chore: add code signing certificate details for Windows build #16670

Closed

minijus
Contributor

@minijus minijus commented May 25, 2021

Part of #2543

This pull request attempts to add the environment options required to build a signed Windows executable.

Core Cypress team should:

  • acquire a code signing certificate
  • update the environment with the new details
  • verify that the PR builds and produces a signed executable (branch should be moved to the cypress project?)

@cypress-bot
Contributor

cypress-bot bot commented May 25, 2021

Thanks for taking the time to open a PR!

@jennifer-shehane
Member

jennifer-shehane commented May 25, 2021

@minijus What is the actual experience when trying to install Cypress on a Windows machine that requires code signing? I'm curious to see how this is directly affecting people with these settings. Do you see an error during install? Is it a strange state the app gets in?

@minijus
Contributor Author

minijus commented May 25, 2021

> @minijus What is the actual experience when trying to install Cypress on a Windows machine that requires code signing? I'm curious to see how this is directly affecting people with these settings. Do you see an error during install? Is it a strange state the app gets in?

In organisations that control what can be launched on Windows, there are different ways to control the allowed list of applications:

  • Signed executables can be added to the allowed list of applications simply by trusting the application name + signature data. This approach does not require maintenance and also allows running different versions of the executable.
  • Executables could be hashed. This approach allows running non-signed executables, but requires hashing each executable and maintaining the list of hashes for each executable change (each version).

Answering your questions - there is no error during installation as technically there is no installation, it is just a download of the executable. However, launching cypress ($(npm bin)/cypress open) fails because it is not allowed by the system administrator. Having a code-signed executable is a prerequisite for a convenient way to allow running the cypress executable.
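
An added example, not part of the comment above or of the Cypress project's code: a PowerShell check an administrator could run against a downloaded executable to see which of the two allowlisting approaches described above is available for it. The function name `Get-AllowlistBasis` and the `-Path` parameter are hypothetical, and the file path is supplied by the caller; `Get-AuthenticodeSignature` and `Get-FileHash` are standard cmdlets.

```powershell
# Added example: for each executable, report whether a signature-based
# (publisher) rule is possible or only a per-version hash rule.
# -Path is supplied by the caller; no product-specific location is assumed.
param(
    [Parameter(Mandatory)]
    [string[]]$Path
)

function Get-AllowlistBasis {
    param([Parameter(Mandatory)][string]$LiteralPath)

    $file = Get-Item -LiteralPath $LiteralPath -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Only a signature that validates can back a publisher rule.
    # NotSigned, HashMismatch, NotTrusted and similar states leave
    # hashing as the only way to allow the file.
    $signed = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

    if ($signed) {
        $publisher = $sig.SignerCertificate.Subject
        $basis     = 'publisher: one rule covers later versions signed by the same publisher'
    } else {
        $publisher = $null
        $basis     = 'hash: this SHA-256 must be re-listed for every new build'
    }

    [pscustomobject]@{
        File            = $file.Name
        FileVersion     = $file.VersionInfo.FileVersion
        SignatureStatus = $sig.Status
        Publisher       = $publisher
        Sha256          = $hash
        RuleBasis       = $basis
    }
}

$Path | ForEach-Object { Get-AllowlistBasis -LiteralPath $_ } | Format-List
```

Running it against two versions of the same unsigned binary shows two different hashes and no publisher, which is the maintenance burden the hash approach carries.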

@jennifer-shehane
Member

> However, launching cypress ($(npm bin)/cypress open) fails because it is not allowed by system administrator.

What does this look like exactly? Are there errors when it is opened? Is the app in a state that is unusual? I want to be able to recognize this state, in case people don't understand that the Cypress executable is blocked and can't express that this is the problem with opening Cypress.

@minijus
Contributor Author

minijus commented May 25, 2021

The error is not descriptive and normally it would be really difficult to troubleshoot it. Knowing that your organisation allows only listed executables to run helps :) Once this particular executable was listed as allowed (by hashing the file) the error was gone and cypress launched just fine.

[Screenshot: cypress-open-blocked]

@jennifer-shehane
Member

@minijus Thanks for providing this, it will help us in assessing and prioritizing work for this issue.

@CypressJosh CypressJosh requested a review from flotwig June 3, 2021 15:18
@flotwig
Contributor

flotwig commented Jun 11, 2021

@minijus As an update, I am working on obtaining a code signing certificate. Once I have that, I will fork your PR so that we can run the full Cypress CI pipeline (w/ secrets) against it and ensure that the distributables are signed.

Contributor

@flotwig flotwig left a comment

@minijus The changes seem to be working. I opened #16946 (so as to have access to secret env var) with the aim of getting merged into the next release. In that PR I've attached screenshots of the signing working. Thanks again for your work on this.

@flotwig flotwig closed this Jun 15, 2021