Code sign GitLab Runner Windows executables

Overview

The Windows multirunner executables, that are available here are not digitally signed. Because of that Windows does not trust them and can block them when downloaded by Internet Explorer or Edge.

Windows executables downloaded from Internet should be always signed.

Proposal

Buy a certificate from a trusted CA such as https://www.digicert.com/code-signing/ which was suggested in #2483 (comment 31521028). At the moment GitLab.com seems to be using a certificate from Sectigo which they also offer a code signing product https://sectigo.com/signing-certificates/code-signing
Use SignTool to sign the certificates

For development and testing we can use a tool such as MakeCert and Cert2SPC for development and testing before buying the actual cert

Edited Jul 10, 2020 by Darren Eastman