Submitted by Will Chen on
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Moves Windows code signing to a Forge `postMake` hook and removes the previous MakerSquirrel hook.
>
> - Adds `postMake` to iterate `makeResults` and sign Windows `.exe` artifacts via `signtool` using `SM_CODE_SIGNING_CERT_SHA1_HASH`
> - Introduces `signWindowsExecutable` and `SIGNTOOL_PATH` in `forge.config.ts`; logs and skips when env var is absent
> - Simplifies `MakerSquirrel` config (removes `windowsSign`) and deletes `scripts/windows-sign-hook.js`
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 50432058855cce4a688a4be81fb692e705c6db71. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

<!-- /CURSOR_SUMMARY -->

<!-- This is an auto-generated description by cubic. -->

## Summary by cubic

Moved Windows code signing to Electron Forge’s postMake hook and now sign all .exe artifacts (installer and Setup.exe) on win32 builds. This ensures consistent signing across architectures and removes the custom MakerSquirrel hook.

- **Refactors**
  - Sign Windows artifacts in postMake using DigiCert’s signtool bundled with electron-winstaller.
  - Removed MakerSquirrel windowsSign config and scripts/windows-sign-hook.js.
  - Signing runs only when SM_CODE_SIGNING_CERT_SHA1_HASH is set; otherwise it logs and skips.

<sup>Written for commit 50432058855cce4a688a4be81fb692e705c6db71. Summary will update automatically on new commits.</sup>

<!-- End of auto-generated description by cubic. -->

<!-- greptile_comment -->

<h3>Greptile Summary</h3>

Refactored Windows code signing from MakerSquirrel's `hookModulePath` approach to Electron Forge's `postMake` hook, consolidating signing logic directly in `forge.config.ts`.

**Key Changes:**
- Moved signing logic from `scripts/windows-sign-hook.js` to `postMake` hook in `forge.config.ts`
- Changed signing scope from only `dyad.exe` to all `.exe` files (Squirrel installer and Setup.exe)
- Removed cert hash redaction from logging that was present in the previous implementation
- Simplified to use TypeScript instead of CommonJS module

**Behavioral Changes:**
- The PR reverses commit 9107ec7c which specifically restricted signing to only `dyad.exe` to "avoid signing other files and prevent CI signing errors"
- Comment on line 138 indicates signing all `.exe` files is intentional, but this should be verified against the reasoning in the earlier commit

<h3>Confidence Score: 3/5</h3>

- This PR refactors code signing with a significant behavioral change that needs verification
- The refactoring itself is clean and consolidates signing logic appropriately, but it introduces two concerns: (1) expands signing from just `dyad.exe` to all `.exe` files, reversing a previous intentional restriction, and (2) removes cert hash redaction from logs. The intentionality of signing all executables should be confirmed.
- Verify `forge.config.ts` line 139 behavior matches intent - signing all .exe files vs only dyad.exe

<h3>Important Files Changed</h3>

| Filename | Overview |
|----------|----------|
| forge.config.ts | Moved Windows signing from MakerSquirrel hook to postMake hook, now signs all .exe files instead of just dyad.exe, removed cert hash redaction from logs |
| scripts/windows-sign-hook.js | Deleted file - signing logic moved to forge.config.ts postMake hook |

<h3>Sequence Diagram</h3>

```mermaid
sequenceDiagram
    participant Forge as Electron Forge
    participant PM as postMake Hook
    participant Sign as signWindowsExecutable()
    participant ST as signtool.exe
    participant DC as DigiCert Timestamp

    Forge->>Forge: Run makers (MakerSquirrel, etc)
    Forge->>PM: Call postMake with makeResults
    loop For each result in makeResults
        PM->>PM: Check if platform === "win32"
        alt Windows platform
            PM->>PM: Log "Processing Windows artifacts"
            loop For each artifact
                PM->>PM: Check if filename ends with .exe
                alt Is .exe file
                    PM->>Sign: signWindowsExecutable(artifact)
                    Sign->>Sign: Check SM_CODE_SIGNING_CERT_SHA1_HASH env var
                    alt Cert hash not set
                        Sign->>PM: Return (skip signing)
                    else Cert hash set
                        Sign->>Sign: Build signtool command with cert hash
                        Sign->>ST: execSync signtool.exe sign /sha1 [hash] [params] [file]
                        ST->>DC: Request timestamp from timestamp.digicert.com
                        DC->>ST: Return timestamp
                        alt Signing successful
                            ST->>Sign: Success
                            Sign->>PM: Log "Signing successful"
                        else Signing failed
                            ST->>Sign: Error
                            Sign->>PM: Throw error
                        end
                    end
                end
            end
        end
    end
    PM->>Forge: Return makeResults
```

<!-- greptile_other_comments_section -->

<!-- /greptile_comment -->
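
The two points the Greptile summary flags, signing scope and thumbprint redaction in logs, shown as an added TypeScript example that is not the project's `forge.config.ts`. `planSigning`, `redactHash`, the `allowList` parameter, the `MakeResult` shape and the sample paths are assumptions, and the `/tr`, `/td` and `/fd` arguments stand in for the diagram's unspecified `[params]`.

```typescript
// Added example; not the project's forge.config.ts. Types and names here are assumptions.
interface MakeResult { platform: string; arch: string; artifacts: string[] }
interface SignPlan { file: string; args: string[]; logLine: string }

const TIMESTAMP_URL = "http://timestamp.digicert.com"; // host named in the PR's diagram

// Mask all but the last four characters of the thumbprint for log output.
function redactHash(hash: string): string {
  return hash.slice(0, -4).replace(/./g, "*") + hash.slice(-4);
}

// Build one signtool argument vector per Windows .exe artifact.
// allowList (lower-case base names) narrows the scope, e.g. ["dyad.exe"].
function planSigning(
  results: MakeResult[],
  env: Record<string, string | undefined>,
  allowList?: string[]
): SignPlan[] {
  const hash = (env["SM_CODE_SIGNING_CERT_SHA1_HASH"] ?? "").trim();
  if (hash === "") return []; // unset: skip signing, as the PR describes
  if (!/^[0-9a-fA-F]{40}$/.test(hash)) {
    throw new Error("SM_CODE_SIGNING_CERT_SHA1_HASH is not a 40-hex-digit thumbprint");
  }
  const plans: SignPlan[] = [];
  for (const result of results) {
    if (result.platform !== "win32") continue;
    for (const file of result.artifacts) {
      const name = (file.split(/[\\/]/).pop() ?? "").toLowerCase();
      if (!/\.exe$/.test(name)) continue;
      if (allowList && allowList.indexOf(name) === -1) continue;
      // Array form is meant for execFileSync(signtoolPath, args): no shell parsing.
      const args = ["sign", "/sha1", hash, "/tr", TIMESTAMP_URL,
                    "/td", "SHA256", "/fd", "SHA256", file];
      const shown = args.map((a) => (a === hash ? redactHash(hash) : a));
      plans.push({ file, args, logLine: "signtool " + shown.join(" ") });
    }
  }
  return plans;
}

// Constructed sample input (paths and thumbprint are made up).
const SAMPLE_HASH = "0123456789abcdef0123456789abcdef01234567";
const SAMPLE_RESULTS: MakeResult[] = [
  { platform: "win32", arch: "x64", artifacts: [
    "out\\make\\squirrel.windows\\x64\\dyad-1.0.0 Setup.exe",
    "out\\make\\squirrel.windows\\x64\\dyad-1.0.0-full.nupkg",
    "out\\make\\squirrel.windows\\x64\\RELEASES" ] },
  { platform: "darwin", arch: "arm64", artifacts: ["out/make/dyad.dmg", "out/make/helper.exe"] },
];
```

Passing an `allowList` restores a narrower signing scope, and `logLine` is the only string meant to reach build logs.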