[Article] How to code sign Windows installers with an EV cert in the cloud

There didn’t seem to be a solid description anywhere on how to do Windows EV code signing in CI, so I wrote this up:

A JUCE example on GitHub Actions is here:


Thanks for this. Very useful to know.


I like how you’re writing “Things get a bit hairy now.” in step 7, when I was already nauseous, haha.
It is unexplainable to me why it is so unbearably complicated to simply sign an application on windows.

Thank you for taking the time to battle through this!

1 Like

Thanks a lot! I love your articles and the delightful style you put into them.

1 Like

Glad it was helpful. I’ve benefitted a lot from your fantastic open source work (gin, etc), so thank YOU!

Ha, maybe I played the drama up a bit… The main issue was the lack of documentation/evidence of anyone succeeding in the real world. It the end, it’s not too bad, just hundreds of dollars, weeks of waiting, and then some copy and pasting :sweat_smile:.

Thanks Mathieu, I appreciate it!

1 Like

Hi sudara,

May I ask how to sign up for an GCC account? I check the website but there is only login.

I believe you only get a GlobalSign account after making a purchase and successfully passing their manual validation process.

1 Like

Thanks a lot. I’m also stuck at step 7 too. This is my first time using GitHub Actions. Do I need to run all commands in GitHub Actions instead of local machine?

It turns out that for step 7, the signtool could be run on local windows machine too if CI/CD is not required.

  1. install dotnet framework
  2. run “dotnet tool install --global AzureSignTool”
  3. run “AzureSignTool sign -kvu “${{ secrets.AZURE_KEY_VAULT_URI }}” -kvi “${{ secrets.AZURE_CLIENT_ID }}” -kvt “${{ secrets.AZURE_TENANT_ID }}”-kvs “${{ secrets.AZURE_CLIENT_SECRET }}” -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v yourInstaller.exe”

Has anybody found a way to apply the required pace signature for aax with an cloud EV cert?