To compile the PowerShell script into an EXE
Run PowerShell as administrator, then run:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Import-Module PS2EXE
ps2exe -inputfile 'YourScript.ps1' -outputfile 'YourScript.exe'
To add an icon
ps2exe -inputfile 'YourScript.ps1' -outputfile 'YourScript.exe' -iconfile 'YourIcon.ico'
To run as a GUI (no console)
ps2exe -inputfile 'YourScript.ps1' -outputfile 'YourScript.exe' -noConsole
To sign the binary, I followed the steps in the following docs:
* [[https://melatonin.dev/blog/code-signing-on-windows-with-azure-trusted-signing/]]
* [[https://github.com/koaladsp/KoalaDocs/blob/master/azure-code-signing-for-plugin-developers.md#232-preparing-signtoolexe]]
Signing Command once everything is set up:
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" sign /v /debug /fd SHA256 /tr "http://timestamp.acs.microsoft.com" /td SHA256 /dlib "C:\Users\PRIPYAT\Desktop\Sign\Microsoft.Trusted.Signing.Client.1.0.60\bin\x64\Azure.CodeSigning.Dlib.dll" /dmdf "U:\Ken\Embrient\GMS\ESP32C3 Firmware GMS\Holycrapitworks_ST7565_LOX_ESP32C3_copy_20241201\build\esp32.esp32.XIAO_ESP32C3\metadata.json" FlashGMS.exe
The key is to get the following metadata correct and to log into Azure with the correct credentials.
metadata.json
{
"Endpoint": "https://eus.codesigning.azure.net/",
"CodeSigningAccountName": "Embrient",
"CertificateProfileName": "EmbrientPT"
}
The CodeSigningAccountName is the TrustedSigningAccount in the Azure Dashboard
{{:codesigningaccountname.png?600|}}
The CertificateProfileName is the relevant entry in your CertificateProfile
{{:certificateprofile.png?600|}}
To set up the Azure CLI environment for signing, from PowerShell run:
az login
e.g.
PS C:\WINDOWS\system32> az login
Select the account you want to log in with. For more information on login with Azure CLI, see https://go.microsoft.com/fwlink/?linkid=2271136
Retrieving tenants and subscriptions for the selection...
[Tenant and subscription selection]
No Subscription name Subscription ID Tenant
----- --------------------- ------------------------------------ -----------------
[1] * Azure subscription 1 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Default Directory
[2] Code Signing Embrient xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Default Directory
The default is marked with an *; the default tenant is 'Default Directory' and subscription is 'Azure subscription 1' (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
Select a subscription and tenant (Type a number or Enter for no changes):
Next, set up the tenant for code signing via the following commands:
az ad sp create --id cf2ab426-f71a-4b61-bb8a-9e505b85bc2e
az ad app permission grant --id cf2ab426-f71a-4b61-bb8a-9e505b85bc2e --api 00000003-0000-0000-c000-000000000000 --scope User.Read
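The build, sign and verify sequence as one PowerShell script, an added example that is not part of the original note. It assumes the signtool.exe and Azure.CodeSigning.Dlib.dll paths from the signing command above and a metadata.json next to the script, and adds a Get-AuthenticodeSignature check of the result that the note itself does not include.

```powershell
# Added example: compile, sign and verify in one run. The tool paths are assumptions
# copied from the note above; adjust $SignTool and $Dlib to your SDK / client versions.
param(
    [string]$Script   = 'YourScript.ps1',
    [string]$Exe      = 'YourScript.exe',
    [string]$Metadata = '.\metadata.json',
    [string]$SignTool = 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe',
    [string]$Dlib     = 'C:\Users\PRIPYAT\Desktop\Sign\Microsoft.Trusted.Signing.Client.1.0.60\bin\x64\Azure.CodeSigning.Dlib.dll'
)

# 1. Make sure an Azure CLI session exists; az login prompts interactively if not.
#    (Done before switching to 'Stop' so az's stderr output cannot abort the script.)
az account show --output none 2>$null
if ($LASTEXITCODE -ne 0) { az login | Out-Null }
$ErrorActionPreference = 'Stop'

# 2. Sanity-check metadata.json before touching the signing service: the three
#    keys the note lists must all be present and non-empty.
$meta = Get-Content $Metadata -Raw | ConvertFrom-Json
foreach ($k in 'Endpoint', 'CodeSigningAccountName', 'CertificateProfileName') {
    if ([string]::IsNullOrWhiteSpace($meta.$k)) { throw "metadata.json is missing '$k'" }
}

# 3. Compile the script to an EXE (same ps2exe call as in the note).
Import-Module PS2EXE
ps2exe -inputfile $Script -outputfile $Exe

# 4. Sign with Azure Trusted Signing. The RFC 3161 timestamp (/tr, /td) keeps the
#    signature valid after the short-lived Trusted Signing certificate expires.
& $SignTool sign /fd SHA256 /tr 'http://timestamp.acs.microsoft.com' /td SHA256 `
    /dlib $Dlib /dmdf (Resolve-Path $Metadata).Path $Exe
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 5. Verify the result: the status must be Valid, and the signer subject and the
#    timestamp authority are printed so they can be checked against expectations.
$sig = Get-AuthenticodeSignature $Exe
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
"Signed OK by : $($sig.SignerCertificate.Subject)"
"Timestamped by: $($sig.TimeStamperCertificate.Subject)"
```

Run it from the folder containing the script and metadata.json; a non-Valid status after signing usually means the Trusted Signing root is not yet in the local root store or the timestamp request failed.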