Sign windows build with signpath.io

lovasoa · lovasoa · commit e80fcc48c45f · 2025-08-12T10:12:51.000+02:00
Thanks to signpath.io for providing us with a free windows signing certificate !

- Added permissions for actions read access.
- Implemented unsigned artifact upload for Windows.
- Integrated SignPath for signing requests and added signed artifact upload.
- Updated non-Windows artifact upload process.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ name: Create Release
 
 permissions:
   contents: write
+  actions: read
 
 jobs:
   build-macos-windows:
@@ -35,7 +36,39 @@ jobs:
         uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
       - name: Build
         run: cargo build --profile superoptimized --locked --target ${{ matrix.target }}
-      - uses: actions/upload-artifact@v4
+      - name: Upload unsigned Windows artifact
+        if: matrix.os == 'windows-latest'
+        id: upload_unsigned
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-windows
+          path: target/${{ matrix.target }}/superoptimized/sqlpage.exe
+          if-no-files-found: error
+
+      - name: Submit signing request to SignPath
+        if: matrix.os == 'windows-latest'
+        id: signpath
+        uses: signpath/github-action-submit-signing-request@v1.1
+        with:
+          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+          organization-id: '45fd8443-c7ca-4d29-a68b-608948185335'
+          project-slug: 'sqlpage'
+          signing-policy-slug: 'test-signing'
+          github-artifact-id: ${{ steps.upload_unsigned.outputs.artifact-id }}
+          wait-for-completion: true
+          output-artifact-directory: './signed-windows'
+
+      - name: Upload signed Windows artifact
+        if: matrix.os == 'windows-latest'
+        uses: actions/upload-artifact@v4
+        with:
+          name: sqlpage windows-latest
+          path: signed-windows/sqlpage.exe
+          if-no-files-found: error
+
+      - name: Upload artifact (non-Windows)
+        if: matrix.os != 'windows-latest'
+        uses: actions/upload-artifact@v4
         with:
           name: sqlpage ${{ matrix.os }}
           path: target/${{ matrix.target }}/superoptimized/sqlpage${{ matrix.binary_extension }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG.md
 
+## unreleased
+ - We now cryptographically sign the Windows app during releases, which proves the file hasn’t been tampered with. Once the production certificate is active, Windows will show a "verified publisher" and should stop showing screens saying "This app might harm your device", "Windows protected your PC" or "Are you sure you want to run this application ?". 
+   - Thanks to https://signpath.io for providing us with a windows signing certificate !
+
 ## v0.36.1
  - Fix regression introduced in v0.36.0: PostgreSQL money values showed as 0.0
    - The recommended way to display money values in postgres is still to format them in the way you expect in SQL. See https://github.com/sqlpage/SQLPage/issues/983
