Remove Windows PFX signing fallback #3638
Azure Trusted Signing has been validated in shipped builds (v1.8.2, v1.9.0) and was already the only path CI ever took — `USE_AZURE_TRUSTED_SIGNING` was hardcoded to `1` in both pipelines, so the PFX branches were dead fallback. `windowsSign.ts` now gates on `CI && win32` rather than the env var, since the config is loaded by Forge on every platform and an unconditional Azure config would throw on Mac/Linux CI where the Azure env vars are absent. --- Generated with the help of Claude Code, https://claude.com/claude-code Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR removes the legacy Windows PFX signing fallback and makes Azure Trusted Signing the only intended signing path for Studio Windows build artifacts.
Changes:
- Removes `USE_AZURE_TRUSTED_SIGNING` from Buildkite Windows build jobs.
- Updates the Windows build script to always run Azure signing setup.
- Removes PFX fallback branches from Forge/Squirrel and AppX packaging paths.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `.buildkite/pipeline.yml` | Removes the Azure signing feature flag from Windows dev builds. |
| `.buildkite/release-build-and-distribute.yml` | Removes the Azure signing feature flag from Windows release builds. |
| `.buildkite/commands/build-for-windows.ps1` | Always initializes Azure Trusted Signing before building Windows artifacts. |
| `apps/studio/windowsSign.ts` | Switches signing activation from an env flag to Windows CI detection. |
| `apps/studio/forge.config.ts` | Removes Squirrel PFX signing fallback and only passes Azure signing config when present. |
| `scripts/package-appx.mjs` | Removes AppX PFX fallback and always signs sideload AppX output with Azure signing. |
| if ( ! process.env.CI || process.platform !== 'win32' ) { | ||
| return undefined; | ||
| } | ||
|
|
||
| if ( ! process.env.AZURE_CODE_SIGNING_DLIB || ! process.env.AZURE_METADATA_JSON || ! process.env.SIGNTOOL_PATH ) { |
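Review bot: The early return on the first line turns signing on for every job where `CI` is set and the platform is `win32`, so the check on `AZURE_CODE_SIGNING_DLIB`, `AZURE_METADATA_JSON` and `SIGNTOOL_PATH` on the last line is reached by Windows CI jobs that never intended to sign. Consider gating on an explicit opt-in signal that only the signing jobs set, and keep the env-var check behind it as the fail-closed step for jobs that did opt in.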
Good catch — confirmed. The Windows E2E job (run-e2e-tests.sh) runs electron-forge package for an intentionally-unsigned bundle and never runs setup_azure_trusted_signing.ps1, so a CI && win32 gate would have thrown at config import there.
Digging in, USE_AZURE_TRUSTED_SIGNING turned out to be load-bearing rather than redundant: it's the "sign this build" signal that the make jobs set and E2E leaves unset. So I've kept it as the gate (in windowsSign.ts and the pipelines) and removed only the dead PFX fallback branches. Addressed in 7dea0c6.
Posted by Claude (Opus 4.8) on behalf of @mokagio with approval.
`USE_AZURE_TRUSTED_SIGNING` is the signal that a build should be signed, not a redundant flag: it is set on the `make` build jobs and left unset on the Windows E2E job, which runs `electron-forge package` to produce an unsigned bundle. Removing it (and gating signing on `CI && win32` instead) would throw at config import on that E2E job and would leave the real build jobs producing unsigned installers. Retain the env var and the gate; remove only the dead PFX fallback branches. Surfaced by Copilot review on the PR. --- Generated with the help of Claude Code, https://claude.com/claude-code Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
📊 Performance Test Results
Comparing 7dea0c6 vs trunk
[Results tables not captured; metric groups: app-size, site-editor, site-startup]
Results are median values from multiple test runs. Legend: 🟢 Improvement (faster) | 🔴 Regression (slower) | ⚪ No change (<50ms diff)
Related issues
Follow-up to the Studio Azure Trusted Signing migration (AINFRA-2233): removing the PFX fallback now that Azure signing is confirmed in shipped builds.
How AI was used in this PR
Drafted with Claude Code (Opus 4.8). I reviewed the full diff, ran the type checker and lint, and verified the pipeline/PowerShell/JS syntax locally; the Windows signing path itself only runs on CI.
Proposed Changes
Studio's Windows build kept a PFX certificate as a fallback behind the `USE_AZURE_TRUSTED_SIGNING` switch. Azure Trusted Signing has shipped successfully (v1.8.2, v1.9.0) and CI hardcoded the switch to `1` everywhere, so the PFX branches were dead code. This removes them and makes Azure the only Windows signing path.
`windowsSign.ts` now gates on `CI && process.platform === 'win32'` instead of the env var, so the Forge config — loaded on every platform — stays inert on Mac/Linux instead of throwing where the Azure env vars are absent.
Testing Instructions
- `studio-setup.exe` / `.appx` artifacts (this is where the signing path actually executes).
- `npm run typecheck` and `npx eslint apps/studio/windowsSign.ts apps/studio/forge.config.ts scripts/package-appx.mjs` pass.
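The two gates discussed in the review thread, compared side by side in an added example (not the project's `windowsSign.ts`): an explicit `USE_AZURE_TRUSTED_SIGNING` opt-in versus `CI && win32` detection, each followed by a fail-closed check on the Azure variables. The config field names, function names, placeholder paths and the three job environments are assumptions constructed for illustration.

```typescript
// Added example; config field names and function names are hypothetical.
type Env = Record<string, string | undefined>;
interface AzureSignConfig { signToolPath: string; dlibPath: string; metadataPath: string }
const REQUIRED = [ 'AZURE_CODE_SIGNING_DLIB', 'AZURE_METADATA_JSON', 'SIGNTOOL_PATH' ];
function buildConfig( env: Env ): AzureSignConfig {
	const missing = REQUIRED.filter( ( name ) => ! env[ name ] );
	if ( missing.length > 0 ) {
		// Fail closed: a job that asked for signing must not continue unsigned.
		throw new Error( `Azure signing requested, missing: ${ missing.join( ', ' ) }` );
	}
	return {
		signToolPath: env[ 'SIGNTOOL_PATH' ] as string,
		dlibPath: env[ 'AZURE_CODE_SIGNING_DLIB' ] as string,
		metadataPath: env[ 'AZURE_METADATA_JSON' ] as string,
	};
}

// Explicit opt-in: only jobs that set the flag reach the Azure checks.
function gateOnFlag( env: Env ): AzureSignConfig | undefined {
	return env[ 'USE_AZURE_TRUSTED_SIGNING' ] === '1' ? buildConfig( env ) : undefined;
}

// Environment detection: every Windows CI job is treated as a signing job.
function gateOnPlatform( env: Env, platform: string ): AzureSignConfig | undefined {
	return env[ 'CI' ] && platform === 'win32' ? buildConfig( env ) : undefined;
}

// Collapse a gate call to one of three outcomes.
function outcome( run: () => AzureSignConfig | undefined ): string {
	try {
		return run() ? 'signed' : 'unsigned';
	} catch {
		return 'throws';
	}
}

// Constructed job environments; the paths are placeholders.
const azureVars: Env = {
	AZURE_CODE_SIGNING_DLIB: 'C:\\placeholder\\dlib.dll',
	AZURE_METADATA_JSON: 'C:\\placeholder\\metadata.json',
	SIGNTOOL_PATH: 'C:\\placeholder\\signtool.exe',
};
const makeJob: Env = { CI: 'true', USE_AZURE_TRUSTED_SIGNING: '1', ...azureVars };
const e2eJob: Env = { CI: 'true' }; // packages an intentionally unsigned bundle
const brokenMakeJob: Env = { CI: 'true', USE_AZURE_TRUSTED_SIGNING: '1' };
function compare( env: Env ): string {
	return `flag=${ outcome( () => gateOnFlag( env ) ) } platform=${ outcome( () => gateOnPlatform( env, 'win32' ) ) }`;
}
console.log( compare( makeJob ), compare( e2eJob ), compare( brokenMakeJob ) );
```

The `brokenMakeJob` case is the one to watch in a release pipeline: a job that opts in to signing but lacks the Azure variables stops with an error under either gate, so it cannot publish an unsigned installer.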