Building a Cost-Effective Windows Code Signing Pipeline: Sectigo + Google Cloud KMS on GitHub Actions

By Katsuyuki Sakai, via Dev.to

Overview

By combining a Sectigo code signing certificate with a Google Cloud KMS HSM, we built an environment that automatically signs Windows application binaries on GitHub Actions. By performing the signing operations on our own Google Cloud KMS, we avoid the per-signature usage-based billing burden and achieve a more flexible workflow. This article covers the background, architecture, and step-by-step setup instructions.

System Architecture of the Code Signing Environment on GitHub Actions

The signing environment built on the GitHub Actions Windows Runner is structured as shown below. The signing process with SignTool.exe is performed using the key stored on the HSM via the KMS CNG (Cryptography Next Generation) Provider supplied by Google. This allows the signing process to be executed securely without ever holding the private key on the GitHub Actions runner.

Why We Chose Sectigo's Code Signing Certificate

The reason is that it allows us to build a code signing environment without
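As an added illustration of the architecture described above (this is not code from the article or from Google's provider project), the following PowerShell step shows how a Windows runner can sign a binary with SignTool.exe through a CNG provider so that only the public certificate is present on the runner, then verify the result before the job proceeds. The provider name, key resource path, timestamp URL, file names and the KMS_KEY_VERSION environment variable are assumptions to be adapted to your own setup.

```powershell
# Added example: sign and verify a Windows binary on a GitHub Actions runner
# using a CNG provider that delegates the private-key operation to Cloud KMS.
# All paths, names and URLs below are assumptions, not values from the article.
param(
    [string]$Artifact  = "dist\MyApp.exe",              # binary to sign (assumed path)
    [string]$CertFile  = "sectigo-codesign.cer",        # public certificate only; no private key
    [string]$KmsKey    = $env:KMS_KEY_VERSION,          # projects/.../cryptoKeyVersions/N (assumed env var)
    [string]$Csp       = "Google Cloud KMS Provider",   # CNG provider name (assumed)
    [string]$Timestamp = "http://timestamp.sectigo.com" # RFC 3161 timestamp authority (assumed URL)
)
$ErrorActionPreference = "Stop"

# Fail early if the key reference is missing; otherwise signtool could silently
# fall back to searching local certificate stores instead of using the HSM.
if (-not $KmsKey) { throw "KMS_KEY_VERSION is not set" }

# Locate signtool.exe from the Windows SDK installed on the runner (newest version first).
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue |
    Sort-Object FullName -Descending | Select-Object -First 1
if (-not $signtool) { throw "signtool.exe not found on this runner" }

# Sign: /csp and /kc route the signature operation to the provider (and thus the HSM);
# /f supplies only the public certificate, /tr and /td add a SHA-256 RFC 3161 timestamp
# so the signature stays valid after the certificate expires.
& $signtool.FullName sign /fd SHA256 /tr $Timestamp /td SHA256 /csp $Csp /kc $KmsKey /f $CertFile $Artifact
if ($LASTEXITCODE -ne 0) { throw "signing failed (exit code $LASTEXITCODE)" }

# Verify with the default Authenticode policy (/pa) so a broken chain or missing
# timestamp fails the job rather than shipping an unverifiable binary.
& $signtool.FullName verify /pa /v $Artifact
if ($LASTEXITCODE -ne 0) { throw "verification failed (exit code $LASTEXITCODE)" }

# Record which certificate signed this build for the audit trail.
$sig = Get-AuthenticodeSignature -FilePath $Artifact
"Status={0} Signer={1} Thumbprint={2}" -f $sig.Status, $sig.SignerCertificate.Subject, $sig.SignerCertificate.Thumbprint
```

Because the runner only ever holds the .cer file and a key resource name, a compromised job can at most request signatures while it runs; restricting which workload identity may invoke the KMS key is what bounds that exposure.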

Continue reading on Dev.to
