build(signing): sign Windows installers with self-signed certificate

CI Windows job now decodes a PFX from the WIN_CSC_LINK_BASE64 secret and
passes CSC_LINK + CSC_KEY_PASSWORD to electron-builder, so the NSIS
installer and zipped exe are Authenticode-signed. The step is gated on
the secret being present, so the workflow stays green if signing is
ever turned off.

Adds:
- scripts/generate-signing-cert.ps1: regenerate / rotate the cert
- build/Notepp-CodeSigning.cer: public cert, users can pre-trust it
- features/SIGNING.md: setup, rotation, and user-side trust runbook

SmartScreen still warns on first install (self-signed cert chain
doesn't reach a trusted CA), but the installer now shows the publisher
name, is tamper-evident, and motivated users can import the public
cert into Trusted Publishers to silence SmartScreen permanently.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: Yogesh Prajapati

.github/workflows/release.yml

@@ -88,12 +88,36 @@ jobs:
       - name: Build whiteboard iframe bundle
         run: npm run build:wb
 
+      # Decode the self-signed Windows code-signing PFX out of repo secrets
+      # so electron-builder can sign the NSIS installer + .exe. If the
+      # secret is missing the step is a no-op and the build ships unsigned
+      # — keeps the workflow green before the cert is provisioned.
+      # See scripts/generate-signing-cert.ps1 and features/SIGNING.md.
+      - name: Decode Windows signing certificate (Windows only)
+        if: matrix.os == 'windows-latest' && secrets.WIN_CSC_LINK_BASE64 != ''
+        shell: pwsh
+        env:
+          WIN_CSC_LINK_BASE64: ${{ secrets.WIN_CSC_LINK_BASE64 }}
+        run: |
+          $pfxPath = Join-Path $env:RUNNER_TEMP "notepp-codesign.pfx"
+          [System.IO.File]::WriteAllBytes(
+            $pfxPath,
+            [System.Convert]::FromBase64String($env:WIN_CSC_LINK_BASE64)
+          )
+          "CSC_LINK=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Append -Encoding utf8
+          Write-Host "Decoded signing PFX to $pfxPath"
+
       - name: Build & publish installer (electron-builder publishes to GitHub release)
         run: npx electron-builder ${{ matrix.target_flag }} --publish always
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # Skip Mac code-signing in CI — we ship unsigned builds for now.
-          # Users on macOS will need to right-click → Open the first time.
+          # Windows signing: CSC_LINK is set by the decode step above when
+          # WIN_CSC_LINK_BASE64 is configured. CSC_KEY_PASSWORD comes
+          # straight from the secret. If either is empty, electron-builder
+          # silently skips signing (= unsigned build, current behaviour).
+          CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
+          # Skip Mac code-signing in CI — self-signed certs are useless on
+          # macOS (Gatekeeper requires an Apple Developer cert + notarization).
           CSC_IDENTITY_AUTO_DISCOVERY: false
 
       - name: Upload platform artifacts (for the release job)

.gitignore

@@ -14,3 +14,9 @@ src/excalidraw-fonts/
 
 .claude/
 
+# Code-signing private key — generated by scripts/generate-signing-cert.ps1.
+# The public .cer in build/ IS committed; the .pfx and anything else under
+# .signing/ MUST stay local.
+.signing/
+*.pfx
+

build/Notepp-CodeSigning.cer

@@ -0,0 +1,119 @@
+# Windows Code Signing (self-signed)
+
+Note++ Windows installers are signed in CI with a self-signed code-signing
+certificate. This document explains the one-time setup, how CI consumes the
+cert, and what users see.
+
+> Self-signed certs **do not** bypass SmartScreen — the cert chain doesn't
+> reach a trusted CA, so Windows still warns "unrecognized app". What signing
+> does buy you:
+>
+> - Installer shows **Yogesh Prajapati** as publisher instead of "Unknown
+>   publisher".
+> - Artifacts are tamper-evident — modification breaks the signature.
+> - Users who manually trust the public `.cer` (one-time import into Trusted
+>   Publishers) get zero SmartScreen prompts on future installs.
+> - When we eventually buy a real OV/EV cert, the wiring is already in place.
+
+---
+
+## Files in this repo
+
+| Path | Role | Committed? |
+|---|---|---|
+| `scripts/generate-signing-cert.ps1` | Creates a new self-signed cert, exports PFX + CER, prints CI secret values | Yes |
+| `build/Notepp-CodeSigning.cer` | Public certificate. Users can import this into Trusted Publishers to silence SmartScreen | Yes (after first run) |
+| `.signing/Notepp-CodeSigning.pfx` | **Private** key. Generated locally, never committed | No (`.gitignore`) |
+
+## One-time setup
+
+1. From a Windows PowerShell prompt at the repo root:
+
+   ```powershell
+   pwsh -File scripts/generate-signing-cert.ps1
+   ```
+
+   The script prompts for a PFX password, generates a 5-year SHA-256
+   code-signing cert in `Cert:\CurrentUser\My`, exports both the PFX and CER
+   to `.signing/`, and copies the public CER into `build/`.
+
+2. The script prints two values when it finishes. Add both as GitHub Actions
+   secrets at <https://github.com/YogeshPraj/Note-/settings/secrets/actions>:
+
+   | Secret name | Value |
+   |---|---|
+   | `WIN_CSC_LINK_BASE64` | Base64 of the PFX (printed by the script) |
+   | `WIN_CSC_KEY_PASSWORD` | The PFX password you chose |
+
+3. Commit the public cert and push:
+
+   ```bash
+   git add build/Notepp-CodeSigning.cer
+   git commit -m "build(signing): add public code-signing certificate"
+   git push
+   ```
+
+4. Tag a release (`vX.Y.Z`). The Windows runner decodes the PFX, electron-builder
+   sees `CSC_LINK` + `CSC_KEY_PASSWORD`, and signs `notepp-win-x64.exe`
+   automatically.
+
+## How CI consumes the cert
+
+`.github/workflows/release.yml`, Windows job:
+
+1. `Decode Windows signing certificate` step writes the base64 secret to a
+   `.pfx` under `$RUNNER_TEMP` and exports its path as `CSC_LINK` via
+   `$GITHUB_ENV`.
+2. The `electron-builder` step picks up `CSC_LINK` + `CSC_KEY_PASSWORD`
+   automatically — no `package.json` change required.
+3. If `WIN_CSC_LINK_BASE64` isn't set, the decode step is skipped and
+   electron-builder ships an unsigned build. The workflow stays green.
+
+macOS and Linux runners ignore these secrets — see "Why not Mac/Linux?" below.
+
+## Verifying a signed build
+
+After downloading `notepp-win-x64.exe` from a release:
+
+```powershell
+Get-AuthenticodeSignature .\notepp-win-x64.exe
+```
+
+`Status` should be `Valid`, signer should be `CN=Yogesh Prajapati`. (Windows
+will list it as `UnknownError` if the cert isn't yet in any trust store on
+the verifying machine — that's expected for self-signed.)
+
+## Users: silencing SmartScreen permanently (optional)
+
+A motivated user can pre-trust the cert once:
+
+1. Download `Notepp-CodeSigning.cer` from the repo's `build/` folder.
+2. Double-click → **Install Certificate** → **Local Machine** → **Place all
+   certificates in the following store** → **Trusted Publishers** → Finish.
+3. From then on, every signed Note++ installer launches without the
+   "Windows protected your PC" dialog.
+
+Document this in the GitHub release notes if you want users to discover it.
+
+## Rotating the cert
+
+The cert is valid for 5 years. To rotate:
+
+1. Re-run `scripts/generate-signing-cert.ps1` (it creates a brand-new cert).
+2. Update both GitHub secrets with the new values it prints.
+3. Replace `build/Notepp-CodeSigning.cer` with the new public cert and
+   commit.
+4. Note: `electron-updater` verifies that an update's signing publisher
+   matches the currently-installed publisher. As long as the new cert has
+   the same `CN`, auto-updates from old installs keep working.
+
+## Why not Mac/Linux?
+
+- **macOS** — Gatekeeper validates against an Apple-issued Developer ID cert
+  chain. A self-signed cert is no better than no cert; both produce the same
+  "unidentified developer" prompt. Mac signing requires a paid Apple
+  Developer account ($99/yr) + notarization.
+- **Linux** — `.deb` and AppImage don't have a desktop-level signing model
+  comparable to Authenticode. The closest equivalent is a detached GPG
+  signature alongside the artifact, which we can add later if there's
+  demand.

features/SIGNING.md

@@ -0,0 +1,104 @@
+# ---------------------------------------------------------------------------
+# generate-signing-cert.ps1
+#
+# Creates a self-signed code-signing certificate for Note++, exports it as
+# a password-protected PFX (private key, NEVER commit) and a CER (public,
+# safe to commit), and prints the values you need to upload as GitHub
+# Actions secrets so CI can sign Windows installers automatically.
+#
+# Run from PowerShell (no admin required for CurrentUser store):
+#   pwsh -File scripts/generate-signing-cert.ps1
+#
+# Optional parameters:
+#   -Subject       Common name on the cert. Defaults to "CN=Yogesh Prajapati".
+#   -OutDir        Where to write the .pfx + .cer. Defaults to ./.signing/.
+#   -ValidYears    Cert validity. Defaults to 5.
+#
+# After running:
+#   1. Commit build/Notepp-CodeSigning.cer (the public cert, copied by
+#      this script).
+#   2. In the GitHub repo: Settings -> Secrets and variables -> Actions
+#      -> New repository secret. Add the two secrets the script prints:
+#        WIN_CSC_LINK_BASE64    (base64 of the .pfx)
+#        WIN_CSC_KEY_PASSWORD   (the PFX password)
+#   3. Tag and push a release. The Windows runner will pick the secrets
+#      up automatically via release.yml.
+# ---------------------------------------------------------------------------
+
+[CmdletBinding()]
+param(
+  [string] $Subject = "CN=Yogesh Prajapati",
+  [string] $OutDir = (Join-Path $PSScriptRoot "..\.signing"),
+  [int]    $ValidYears = 5
+)
+
+$ErrorActionPreference = "Stop"
+
+$repoRoot = Resolve-Path (Join-Path $PSScriptRoot "..")
+$OutDir   = (Resolve-Path -LiteralPath (New-Item -ItemType Directory -Path $OutDir -Force)).Path
+$buildDir = Join-Path $repoRoot "build"
+if (-not (Test-Path $buildDir)) { New-Item -ItemType Directory -Path $buildDir | Out-Null }
+
+$pfxPath = Join-Path $OutDir "Notepp-CodeSigning.pfx"
+$cerPath = Join-Path $OutDir "Notepp-CodeSigning.cer"
+$cerRepo = Join-Path $buildDir "Notepp-CodeSigning.cer"
+
+Write-Host ""
+Write-Host "Generating self-signed code-signing certificate" -ForegroundColor Cyan
+Write-Host "  Subject     : $Subject"
+Write-Host "  Valid for   : $ValidYears years"
+Write-Host "  Output dir  : $OutDir"
+Write-Host ""
+
+$pwd = Read-Host -Prompt "Choose a PFX password (you will need this for the GitHub secret)" -AsSecureString
+if ($pwd.Length -eq 0) { throw "Password cannot be empty." }
+
+$cert = New-SelfSignedCertificate `
+  -Type CodeSigningCert `
+  -Subject $Subject `
+  -KeyUsage DigitalSignature `
+  -KeyAlgorithm RSA `
+  -KeyLength 3072 `
+  -HashAlgorithm SHA256 `
+  -CertStoreLocation "Cert:\CurrentUser\My" `
+  -NotAfter (Get-Date).AddYears($ValidYears) `
+  -FriendlyName "Note++ Code Signing"
+
+Write-Host "Created cert. Thumbprint: $($cert.Thumbprint)" -ForegroundColor Green
+
+Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pwd | Out-Null
+Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null
+Copy-Item -Path $cerPath -Destination $cerRepo -Force
+
+Write-Host ""
+Write-Host "Wrote:"
+Write-Host "  $pfxPath   (private key, DO NOT COMMIT)"
+Write-Host "  $cerPath   (public cert)"
+Write-Host "  $cerRepo   (public cert, copied into build/ for the repo)"
+Write-Host ""
+
+$pfxBytes = [System.IO.File]::ReadAllBytes($pfxPath)
+$b64      = [System.Convert]::ToBase64String($pfxBytes)
+
+$pwdPlain = [System.Net.NetworkCredential]::new("", $pwd).Password
+
+Write-Host "---------- GitHub Actions secrets ----------" -ForegroundColor Yellow
+Write-Host "Add these two repository secrets at:"
+Write-Host "  https://github.com/YogeshPraj/Note-/settings/secrets/actions"
+Write-Host ""
+Write-Host "Secret name : WIN_CSC_LINK_BASE64"
+Write-Host "Secret value:"
+Write-Host $b64
+Write-Host ""
+Write-Host "Secret name : WIN_CSC_KEY_PASSWORD"
+Write-Host "Secret value: $pwdPlain"
+Write-Host "--------------------------------------------"
+Write-Host ""
+Write-Host "Next steps:" -ForegroundColor Cyan
+Write-Host "  1. Add both secrets in the GitHub repo settings (link above)."
+Write-Host "  2. git add build/Notepp-CodeSigning.cer  &&  git commit"
+Write-Host "  3. Tag and push a release. The Windows runner will sign automatically."
+Write-Host ""
+Write-Host "Verify locally (optional):"
+Write-Host "  Get-AuthenticodeSignature path\to\notepp-win-x64.exe"
+Write-Host ""