Code-signing

[eltos]

Consider code-signing

Would resolve #67 and #10 and is a prerequisite for #16

As mentioned by @insane66613 in #16 (comment)

Just a quick note regarding the code-signing hurdle mentioned here (for sparse packaging and Windows 11 context menu support) — there's a great free option available specifically for open-source projects:

✅ Free Code Signing via SignPath.io
SignPath Foundation offers free, secure code signing certificates for open-source projects that meet the following criteria:

Uses an OSI-approved open-source license (e.g. MIT, GPL, etc.)

Transparent public repo with automated build process

No dual-licensing or commercial clauses

Highlights:

🔐 Private keys never leave SignPath — signing is done via a secure HSM

⚙️ Integrates well with GitHub Actions (or other CI) for fully automated signed builds

🛡️ Helps eliminate Windows SmartScreen warnings and is valid for MSIX packaging

This is the same setup used by other open-source WinForms apps like LGTV Companion, which had similar signing needs.

Could be a practical solution if signing continues to be a blocker for modern Windows packaging. I’d be happy to help with GitHub Actions config if needed.

https://about.signpath.io/product/open-source

[eltos]

I have contacted oss-support@signpath.org applying for a certificate.

[insane66613]

I reached out to them on behalf of the project as well, just got a response on the ticket. Figure I'd provide it here for reference.

Hello Matt,

thanks for reaching out to us. We provide a free code signing certificate (issued to our “SignPath Foundation”) and offer our service for free to open source projects. Due to the certificate being issued to our organization, we need to verify that the binary artifact is built solely from the source code in the public GitHub repository. We therefore integrate with CI services and check the configuration. Currently, AppVeyor and GitHub Actions are supported.

If you are interested in an OSS subscription, I would kindly ask you to fill out the attached form. We can then create a subscription for you with a test certificate. Once your setup is complete, we would go ahead and order a release certificate for you and import it into the subscription.

See also the "Open Source" column on https://about.signpath.io/product/editions and our Open Source Terms of Use.

Looking forward to hearing back from you!

Best regards,
Phillip

OSSRequestForm - v3.xlsx

[eltos]

@insane66613 okay, thanks. In this case, and since I did (not yet) get a response, I think it'll be best if you continue the communication on your ticket number to avoid confusion. Since you mentioned you would be willing to help with the CI, I guess that would be easiest for you anyways. Would that be okay for you? Or would you prefer it differently? Let me know if you need anything.

[insane66613]

Yeah not a problem.

[insane66613]

Name: PasteIntoFile
Handle Type: Software Application
License: MIT License (based on common GitHub projects, though I'd need to verify this from the actual repository)
Repository URL: https://github.com/eltos/PasteIntoFile
Homepage URL: https://github.com/eltos/PasteIntoFile
Download URL: https://github.com/eltos/PasteIntoFile/releases
Privacy Policy URL: Not available
Wikipedia URL: Not available
Tagline: Paste clipboard data into files and copy file contents directly via hotkey or context menu GitHub
Description: An application that allows users to paste clipboard contents directly into files via a new entry in the file explorer context menu and/or additional hotkeys. It supports many formats including images, text, HTML, CSV, and more. It can also copy file contents to the clipboard directly, saving time when working with files. GitHub
Reputation: Open source project with regular updates, maintained by eltos with multiple contributors
User Full Name: [Your full name here]
User Email: [Your email address here]
Accept terms of use: I hereby accept the terms of use

are these good answers for the application?

and I don't know what you want for the full name and email, if you want PM me or advise otherwise, as I don't feel that I should put my name and email for the certificate itself. Naturally being your project I presume you would like be listed here.

[insane66613]

I used claude AI to generate these answers so please doublecheck my work

[eltos]

• Handle: PasteIntoFile
• Type: Program
• MIT licence is correct, see https://github.com/eltos/PasteIntoFile/blob/main/LICENSE
• Privacy policy: https://github.com/eltos/PasteIntoFile/blob/main/PRIVACY

Regarding name and contact email: questions is what they ask it for. If they want contact details of the project maintainer, then Philipp Niedermayer eltos@outlook.de (github.com/eltos). If they want contact for doing the initial setup only, you can also put your details if you feel comfortable, up to you. I'm happy with motivated people contributing here :)
As far as I got it, the name in the signature will anyways be "SignPath" and no personal details, as they don't give us a new own certificate, but rather sign our app in their name. Whatever you feel comfortable with, if at any point you feel that I should take over just let me know.

[eltos]

Hi @insane66613 , any news on the matter?

[insane66613]

I submitted the form, keep an eye out for an email

[eltos]

Got the email. I saw there is a Paste Into File OSS
Organisation ID 030bee06-17be-4a2a-a788-9efdbd14a889
Project slug PasteIntoFile
Signing policy slug test-signing

Signing by uploading worked using these configurations:

Installer

<?xml version="1.0" encoding="utf-8"?>
<artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
  <msi-file>
    <directory path="PasteIntoFile">
      <pe-file-set>
        <include path="PasteIntoFile.exe" />
        <for-each>
          <authenticode-sign />
        </for-each>
      </pe-file-set>
    </directory>
    <authenticode-sign />
  </msi-file>
</artifact-configuration>

Portable

<?xml version="1.0" encoding="utf-8" ?>
<artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
  <zip-file>
    <pe-file-set>
      <include path="PasteIntoFile.exe" />
      <for-each>
        <authenticode-sign />
      </for-each>
    </pe-file-set>
  </zip-file>
</artifact-configuration>

How can this be integrated with GitHub CI release workflow?

[insane66613]

Hello Matt,

you should have received an invitation to the new OSS organization. You can start to

set up your project and artifact configuration (GitHub requires you to put it in a ): https://about.signpath.io/documentation/artifact-configuration/
configure the GitHub Actions integration: https://about.signpath.io/documentation/trusted-build-systems/github
Then you can start signing using the provided self-signed test certificate. Once you're all set, we'll review the setup and order the actual production certificate and import it into your organization.

Let me know if you have any more questions.

Best regards,
Phillip

[eltos]

I managed to get it working for the portable exe. I did not have the time for the installer, will do it next time.

[eltos]

I have requested review of the setup

Dear Phillip,

we have complete integration of our GitHub CI with SignPath for the OSS Project PasteIntoFile. We would kindly request you to review and approve the setup.

Please find the PR with the CI implementation made here:
#78

Please find a proof for the release assets created with this setup here:
https://github.com/eltos/PasteIntoFile/releases/tag/v5.4.3-signtest12

The corresponding signing requests are:
https://app.signpath.io/Web/030bee06-17be-4a2a-a788-9efdbd14a889/SigningRequests/66bd5cb8-b004-4ab2-bdc8-a68133ba6ed3
https://app.signpath.io/Web/030bee06-17be-4a2a-a788-9efdbd14a889/SigningRequests/8dc2f12f-6e75-4cf8-ab00-450b7e977b6c

If everything looks good I kindly request to unlock the release certificate in order for us to change from the signing-policy 'test-signing' to 'release-signing' and merge the PR.

Thank you.

[insane66613]

I am happy to inform you that we issued the release certificate to you/your project.

We also updated our signpath.org/projects site to include your project, as well as authorizing the support user for your organization in SignPath, in case you need help/support from us.

Can you confirm that you have received the production certificate and then update your policy regarding our terms (linked screenshot example), you can do this in your official website or your github open source project. No need to rush, you can take your time. :)

Best regard,
Phillip