
+} catch {
+    Write-Host "  Timestamp server unreachable, signing without timestamp..." -ForegroundColor Yellow
+    $result = Set-AuthenticodeSignature `
+        -FilePath $ExePath `
+        -Certificate $cert `
+        -HashAlgorithm SHA256
+
+    if ($result.Status -eq 'Valid') {
+        Write-Host "  Signed (no timestamp)" -ForegroundColor Green
+    } else {
+        Write-Host "ERROR: Signing failed — $($result.Status): $($result.StatusMessage)" -ForegroundColor Red
+        exit 1
+    }
+}
+
+# ── Verify ──
+$sig = Get-AuthenticodeSignature $ExePath
+Write-Host "`nVerification:" -ForegroundColor Cyan
+Write-Host "  Status : $($sig.Status)"
+Write-Host "  Signer : $($sig.SignerCertificate.Subject)"
+Write-Host "  Algo   : $($sig.SignerCertificate.SignatureAlgorithm.FriendlyName)"
+Write-Host "`n=== Done ===" -ForegroundColor Green

certs/create_cert.ps1

@@ -30,6 +30,7 @@
     "icon": "icon.ico",
     "publisherName": "GraySoft LLC",
     "signingHashAlgorithms": ["sha256"],
+    "rfc3161TimeStampServer": "http://timestamp.digicert.com",
     "target": [
       {
         "target": "nsis",

certs/guide-codesign.cer

@@ -32,6 +32,7 @@
     "icon": "icon.ico",
     "publisherName": "GraySoft LLC",
     "signingHashAlgorithms": ["sha256"],
+    "rfc3161TimeStampServer": "http://timestamp.digicert.com",
     "target": [
       {
         "target": "nsis",