From fcc697b9b31aef44aefaf9a6660d51d44f707149 Mon Sep 17 00:00:00 2001
From: David Knaack
Date: Sun, 13 Oct 2024 22:22:12 +0200
Subject: [PATCH] feat(release): codesign windows release binaries (#6273)
---
 .github/workflows/release.yml | 11 ++++-------
 .github/workflows/workflow.yml | 2 +-
 README.md | 11 ++++++++++-
 3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a25cf0d67..bc607eeac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -138,18 +138,15 @@ jobs:
 - name: Sign | Sign [Windows]
 continue-on-error: true
 if: matrix.os == 'windows-latest'
- uses: signpath/github-action-submit-signing-request@v0.4
+ uses: signpath/github-action-submit-signing-request@v1
 with:
 api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
 organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
 project-slug: 'starship'
- signing-policy-slug: 'test-signing'
 github-artifact-id: '${{ steps.unsigned-artifacts.outputs.artifact-id }}'
- wait-for-completion: false
- # TODO use release-signing certificate:
- # signing-policy-slug: 'release-signing'
- # wait-for-completion: true
- # output-artifact-directory: 'target/${{ matrix.target }}/release'
+ signing-policy-slug: 'release-signing'
+ wait-for-completion: true
+ output-artifact-directory: 'target/${{ matrix.target }}/release'
 - name: Post Build | Prepare artifacts [Windows]
 if: matrix.os == 'windows-latest'
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 026925954..9ab782b58 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
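Review bot: In .github/workflows/release.yml the `Sign | Sign [Windows]` step still carries `continue-on-error: true`, so a failed, denied or timed-out `release-signing` request does not stop the release job. Because the signed files are now written back into `target/${{ matrix.target }}/release`, a failure leaves the unsigned build output in that same directory, and the following `Post Build | Prepare artifacts [Windows]` step would presumably package it as if nothing had happened. Consider removing `continue-on-error: true` from this step in the release workflow, or adding a step before packaging that fails unless the Windows binaries carry a valid Authenticode signature (for example a PowerShell check with `Get-AuthenticodeSignature`). The packaging and upload steps lie outside this hunk, so the exact fallback behaviour should be confirmed there.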
@@ -233,7 +233,7 @@ jobs:
 target/debug/starship-x86_64-pc-windows-msvc.msi
 - name: Sign | Sign [Windows]
- uses: signpath/github-action-submit-signing-request@v0.4
+ uses: signpath/github-action-submit-signing-request@v1
 continue-on-error: true
 if: matrix.os == 'windows-latest' && matrix.rust == 'stable' && github.event_name == 'push' && github.repository == 'starship/starship'
 with:
diff --git a/README.md b/README.md
index 1d0488510..8c87db04b 100644
--- a/README.md
+++ b/README.md
@@ -433,7 +433,16 @@ Please check out these previous works that helped inspire the creation of starsh
 Support this project by [becoming a sponsor](https://github.com/sponsors/starship). Your name or logo will show up here with a link to your website.
-- Free code signing provided by [SignPath.io], certificate by [SignPath Foundation]
+## 🔒 Code Signing Policy
+
+Free code signing provided by [SignPath.io], certificate by [SignPath Foundation].
+
+Code Signing Roles:
+
+- Reviewers: [Astronauts](https://github.com/orgs/starship/teams/astronauts)
+- Approvers and Authors: [Mission Control](https://github.com/orgs/starship/teams/mission-control)
+
+This program will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it.
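Review bot: The line `uses: signpath/github-action-submit-signing-request@v1` in .github/workflows/workflow.yml, and the identical line in the release.yml hunk, points at a mutable tag for an action that (per the release.yml hunk) receives `secrets.SIGNPATH_API_TOKEN` and the binaries to be signed. If `v1` is moved or retagged upstream, different code runs with the signing token and no change appears in this repository. Pinning to a full commit SHA with the version kept as a trailing comment, `uses: signpath/github-action-submit-signing-request@<full-commit-sha> # v1`, makes every upgrade an explicit, reviewable diff. The `with:` block of the workflow.yml step continues outside this hunk.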