    Switch Windows code signing to Azure Trusted Signing (#2429) · 847f3d4f
    Will Chen committed on
    #skip-bb
    
    ## Summary
    - Replace DigiCert SSM-based code signing with Azure Trusted Signing for
    Windows builds
    - Add new `windowsSign.ts` configuration for Azure signing parameters
    - Update release workflow to install Azure Trusted Signing CLI and
    create metadata file
    - Version bump to 0.36.0-beta.1 for testing the new signing workflow
    
    ## Test plan
    - [ ] Trigger a release build and verify Windows binaries are signed
    correctly
    - [ ] Verify the signed executable passes Windows SmartScreen
    verification
    
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    
    <!-- This is an auto-generated description by cubic. -->
    ---
    ## Summary by cubic
    Switches Windows code signing from DigiCert SSM to Azure Trusted Signing
    to simplify CI and reduce secret handling. Updates Forge config and
    release workflow; bumps version to 0.36.0-beta.1 for testing.
    
    - **Refactors**
      - Added windowsSign.ts with Azure sign params (dlib + metadata),
        SHA-256, and timestamp server.
      - Wired windowsSign into Electron Forge packager and MakerSquirrel.
      - Release workflow installs Azure Trusted Signing via winget and writes
        signing-metadata.json; removes DigiCert SSM steps.

    - **Migration**
      - Add AZURE_CODE_SIGNING_DLIB, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and
        AZURE_TENANT_ID as CI secrets. The workflow sets AZURE_METADATA_JSON
        automatically.
      - Run a release build and verify the signed EXE passes SmartScreen.
    
    <sup>Written for commit 0d5b4d58940b59300796ea18e8c403bfcc25b30d.
    Summary will update on new commits.</sup>
    
    <!-- End of auto-generated description by cubic. -->
    
    ---------
    Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
windowsSign.ts 483 Bytes