Skip to content

Add release workflow with SignPath code signing#4

Open
hsbt wants to merge 3 commits into
masterfrom
claude/sad-leavitt-19c724
Open

Add release workflow with SignPath code signing#4
hsbt wants to merge 3 commits into
masterfrom
claude/sad-leavitt-19c724

Conversation

@hsbt

@hsbt hsbt commented Jul 14, 2026

Copy link
Copy Markdown
Member

Pushing a v* tag now builds NativeAOT rb.exe for win-x64 and win-arm64, signs both through SignPath Foundation, verifies the signatures with Get-AuthenticodeSignature, and attaches the binaries with .sha256 checksums to a GitHub release. rb.exe is the one binary users download directly with a browser, so it carries the Mark of the Web and an unsigned build is effectively blocked by SmartScreen. That makes it the first signing target ahead of the MSI and winget channels.

The signing provider will change later. SignPath Foundation goes first because Azure Trusted Signing currently limits identity validation to US/CA/EU/UK legal entities, so all provider-specific logic is isolated in the .github/actions/sign composite action and the release workflow only sees "unsigned artifact in, signed files out". The SignPath credentials live in the release-signing GitHub environment (SIGNPATH_API_TOKEN secret plus SIGNPATH_ORGANIZATION_ID, SIGNPATH_PROJECT_SLUG, and SIGNPATH_SIGNING_POLICY_SLUG variables), which can require reviewer approval before the job starts. While they are not configured, tag pushes still work but produce unsigned draft releases with a warning, so nothing unsigned is published silently.

CI additionally publishes the NativeAOT binaries for both RIDs on every push and PR, unsigned, so AOT breakage surfaces before release time. The exe now carries VERSIONINFO metadata (ProductName rbmanager and friends) that SignPath uses to match the artifact to the project, and docs/code-signing.md doubles as the published signing policy and the SignPath Foundation application checklist.

hsbt added 3 commits July 14, 2026 19:06
SmartScreen and the file-properties dialog show these fields, and the
code-signing provider requires them to identify the project. The
release workflow overrides Version from the tag.
Catches AOT publish breakage on every push instead of at release time.
The arm64 target cross-compiles on the x64 runner with the ARM64 MSVC
tools present on the hosted image. CI artifacts are unsigned.
Pushing a v* tag builds rb.exe for win-x64 and win-arm64, signs both
through SignPath Foundation, verifies the signatures, and attaches the
binaries with .sha256 checksums to a GitHub release. Signing lives in
the .github/actions/sign composite action so the planned migration to
Azure Artifact Signing or an OV certificate only swaps that one seam.
While the SignPath credentials are not configured, releases come out
as unsigned drafts with a warning. docs/code-signing.md doubles as the
signing policy and the SignPath Foundation application checklist.
Copilot AI review requested due to automatic review settings July 14, 2026 10:22

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Introduces a tag-driven release pipeline that builds NativeAOT rb.exe for win-x64 and win-arm64, optionally signs the binaries via SignPath Foundation (through a provider-isolated composite action), verifies Authenticode signatures, and publishes the binaries plus .sha256 files to a GitHub Release. It also adds VERSIONINFO metadata to the executable and documents the signing policy and operational steps.

Changes:

  • Add a release workflow (v* tags) to build, sign (when configured), verify, checksum, and publish rb.exe artifacts to a GitHub Release.
  • Add CI publishing of unsigned NativeAOT binaries for win-x64/win-arm64 to surface AOT breakage earlier.
  • Add VERSIONINFO metadata and documentation covering the signing policy and setup checklist.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/rbmanager/rbmanager.csproj Adds VERSIONINFO metadata used by SmartScreen/file properties and for signing-provider identification.
README.md Documents the new release/signing pipeline and attribution requirements.
docs/code-signing.md Adds the signing policy and operational/runbook documentation for release signing.
.github/workflows/release.yml New tag-triggered release workflow that builds, signs (optional), verifies signatures, and creates GitHub Releases with checksums.
.github/workflows/ci.yml Adds CI NativeAOT publish artifacts (unsigned) for win-x64 and win-arm64.
.github/actions/sign/action.yml Adds a composite action encapsulating provider-specific signing behavior (SignPath today).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +12 to +14
permissions:
contents: read

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants