Description
With the increasing adoption of Windows “Smart App Control”, code-signing of all executables and DLLs is increasingly becoming a requirement in various contexts. (It is also useful to have additional ways of verifying critical components like the compiler and runtimes.)
While this isn’t as big an issue for most developer environments (which probably don’t have this feature enabled), some llvm-mingw project .DLL files may be redistributed with built applications as well (i.e. libc++.dll, libomp.dll, libunwind.dll, libwinpthread-1.dll, libclang_rt.*.dll). It would be fantastic if these could be code-signed before uploading to the release packages, and thus all applications redistributing those files would benefit.
It should be possible to sign up for a free code-signing certificate for this open-source project from the SignPath Foundation: https://signpath.org/ (And this also allows integration of code signing into the GitHub Actions workflow.) Once set up to sign the redistributable .DLLs, it should be easy to sign the compiler + build tool executables as well.
(Code signing can also help reduce false-positive AV detections on libc++.dll and other components.)