Skip to content

Commit c3762a6

Browse files
committed
migrate to SignPath GitHub Action for signing
Replace PowerShell module-based signing with the official SignPath GitHub Action. Each executable now follows Upload → Sign → Verify pattern with fail-fast verification.
1 parent b418ada commit c3762a6

1 file changed

Lines changed: 98 additions & 54 deletions

File tree

.github/workflows/release.yml

Lines changed: 98 additions & 54 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,9 @@ on:
55

66
permissions:
77
contents: read
8+
actions: read # Required by SignPath action to read job details
9+
id-token: write # Optional: For OIDC authentication (future enhancement)
10+
attestations: write # Optional: For build provenance attestations (future enhancement)
811

912
jobs:
1013
build:
@@ -71,67 +74,108 @@ jobs:
7174
--self-contained `
7275
/p:DebugType=embedded
7376
74-
# Install SignPath PowerShell module
75-
- name: Install SignPath Module
76-
shell: pwsh
77-
run: Install-Module -Name SignPath -Force -Scope CurrentUser
77+
# Sign the executables using SignPath GitHub Action
78+
# Main App Signing: Upload → Sign → Verify
79+
- name: Upload Unsigned Main App for Signing
80+
id: upload-main-app
81+
uses: actions/upload-artifact@v4
82+
with:
83+
name: unsigned-main-app
84+
path: publish\app\Wabbajack.exe
85+
retention-days: 1
7886

79-
# Sign the executables using SignPath PowerShell module
80-
- name: Sign Wabbajack.exe (Main App)
81-
shell: pwsh
82-
env:
83-
SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_KEY }}
84-
SIGNPATH_ORG_ID: ${{ secrets.SIGNPATH_ORG_ID }}
85-
run: |
86-
Submit-SigningRequest `
87-
-InputArtifactPath "publish\app\Wabbajack.exe" `
88-
-ApiToken $env:SIGNPATH_API_TOKEN `
89-
-OrganizationId $env:SIGNPATH_ORG_ID `
90-
-ProjectSlug "wabbajack" `
91-
-SigningPolicySlug "test-signing" `
92-
-OutputArtifactPath "publish\app\Wabbajack.exe" `
93-
-WaitForCompletion `
94-
-Force
95-
96-
- name: Sign wabbajack-cli.exe
87+
- name: Sign Main App with SignPath
88+
id: sign-main-app
89+
uses: signpath/github-action-submit-signing-request@v2
90+
with:
91+
api-token: ${{ secrets.SIGNPATH_API_KEY }}
92+
organization-id: ${{ secrets.SIGNPATH_ORG_ID }}
93+
project-slug: wabbajack
94+
signing-policy-slug: test-signing
95+
artifact-configuration-slug: default
96+
github-artifact-id: ${{ steps.upload-main-app.outputs.artifact-id }}
97+
wait-for-completion: true
98+
wait-for-completion-timeout-in-seconds: 600
99+
output-artifact-directory: publish\app
100+
101+
- name: Verify Main App Signature
97102
shell: pwsh
98-
env:
99-
SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_KEY }}
100-
SIGNPATH_ORG_ID: ${{ secrets.SIGNPATH_ORG_ID }}
101103
run: |
102-
Submit-SigningRequest `
103-
-InputArtifactPath "publish\app\cli\wabbajack-cli.exe" `
104-
-ApiToken $env:SIGNPATH_API_TOKEN `
105-
-OrganizationId $env:SIGNPATH_ORG_ID `
106-
-ProjectSlug "wabbajack" `
107-
-SigningPolicySlug "test-signing" `
108-
-OutputArtifactPath "publish\app\cli\wabbajack-cli.exe" `
109-
-WaitForCompletion `
110-
-Force
111-
112-
- name: Sign Wabbajack.exe (Launcher)
104+
Write-Host "Verifying Main App signature..."
105+
$sig = Get-AuthenticodeSignature "publish\app\Wabbajack.exe"
106+
if ($sig.Status -ne 'Valid') {
107+
Write-Error "Main App signature verification failed: $($sig.Status)"
108+
exit 1
109+
}
110+
$sig | Format-List
111+
112+
# CLI Signing: Upload → Sign → Verify
113+
- name: Upload Unsigned CLI for Signing
114+
id: upload-cli
115+
uses: actions/upload-artifact@v4
116+
with:
117+
name: unsigned-cli
118+
path: publish\app\cli\wabbajack-cli.exe
119+
retention-days: 1
120+
121+
- name: Sign CLI with SignPath
122+
id: sign-cli
123+
uses: signpath/github-action-submit-signing-request@v2
124+
with:
125+
api-token: ${{ secrets.SIGNPATH_API_KEY }}
126+
organization-id: ${{ secrets.SIGNPATH_ORG_ID }}
127+
project-slug: wabbajack
128+
signing-policy-slug: test-signing
129+
artifact-configuration-slug: default
130+
github-artifact-id: ${{ steps.upload-cli.outputs.artifact-id }}
131+
wait-for-completion: true
132+
wait-for-completion-timeout-in-seconds: 600
133+
output-artifact-directory: publish\app\cli
134+
135+
- name: Verify CLI Signature
113136
shell: pwsh
114-
env:
115-
SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_KEY }}
116-
SIGNPATH_ORG_ID: ${{ secrets.SIGNPATH_ORG_ID }}
117137
run: |
118-
Submit-SigningRequest `
119-
-InputArtifactPath "publish\launcher\Wabbajack.exe" `
120-
-ApiToken $env:SIGNPATH_API_TOKEN `
121-
-OrganizationId $env:SIGNPATH_ORG_ID `
122-
-ProjectSlug "wabbajack" `
123-
-SigningPolicySlug "test-signing" `
124-
-OutputArtifactPath "publish\launcher\Wabbajack.exe" `
125-
-WaitForCompletion `
126-
-Force
127-
128-
- name: Verify Signatures
138+
Write-Host "Verifying CLI signature..."
139+
$sig = Get-AuthenticodeSignature "publish\app\cli\wabbajack-cli.exe"
140+
if ($sig.Status -ne 'Valid') {
141+
Write-Error "CLI signature verification failed: $($sig.Status)"
142+
exit 1
143+
}
144+
$sig | Format-List
145+
146+
# Launcher Signing: Upload → Sign → Verify
147+
- name: Upload Unsigned Launcher for Signing
148+
id: upload-launcher
149+
uses: actions/upload-artifact@v4
150+
with:
151+
name: unsigned-launcher
152+
path: publish\launcher\Wabbajack.exe
153+
retention-days: 1
154+
155+
- name: Sign Launcher with SignPath
156+
id: sign-launcher
157+
uses: signpath/github-action-submit-signing-request@v2
158+
with:
159+
api-token: ${{ secrets.SIGNPATH_API_KEY }}
160+
organization-id: ${{ secrets.SIGNPATH_ORG_ID }}
161+
project-slug: wabbajack
162+
signing-policy-slug: test-signing
163+
artifact-configuration-slug: default
164+
github-artifact-id: ${{ steps.upload-launcher.outputs.artifact-id }}
165+
wait-for-completion: true
166+
wait-for-completion-timeout-in-seconds: 600
167+
output-artifact-directory: publish\launcher
168+
169+
- name: Verify Launcher Signature
129170
shell: pwsh
130171
run: |
131-
Write-Host "Checking signatures..."
132-
Get-AuthenticodeSignature "publish\app\Wabbajack.exe" | Format-List
133-
Get-AuthenticodeSignature "publish\app\cli\wabbajack-cli.exe" | Format-List
134-
Get-AuthenticodeSignature "publish\launcher\Wabbajack.exe" | Format-List
172+
Write-Host "Verifying Launcher signature..."
173+
$sig = Get-AuthenticodeSignature "publish\launcher\Wabbajack.exe"
174+
if ($sig.Status -ne 'Valid') {
175+
Write-Error "Launcher signature verification failed: $($sig.Status)"
176+
exit 1
177+
}
178+
$sig | Format-List
135179
136180
- name: Create App ZIP
137181
run: |

0 commit comments

Comments
 (0)