From 691ff11fbccefad10509012c95439ac0b2eadda0 Mon Sep 17 00:00:00 2001 From: WerWolv Date: Tue, 2 Sep 2025 18:24:48 +0200 Subject: [PATCH 1/4] git: Added Windows code signing --- .github/workflows/build.yml | 22 +++++++++++++++ .github/workflows/nightly_release.yml | 39 +++++++++++++++++++++++++++ .github/workflows/release.yml | 39 +++++++++++++++++++++++++++ 3 files changed, 100 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 49287b1af..40dfd5c18 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -166,6 +166,7 @@ jobs: - name: ⬆️ Upload Windows Installer uses: actions/upload-artifact@v4 + id: upload-installer with: if-no-files-found: error name: Windows Installer ${{ matrix.architecture_name }} @@ -199,6 +200,27 @@ jobs: path: | build/install/* + - name: 🗝️ Test-Sign Installer + uses: signpath/github-action-submit-signing-request@v1 + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33' + project-slug: 'ImHex' + signing-policy-slug: 'test-signing' + github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' + wait-for-completion: true + output-artifact-directory: './signed' + parameters: | + version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name }-${{ github.sha }}-${{ github.run_number }} + + - name: ⬆️ Upload NoGPU Portable ZIP + uses: actions/upload-artifact@v4 + with: + if-no-files-found: error + name: Windows Installer ${{ matrix.architecture_name }} (Signed) + path: | + signed/* + win_msvc: strategy: fail-fast: false diff --git a/.github/workflows/nightly_release.yml b/.github/workflows/nightly_release.yml index 03ec9c512..a3df6d80d 100644 --- a/.github/workflows/nightly_release.yml +++ b/.github/workflows/nightly_release.yml 
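Review bot: The `uses: signpath/github-action-submit-signing-request@v1` line in the new Test-Sign Installer step of build.yml references a movable tag while the step passes `secrets.SIGNPATH_API_TOKEN` to it, so whatever commit `v1` points to at run time receives the signing credential. release.yml already pins `softprops/action-gh-release` to a full commit SHA, and the same form fits here: `uses: signpath/github-action-submit-signing-request@<full-commit-sha> # v1` (placeholder; take the SHA from the action's tagged release). The same line appears in the Sign Installer steps this patch adds to nightly_release.yml and release.yml, and in the two release-signing steps of patch 4/4. The steps list continues outside the hunk.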
@@ -82,6 +82,45 @@ jobs: git fetch --tags --recurse-submodules=no git log nightly..origin/master --oneline --no-merges --pretty=format:'* %s' >> changelog.md + - name: ⬆️ Upload Unsigned x86_64 Windows Installer + if: false + uses: actions/upload-artifact@v4 + id: upload-installer-x86_64 + with: + if-no-files-found: error + name: Windows Installer ${{ matrix.architecture_name }} + path: | + imhex-*-x86_64.msi + + - name: ⬆️ Upload Unsigned ARM64 Windows Installer + if: false + uses: actions/upload-artifact@v4 + id: upload-installer-arm64 + with: + if-no-files-found: error + name: Windows Installer ${{ matrix.architecture_name }} + path: | + imhex-*-arm64.msi + + - name: 🗑️ Delete unsigned installers + if: false + run: | + rm imhex-*.msi + + - name: 🗝️ Sign Installer + if: false + uses: signpath/github-action-submit-signing-request@v1 + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33' + project-slug: 'ImHex' + signing-policy-slug: 'release-signing' + github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' + wait-for-completion: true + output-artifact-directory: '.' + parameters: | + version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name }-${{ github.sha }}-${{ github.run_number }} + - name: 📦 Update Pre-Release if: ${{ steps.check_commits.outputs.should_run == 'true' }} run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8fb4dd0ae..eff25cf08 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
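Review bot: In the Sign Installer step added to nightly_release.yml, `github-artifact-id` reads `steps.upload-installer.outputs.artifact-id`, but the upload steps in this hunk have the ids `upload-installer-x86_64` and `upload-installer-arm64`, and no step with the id `upload-installer` is visible. The steps are disabled with `if: false`, so nothing fails today; once enabled, the expression would presumably evaluate to an empty string and the signing request would have no artifact to sign. Patch 4/4 corrects this in release.yml only, so nightly_release.yml keeps the stale reference. I would either split the step per architecture here as well, using `'${{ steps.upload-installer-x86_64.outputs.artifact-id }}'` and `'${{ steps.upload-installer-arm64.outputs.artifact-id }}'`, or put `# TODO: references a step id that does not exist; see release.yml` above the `if: false` line.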
@@ -121,6 +121,45 @@ jobs: mv "ImHex Web.zip" imhex-${{ env.IMHEX_VERSION }}-Web.zip rm artifact.tar || true + - name: ⬆️ Upload Unsigned x86_64 Windows Installer + if: false + uses: actions/upload-artifact@v4 + id: upload-installer-x86_64 + with: + if-no-files-found: error + name: Windows Installer ${{ matrix.architecture_name }} + path: | + imhex-*-x86_64.msi + + - name: ⬆️ Upload Unsigned ARM64 Windows Installer + if: false + uses: actions/upload-artifact@v4 + id: upload-installer-arm64 + with: + if-no-files-found: error + name: Windows Installer ${{ matrix.architecture_name }} + path: | + imhex-*-arm64.msi + + - name: 🗑️ Delete unsigned installers + if: false + run: | + rm imhex-*.msi + + - name: 🗝️ Sign Installer + if: false + uses: signpath/github-action-submit-signing-request@v1 + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33' + project-slug: 'ImHex' + signing-policy-slug: 'release-signing' + github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' + wait-for-completion: true + output-artifact-directory: '.' + parameters: | + version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name } + - name: ⬆️ Upload everything to release uses: softprops/action-gh-release@4634c16e79c963813287e889244c50009e7f0981 with: From 4bda321e7a82bed6a126806890e23878b4c2da6b Mon Sep 17 00:00:00 2001 From: WerWolv Date: Tue, 2 Sep 2025 18:34:39 +0200 Subject: [PATCH 2/4] git: Fix version string --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 40dfd5c18..6b896e204 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
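Review bot: Both upload steps added to release.yml use the same artifact name, `Windows Installer ${{ matrix.architecture_name }}`, and as far as I know `actions/upload-artifact@v4` refuses a second upload under a name that already exists in the run. Whether this job defines a matrix is not visible in the hunk; if it does not, the expression is empty and the two names are identical, and if it does, they are still identical within one matrix leg. Naming them explicitly avoids the collision and makes it clear which artifact is submitted for signing: `name: Windows Installer x86_64 (Unsigned)` and `name: Windows Installer arm64 (Unsigned)`. The nightly_release.yml hunk in this patch has the same pair of steps. This starts to matter with patch 4/4, which removes `if: false` from the release.yml steps.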
@@ -211,9 +211,9 @@ jobs: wait-for-completion: true output-artifact-directory: './signed' parameters: | - version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name }-${{ github.sha }}-${{ github.run_number }} + version: ${{ env.IMHEX_VERSION }}-${{ matrix.architecture_name }}-${{ github.sha }}-${{ github.run_number }} - - name: ⬆️ Upload NoGPU Portable ZIP + - name: ⬆️ Upload Signed Windows Installer uses: actions/upload-artifact@v4 with: if-no-files-found: error From 47b1c603b373833296c94871a881c096f73ce88c Mon Sep 17 00:00:00 2001 From: WerWolv Date: Tue, 2 Sep 2025 19:26:47 +0200 Subject: [PATCH 3/4] git: Remove signpath parameters --- .github/workflows/build.yml | 2 -- .github/workflows/nightly_release.yml | 2 -- .github/workflows/release.yml | 2 -- 3 files changed, 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6b896e204..e280e2554 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -210,8 +210,6 @@ jobs: github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' wait-for-completion: true output-artifact-directory: './signed' - parameters: | - version: ${{ env.IMHEX_VERSION }}-${{ matrix.architecture_name }}-${{ github.sha }}-${{ github.run_number }} - name: ⬆️ Upload Signed Windows Installer uses: actions/upload-artifact@v4 diff --git a/.github/workflows/nightly_release.yml b/.github/workflows/nightly_release.yml index a3df6d80d..93de9b9fc 100644 --- a/.github/workflows/nightly_release.yml +++ b/.github/workflows/nightly_release.yml @@ -118,8 +118,6 @@ jobs: github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' wait-for-completion: true output-artifact-directory: '.' - parameters: | - version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name }-${{ github.sha }}-${{ github.run_number }} - name: 📦 Update Pre-Release if: ${{ steps.check_commits.outputs.should_run == 'true' }} 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eff25cf08..a2afac847 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -157,8 +157,6 @@ jobs: github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' wait-for-completion: true output-artifact-directory: '.' - parameters: | - version: ${{ env.IMHEX_VERSION }}-${ matrix.architecture_name } - name: ⬆️ Upload everything to release uses: softprops/action-gh-release@4634c16e79c963813287e889244c50009e7f0981 From 0906e5f9cf4018c5363d0ccd2e000c2ecf7ccf8b Mon Sep 17 00:00:00 2001 From: WerWolv Date: Sat, 20 Sep 2025 11:57:52 +0200 Subject: [PATCH 4/4] git: Remove test signing, get release signing ready --- .github/workflows/build.yml | 19 ------------------- .github/workflows/release.yml | 19 +++++++++++++------ 2 files changed, 13 insertions(+), 25 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e280e2554..1a7a5382f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -200,25 +200,6 @@ jobs: path: | build/install/* - - name: 🗝️ Test-Sign Installer - uses: signpath/github-action-submit-signing-request@v1 - with: - api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' - organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33' - project-slug: 'ImHex' - signing-policy-slug: 'test-signing' - github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' - wait-for-completion: true - output-artifact-directory: './signed' - - - name: ⬆️ Upload Signed Windows Installer - uses: actions/upload-artifact@v4 - with: - if-no-files-found: error - name: Windows Installer ${{ matrix.architecture_name }} (Signed) - path: | - signed/* - win_msvc: strategy: fail-fast: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a2afac847..308686c29 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -122,7 +122,6 @@ jobs: rm artifact.tar || true - name: ⬆️ Upload Unsigned x86_64 Windows Installer - if: false uses: actions/upload-artifact@v4 id: upload-installer-x86_64 with: @@ -132,7 +131,6 @@ jobs: imhex-*-x86_64.msi - name: ⬆️ Upload Unsigned ARM64 Windows Installer - if: false uses: actions/upload-artifact@v4 id: upload-installer-arm64 with: @@ -142,19 +140,28 @@ jobs: imhex-*-arm64.msi - name: 🗑️ Delete unsigned installers - if: false run: | rm imhex-*.msi - - name: 🗝️ Sign Installer - if: false + - name: 🗝️ Sign x86_64 Installer uses: signpath/github-action-submit-signing-request@v1 with: api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33' project-slug: 'ImHex' signing-policy-slug: 'release-signing' - github-artifact-id: '${{ steps.upload-installer.outputs.artifact-id }}' + github-artifact-id: '${{ steps.upload-installer-x86_64.outputs.artifact-id }}' + wait-for-completion: true + output-artifact-directory: '.' + + - name: 🗝️ Sign ARM64 Installer + uses: signpath/github-action-submit-signing-request@v1 + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: 'f605a0e8-86cd-411c-bb6f-e05025afcc33' + project-slug: 'ImHex' + signing-policy-slug: 'release-signing' + github-artifact-id: '${{ steps.upload-installer-arm64.outputs.artifact-id }}' wait-for-completion: true output-artifact-directory: '.'
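Review bot: Between `rm imhex-*.msi` and the release upload, nothing checks that the two signing steps actually left signed installers in `.`; the third hunk relies on `output-artifact-directory: '.'` producing files that the later upload step picks up. If the signed artifact is extracted under a different name or layout, the release would presumably be published without Windows installers, since the unsigned copies are already deleted. A short guard step after Sign ARM64 Installer, for example `run: ls imhex-*-x86_64.msi imhex-*-arm64.msi`, makes the job fail instead. An Authenticode verification of both files at the same point would be stronger if a suitable tool is available on the runner. The steps list continues outside the hunk, so the upload step itself is not visible here.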