## What this is
## Summary (RU)
fix(win): Authenticode signing + Win10/Win11 smoke tests \[GH#266: closed, decision required\]
*Full translation of the body is in progress. The English original is below.*
---
# Original (EN)
## Objective
Add Windows Authenticode code-signing to the installer and validate on Win10 + Win11 via smoke tests.
## Source Links
* GitHub PR: [https://github.com/agisota/rox.one/pull/266](https://github.com/agisota/rox.one/pull/266) (CLOSED by agisota 2026-05-20T02:26Z — not merged)
* Branch: fix/multiplatform-win-authenticode
* Repo: [https://github.com/agisota/rox.one](https://github.com/agisota/rox.one)
## Current State
PR closed without merge. Win installers currently unsigned (beta warning shown). Decision pending: reopen, new PR, or drop scope.
## Requirements
* Functional: .exe installer signed with EV certificate; SmartScreen warning suppressed
* Non-functional: signing runs in CI; the certificate is stored in a GitHub Actions secret, never in the repo
## Specification
* electron-builder: win.certificateFile from CI secret WINDOWS_CERT
* CI: codesign step using osslsigncode or Azure Trusted Signing
* Smoke: Win10/Win11 VMs launch signed installer without SmartScreen block
## Acceptance Criteria
* Given signed installer, When run on Win10/Win11, Then no SmartScreen warning
* Given CI, When signing step runs, Then certificate sourced from secret only (never committed)
* Given unsigned build path, When non-signing CI runs, Then build succeeds with beta-warning flag
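One way the signing step and its unsigned fallback could look, as an added example that is not code from PR #266 or the ROX.ONE repo. It assumes `WINDOWS_CERT` holds a base64-encoded PKCS#12 bundle; `WINDOWS_CERT_PASSWORD`, `TIMESTAMP_URL` and the `.beta-warning` marker file are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example, not project code. Assumptions: WINDOWS_CERT is a
# base64-encoded PKCS#12 bundle; WINDOWS_CERT_PASSWORD, TIMESTAMP_URL and
# the "<installer>.beta-warning" marker file are hypothetical names.

# Pick the build path: "signed" when the secret is present, else "unsigned-beta".
signing_mode() {
  if [ -n "${WINDOWS_CERT:-}" ]; then echo signed; else echo unsigned-beta; fi
}

# Decode the secret into a temp file outside the checkout and print its path.
# mktemp creates the file with owner-only permissions (0600).
materialize_cert() {
  local f
  f="$(mktemp "${TMPDIR:-/tmp}/wincert.XXXXXX")" || return 1
  if ! printf '%s' "${WINDOWS_CERT:-}" | base64 -d > "$f" 2>/dev/null || [ ! -s "$f" ]; then
    rm -f "$f"   # malformed or empty secret: leave nothing behind
    return 1
  fi
  echo "$f"
}

# sign_installer IN OUT: sign when the secret exists, otherwise copy the
# installer unchanged and drop a marker so packaging shows the beta warning.
sign_installer() {
  local in="$1" out="$2" cert rc
  if [ "$(signing_mode)" = unsigned-beta ]; then
    cp "$in" "$out" && : > "$out.beta-warning"
    return
  fi
  cert="$(materialize_cert)" || { echo "WINDOWS_CERT is not valid base64" >&2; return 1; }
  osslsigncode sign -pkcs12 "$cert" -pass "${WINDOWS_CERT_PASSWORD:-}" \
    -h sha256 -ts "${TIMESTAMP_URL:-}" -in "$in" -out "$out"
  rc=$?
  rm -f "$cert"  # remove key material from the runner whether or not signing worked
  return "$rc"
}
```

Because the certificate only ever exists in a temp file outside the working tree, the trufflehog scan in the test plan has nothing to find even if a job is interrupted mid-build.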
## Test Plan
* Win10 VM smoke: install + launch
* Win11 VM smoke: install + launch
* Security: trufflehog scan confirms cert not in repo
## Expected Result
Windows users receive signed installer; trust chain established.
## Dependencies
* Requires: EV certificate procurement (external blocker)
* Parallel: PZD-11 (Linux packages), PZD-12 (NixOS)
## Implementation Plan (Next Steps)
1. Decide: reopen PR #266, create new PR, or defer to v1.2.0
2. Procure EV certificate if proceeding
3. Implement Azure Trusted Signing or osslsigncode in CI
4. Run Win10/Win11 smoke matrix
## Merge Plan
Not merged. Decision required before proceeding.
## Status / Priority / Estimate
Backlog | Low | M
## Verification Evidence
* PR #266 closed 2026-05-20T02:26Z by agisota — no merge commit
* Current state: unsigned Win beta builds
## Update Log
* 2026-05-20: PR #266 closed without merge. Moved to Backlog pending EV cert decision.
## Status
This is a task from the current ROX.ONE backlog (Linear). Current status in Linear: `Бэклог — Backlog`. Labels: none.
## 🔗 Linear
- [PZD-47](https://linear.app/kuhjie/issue/PZD-47/fixwin-podpisanie-authenticode-dymovye-testy-win10win11-gh266-zakryt) — backing ticket
- Parent epic: [PZD-119](https://linear.app/kuhjie/issue/PZD-119)