twohoursonelife / OneLife

Two Hours One Life, building upon One Hour One Life. Join us on Discord to play.
https://twohoursonelife.com

Implement automated code signing of final exe included in package #155

Open connorhsm opened 2 years ago

connorhsm commented 2 years ago

This issue is all but resolved.

After some months of shopping around, I've settled on a "cloud based" Certum Open Source code signing certificate.

Unfortunately, with this certificate, the process of signing cannot be automated with a GitHub action as originally thought. Please do correct me if you have a solution to do this, though.

Also open to other relatively inexpensive certificates that could be automated with a GitHub action.

Manual signing presents challenges for us in coordinating our usually fast-paced release process, with having to coordinate between several timezones and busy schedules.

Currently proposed solution:

This does not currently take into account automatic updates and whether they include a specific exe that also needs to be signed. We currently do not make use of this feature but intend to in future.

connorhsm commented 1 year ago

I have been slowly progressing this in https://github.com/connorhsm/OneLife/ where I am aiming to use https://github.com/connorhsm/build-tools/ to automatically build clients following a GitHub release.

Roughly, one workflow would be triggered by the release, building the executables and packages, and uploading to the release. There would then be manual intervention to download, sign and upload the Windows executable, which would then trigger the second workflow.

The second workflow would then include the executable into the final package, generate update bundles, clean up any additional assets and potentially push the download links to the download server.