From 691ff11fbccefad10509012c95439ac0b2eadda0 Mon Sep 17 00:00:00 2001 From: WerWolv Date: Tue, 2 Sep 2025 18:24:48 +0200 Subject: [PATCH] git: Added Windows code signing --- .github/workflows/build.yml | 22 +++++++++++++++ .github/workflows/nightly_release.yml | 39 +++++++++++++++++++++++++++ .github/workflows/release.yml | 39 +++++++++++++++++++++++++++ 3 files changed, 100 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 49287b1af..40dfd5c18 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -166,6 +166,7 @@ jobs: - name: ⬆️ Upload Windows Installer uses: actions/upload-artifact@v4 + id: upload-installer with: if-no-files-found: error name: Windows Installer ${{ matrix.architecture_name }} @@ -199,6 +200,27 @@ jobs: path: | build/install/* + - name: 🗝️ Test-Sign Installer + uses: signpath/github-action-submit-signing-request@v1 + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33' + project-slug: 'ImHex' + signing-policy-slug: 'test-signing' + github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' + wait-for-completion: true + output-artifact-directory: './signed' + parameters: | + version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name }-${{ github.sha }}-${{ github.run_number }} + + - name: ⬆️ Upload NoGPU Portable ZIP + uses: actions/upload-artifact@v4 + with: + if-no-files-found: error + name: Windows Installer ${{ matrix.architecture_name }} (Signed) + path: | + signed/* + win_msvc: strategy: fail-fast: false diff --git a/.github/workflows/nightly_release.yml b/.github/workflows/nightly_release.yml index 03ec9c512..a3df6d80d 100644 --- a/.github/workflows/nightly_release.yml +++ b/.github/workflows/nightly_release.yml 
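Review bot: In the `parameters` block of the Test-Sign Installer step, `${ matrix.architecture_name }` is missing the second pair of braces, so GitHub will not expand it and the literal text ends up in the version string sent with the signing request; it should read `version: ${{ env.IMHEX_VERSION }}-${{ matrix.architecture_name }}-${{ github.sha }}-${{ github.run_number }}`. The same typo is in the Sign Installer steps added to nightly_release.yml and release.yml. All three steps also reference `signpath/github-action-submit-signing-request@v1` by a mutable tag while handing it `SIGNPATH_API_TOKEN`; release.yml already pins softprops/action-gh-release to a commit SHA, and pinning this action the same way (`@<full-commit-sha> # v1`) keeps a retagged release from running with the signing token. The step that uploads `signed/*` is named `⬆️ Upload NoGPU Portable ZIP`, which looks like a copy-paste leftover; `⬆️ Upload Signed Windows Installer` would match what it does. If build.yml also runs for pull requests from forks (the triggers are outside the hunk), the secret is empty there and this step would fail the job unless it gets an `if:` guard on the event.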
@@ -82,6 +82,45 @@ jobs: git fetch --tags --recurse-submodules=no git log nightly..origin/master --oneline --no-merges --pretty=format:'* %s' >> changelog.md + - name: ⬆️ Upload Unsigned x86_64 Windows Installer + if: false + uses: actions/upload-artifact@v4 + id: upload-installer-x86_64 + with: + if-no-files-found: error + name: Windows Installer ${{ matrix.architecture_name }} + path: | + imhex-*-x86_64.msi + + - name: ⬆️ Upload Unsigned ARM64 Windows Installer + if: false + uses: actions/upload-artifact@v4 + id: upload-installer-arm64 + with: + if-no-files-found: error + name: Windows Installer ${{ matrix.architecture_name }} + path: | + imhex-*-arm64.msi + + - name: 🗑️ Delete unsigned installers + if: false + run: | + rm imhex-*.msi + + - name: 🗝️ Sign Installer + if: false + uses: signpath/github-action-submit-signing-request@v1 + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33' + project-slug: 'ImHex' + signing-policy-slug: 'release-signing' + github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' + wait-for-completion: true + output-artifact-directory: '.' + parameters: | + version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name }-${{ github.sha }}-${{ github.run_number }} + - name: 📦 Update Pre-Release if: ${{ steps.check_commits.outputs.should_run == 'true' }} run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8fb4dd0ae..eff25cf08 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
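Review bot: The Sign Installer step reads `steps.upload-installer.outputs.artifact-id`, but the two upload steps added above it have the ids `upload-installer-x86_64` and `upload-installer-arm64`, so the expression resolves to an empty string once the `if: false` guards are removed. Because the unsigned MSIs are deleted just before, an empty or failed signing request would fail the job or leave the release without Windows installers; one signing step per architecture, with for example `github-artifact-id: '${{ steps.upload-installer-x86_64.outputs.artifact-id }}'`, avoids that. Both upload steps also use `name: Windows Installer ${{ matrix.architecture_name }}`; if this job has no matrix (not visible in the hunk) the two names are identical and upload-artifact@v4 rejects the second upload. The release.yml hunk has the same two issues.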
@@ -121,6 +121,45 @@ jobs: mv "ImHex Web.zip" imhex-${{ env.IMHEX_VERSION }}-Web.zip rm artifact.tar || true + - name: ⬆️ Upload Unsigned x86_64 Windows Installer + if: false + uses: actions/upload-artifact@v4 + id: upload-installer-x86_64 + with: + if-no-files-found: error + name: Windows Installer ${{ matrix.architecture_name }} + path: | + imhex-*-x86_64.msi + + - name: ⬆️ Upload Unsigned ARM64 Windows Installer + if: false + uses: actions/upload-artifact@v4 + id: upload-installer-arm64 + with: + if-no-files-found: error + name: Windows Installer ${{ matrix.architecture_name }} + path: | + imhex-*-arm64.msi + + - name: 🗑️ Delete unsigned installers + if: false + run: | + rm imhex-*.msi + + - name: 🗝️ Sign Installer + if: false + uses: signpath/github-action-submit-signing-request@v1 + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33' + project-slug: 'ImHex' + signing-policy-slug: 'release-signing' + github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' + wait-for-completion: true + output-artifact-directory: '.' + parameters: | + version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name } + - name: ⬆️ Upload everything to release uses: softprops/action-gh-release@4634c16e79c963813287e889244c50009e7f0981 with:
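Review bot: The release-signing request here authenticates with the same `SIGNPATH_API_TOKEN` secret that build.yml uses for test-signing, so any workflow run that can read the secret can ask for a release signature, unless the SignPath policy itself restricts who or which branch may submit (not visible from this patch). Consider a separate token for release signing, stored in a protected GitHub environment that only this job uses. A short comment above the `if: false` lines stating what has to be in place before they are enabled would also help. The `version` parameter here omits `${{ github.sha }}` and `${{ github.run_number }}`, unlike the other two workflows; if that is intentional for tagged releases, a one-line comment would say so.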