Sign with SignPath

ge0rdi · ge0rdi · commit b10eaa4d7d75 · 2026-05-31T09:31:43.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -60,6 +60,7 @@ jobs:
         run: Src\Setup\BuildBinaries.bat
 
       - name: Upload binaries
+        id: upload-binaries
         uses: actions/upload-artifact@v7
         with:
           name: Binaries
@@ -69,33 +70,79 @@ jobs:
             !Src/Setup/Output/*.skin7
             !Src/Setup/Output/*.zip
 
+      - name: Sign binaries with SignPath
+        uses: signpath/github-action-submit-signing-request@v2
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: 'b34b60e3-e5bf-4a6e-a13c-dcf641b4362c'
+          project-slug: 'Open-Shell-Menu'
+          signing-policy-slug: 'test-signing'
+          artifact-configuration-slug: 'Binaries'
+          github-artifact-id: '${{ steps.upload-binaries.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'Src/Setup/Output/'
+
       - name: Build installers
         shell: cmd
         env:
           CS_VERSION: ${{ steps.versioning.outputs.NEW_VERSION }}
         run: Src\Setup\_BuildEnglish.bat
 
       - name: Upload installers
+        id: upload-installers
         uses: actions/upload-artifact@v7
         with:
           name: MSI
           path: |
             Src/Setup/Temp/*.msi
 
+      - name: Sign installers with SignPath
+        uses: signpath/github-action-submit-signing-request@v2
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: 'b34b60e3-e5bf-4a6e-a13c-dcf641b4362c'
+          project-slug: 'Open-Shell-Menu'
+          signing-policy-slug: 'test-signing'
+          artifact-configuration-slug: 'Installers'
+          github-artifact-id: '${{ steps.upload-installers.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'Src/Setup/Temp/'
+
       - name: Build final
         shell: cmd
         env:
           CS_VERSION: ${{ steps.versioning.outputs.NEW_VERSION }}
         run: Src\Setup\BuildArchives.bat
 
       - name: Upload final
+        id: upload-final
         uses: actions/upload-artifact@v7
         with:
           name: Final
           path: |
             Src/Setup/Final/
             !Src/Setup/Final/OpenShellLoc.zip
 
+      - name: Sign final artifacts with SignPath
+        uses: signpath/github-action-submit-signing-request@v2
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: 'b34b60e3-e5bf-4a6e-a13c-dcf641b4362c'
+          project-slug: 'Open-Shell-Menu'
+          signing-policy-slug: 'test-signing'
+          artifact-configuration-slug: 'Final'
+          github-artifact-id: '${{ steps.upload-final.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'Src/Setup/Final/'
+
+      - name: Upload final (signed)
+        uses: actions/upload-artifact@v7
+        with:
+          name: Final-signed
+          path: |
+            Src/Setup/Final/
+            !Src/Setup/Final/OpenShellLoc.zip
+
   release:
     if: github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/master' # Only manual master builds
     needs: build
