Code-signing (#78)

Author: eltos

.github/build/action.yml

@@ -33,6 +33,12 @@ outputs:
   path:
     description: 'Build output path'
     value: ${{ steps.build.outputs.path }}
+  version:
+    description: 'Program version'
+    value: ${{ steps.build.outputs.version }}
+  artifact-id:
+    description: 'Build output artifact ID'
+    value: ${{ steps.upload.outputs.artifact-id }}
 
 runs:
   using: 'composite'
@@ -55,9 +61,12 @@ runs:
         msbuild /r /p:Configuration=${{ inputs.configuration }} /p:Flavor=${{ inputs.flavor }} ${{ inputs.build_options }}
         copy LICENSE ${{ inputs.project_directory }}\bin\${{ inputs.configuration }}
         echo "path=${{ inputs.project_directory }}\bin\${{ inputs.configuration }}" >> $env:GITHUB_OUTPUT
+        $VERSION=(Get-Item -Path ${{ inputs.project_directory }}\bin\${{ inputs.configuration }}\*.exe).VersionInfo.ProductVersion
+        echo "version=$VERSION" >> $env:GITHUB_OUTPUT
       shell: pwsh
 
     - name: Upload build artifacts
+      id: upload
       if: ${{ inputs.artifact != '' }}
       uses: actions/upload-artifact@v4
       with:

.github/workflows/dotnet-release.yml

@@ -8,66 +8,121 @@ on:
 
 jobs:
 
-  portable-build:
+  portable:
     runs-on: windows-2019
     steps:
       - uses: actions/checkout@v4
+
       - uses: ./.github/build
+        id: build
         with:
           configuration: Release
           flavor: Portable
           artifact: release_artifact_portable
 
-  portable-publish:
-    runs-on: windows-2019
-    needs: portable-build
-    steps:
-      - name: Collect artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: release_artifact_portable
-          path: release_artifact_portable
       - name: Create zip
-        run: Compress-Archive -Path release_artifact_portable/* -Destination release_artifact_portable.zip
-        #run: tar -cvzf release_artifact_portable.tar.gz -C release_artifact_portable *
+        run: Compress-Archive -Path ${{steps.build.outputs.path}}/* -Destination release_artifact_portable_unsigned.zip
+
       - name: Upload release artifact
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ github.event.release.upload_url }}
-          asset_path: release_artifact_portable.zip
-          asset_name: PasteIntoFile_${{ github.event.release.tag_name }}_portable.zip
+          asset_path: release_artifact_portable_unsigned.zip
+          asset_name: PasteIntoFile_${{ github.event.release.tag_name }}_portable_unsigned.zip
+          asset_content_type: application/zip
+
+      - name: Sign with Signpath
+        uses: signpath/[email protected]
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '030bee06-17be-4a2a-a788-9efdbd14a889'
+          project-slug: 'PasteIntoFile'
+          signing-policy-slug: 'release-signing'
+          artifact-configuration-slug: 'portable'
+          github-artifact-id: '${{ steps.build.outputs.artifact-id }}'
+          parameters: |
+              version: "${{ steps.build.outputs.version }}"
+          wait-for-completion: true
+          output-artifact-directory: 'signing_result'
+
+      - name: Create zip
+        run: Compress-Archive -Path signing_result/* -Destination release_artifact_portable_signed.zip
+
+      - name: Upload signed release artifact
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ github.event.release.upload_url }}
+          asset_path: release_artifact_portable_signed.zip
+          asset_name: PasteIntoFile_${{ github.event.release.tag_name }}_portable_signed.zip
           asset_content_type: application/zip
 
   installer:
     runs-on: windows-2019
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+
       - name: Build program executable
         id: build
         uses: ./.github/build
         with:
           configuration: Release
           flavor: Installer
+
       - name: Add WiX toolkit to PATH
         shell: bash
         run: echo "${WIX}bin" >> $GITHUB_PATH
+
       - name: Build MSI file with WiX toolchain
         run: |
           cd Installer
           heat dir ../${{steps.build.outputs.path}} -dr INSTALLFOLDER -ag -cg ReleaseFragment -ke -srd -sfrag -nologo -pog:Binaries -pog:Documents -pog: Satellites -pog:Sources -pog:Content -t releaseFiles.xslt -out releaseFiles.wxs
           candle releaseFiles.wxs
           candle PasteIntoFile.wxs
           light -b ../${{steps.build.outputs.path}} releaseFiles.wixobj PasteIntoFile.wixobj -ext WixNetFxExtension -out Installer.msi
+
       - name: Upload release artifact
         uses: actions/upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ github.event.release.upload_url }}
           asset_path: Installer/Installer.msi
-          asset_name: PasteIntoFile_${{ github.event.release.tag_name }}_installer.msi
+          asset_name: PasteIntoFile_${{ github.event.release.tag_name }}_installer_unsigned.msi
           asset_content_type: application/msi
 
+
+      - name: Upload artifact for signing
+        id: upload
+        uses: actions/upload-artifact@v4
+        with:
+            path: Installer/Installer.msi
+
+      - name: Sign with Signpath
+        uses: signpath/[email protected]
+        with:
+            api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+            organization-id: '030bee06-17be-4a2a-a788-9efdbd14a889'
+            project-slug: 'PasteIntoFile'
+            signing-policy-slug: 'release-signing'
+            artifact-configuration-slug: 'installer-zip'
+            github-artifact-id: '${{ steps.upload.outputs.artifact-id }}'
+            parameters: |
+                version: "${{ steps.build.outputs.version }}"
+            wait-for-completion: true
+            output-artifact-directory: 'signing_result'
+
+      - name: Upload signed release artifact
+        uses: actions/upload-release-asset@v1
+        env:
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+            upload_url: ${{ github.event.release.upload_url }}
+            asset_path: signing_result/Installer.msi
+            asset_name: PasteIntoFile_${{ github.event.release.tag_name }}_installer_signed.msi
+            asset_content_type: application/msi
+

PRIVACY

@@ -1,10 +1,8 @@
 Paste Into File Privacy Policy
 ------------------------------
 
-Paste Into File reads data in your clipboard and saves it to a local file on your computer at your request. That is what it is made for.
-
-Other than that, your data is not collected, used, transferred, shared or otherwise utilized.
-
+This program reads/writes data to/from your clipboard and local files at your request.
+This program will not transfer any information to other networked systems.
 
 
 

README.md

@@ -197,3 +197,16 @@ Copyright © PasteIntoFile GitHub contributors
   PasteIntoFile copy path_to/the_file
   ```
 
+## Code signing policy
+
+Free code signing provided by [SignPath.io](https://about.signpath.io/), certificate by [SignPath Foundation](https://signpath.org/)
+- Committers and reviewers: [Contributors](https://github.com/eltos/PasteIntoFile/graphs/contributors)
+- Approvers: [Owner](https://github.com/eltos)
+
+## Privacy Policy
+
+See [PRIVACY](PRIVACY) file
+
+## License
+
+See [LICENSE](LICENSE) file