Sign Windows binaries with Azure Trusted Signing.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

package.json

@@ -120,7 +120,11 @@
         }
       ],
       "icon": "build/icon.ico",
-      "publisherName": "Kandra Labs, Inc."
+      "publisherName": "Kandra Labs, Inc.",
+      "sign": "./scripts/win-sign.js",
+      "signingHashAlgorithms": [
+        "sha256"
+      ]
     },
     "msi": {
       "artifactName": "${productName}-${version}-${arch}.${ext}"
@@ -308,6 +312,7 @@
       },
       {
         "files": [
+          "scripts/win-sign.js",
           "tests/**/*.js"
         ],
         "parserOptions": {

scripts/win-sign.js

@@ -0,0 +1,20 @@
+"use strict";
+
+const childProcess = require("node:child_process");
+const {promisify} = require("node:util");
+
+const exec = promisify(childProcess.exec);
+
+exports.default = async ({path, hash}) => {
+  await exec(
+    `powershell.exe Invoke-TrustedSigning \
+-Endpoint https://eus.codesigning.azure.net/ \
+-CodeSigningAccountName kandralabs \
+-CertificateProfileName kandralabs \
+-Files '${path}' \
+-FileDigest '${hash}' \
+-TimestampRfc3161 http://timestamp.acs.microsoft.com \
+-TimestampDigest '${hash}'`,
+    {stdio: "inherit"},
+  );
+};