At Keytos, our mission is to create a more secure world by making cryptographic products easier to use. We have taken great steps toward securing our customers by creating EZSSH, which helps secure SSH endpoints, and EZGIT, the first SSH CA for GitHub. When building the client for these two products, we noticed that there was no easy way to sign your code in a proper CI/CD pipeline in GitHub Actions. Left unsolved, having to sign the code on one of our PAWs (you can learn how we secure our infrastructure) would have broken our customer commitment of minimizing human touches to production.
Drawing on the open-source community, we found some almost-working code-signing actions that needed a few changes to make them production-ready and secure enough to meet our standards. After making those tweaks, we started using the result as our code-signing tool for Windows and integrated it into our CI/CD pipeline.
After testing it internally for a few months and finding any issues that users might encounter, we are happy to announce our open-source GitHub Action for code signing: https://github.com/marketplace/actions/code-sign-a-file-in-windows-using-pfx-certificate. We hope this makes it easier for every organization in the world to code-sign its code, bringing us one step closer to a more secure internet.