feat: add support for signed releases

Using SignPath automatic code signing to certify releases on build

Author: amd989

.github/workflows/release.yml

@@ -36,11 +36,55 @@ jobs:
           echo "version=$version" >> $env:GITHUB_OUTPUT
           echo "Version: $version"
 
-      - name: Build portable distribution for Scoop
+      - name: Build portable distribution for Scoop (unsigned)
         shell: pwsh
         run: ./build-portable.ps1 -Version ${{ steps.version.outputs.version }}
 
-      - name: Create GitHub Release with portable ZIP
+      - name: Upload unsigned portable artifacts
+        id: upload-portable
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-portable-${{ steps.version.outputs.version }}
+          path: Symlinker/bin/portable/
+
+      - name: Sign portable executable
+        id: signpath-portable
+        uses: signpath/github-action-submit-signing-request@v1
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: '${{ secrets.SIGNPATH_PROJECT_SLUG }}'
+          signing-policy-slug: '${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}'
+          artifact-configuration-slug: 'Portable'
+          github-artifact-id: '${{ steps.upload-portable.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'Symlinker/bin/portable-signed'
+          parameters: |
+            version: ${{ toJSON(steps.version.outputs.version) }}
+
+      - name: Create signed portable ZIP
+        shell: pwsh
+        run: |
+          $version = "${{ steps.version.outputs.version }}"
+          $zipName = "symlinker-$version-portable.zip"
+
+          # Remove unsigned ZIP if exists
+          if (Test-Path $zipName) {
+            Remove-Item $zipName -Force
+          }
+
+          # Create ZIP from signed artifacts
+          Add-Type -AssemblyName System.IO.Compression.FileSystem
+          [System.IO.Compression.ZipFile]::CreateFromDirectory(
+            (Resolve-Path "Symlinker/bin/portable-signed").Path,
+            (Join-Path (Get-Location) $zipName),
+            [System.IO.Compression.CompressionLevel]::Optimal,
+            $false
+          )
+
+          Write-Output "Created signed portable ZIP: $zipName"
+
+      - name: Create GitHub Release with signed portable ZIP
         uses: softprops/action-gh-release@v1
         with:
           files: symlinker-${{ steps.version.outputs.version }}-portable.zip
@@ -50,6 +94,32 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Run ClickOnce release script
+      - name: Build ClickOnce package (unsigned)
+        shell: pwsh
+        run: ./release.ps1 -OnlyBuild
+
+      - name: Upload unsigned ClickOnce artifacts
+        id: upload-clickonce
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-clickonce-${{ steps.version.outputs.version }}
+          path: Symlinker/bin/publish/
+
+      - name: Submit signing request to SignPath
+        id: signpath
+        uses: signpath/github-action-submit-signing-request@v1
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: '${{ secrets.SIGNPATH_PROJECT_SLUG }}'
+          signing-policy-slug: '${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}'
+          artifact-configuration-slug: 'ClickOnce'
+          github-artifact-id: '${{ steps.upload-clickonce.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'signed-clickonce'
+          parameters: |
+            version: ${{ toJSON(steps.version.outputs.version) }}
+
+      - name: Deploy signed ClickOnce to gh-pages
         shell: pwsh
-        run: ./release.ps1
+        run: ./release.ps1 -SignedArtifactDir "signed-clickonce"

CHANGELOG.md

@@ -1,4 +1,12 @@
+## What's Changed
+* feat: add support for signed releases by @amd989
+* docs: :memo: update readme by @amd989
+* chore: add funding usernames by @amd989
+
 ## What's Changed in 2.0.0
+* chore: ♻️ rename project by @amd989
+* ci: :construction_worker: add support for scoop.sh by @amd989 in [#27](https://github.com/amd989/Symlinker/pull/27)
+* docs: :memo: add changelog with gitcliff by @amd989
 * ci: 💚 fix click once publish by @amd989
 * docs: :page_facing_up: add mit license by @amd989 in [#26](https://github.com/amd989/Symlinker/pull/26)
 * feat: modernize application by @amd989 in [#25](https://github.com/amd989/Symlinker/pull/25)

PRIVACY.md

@@ -0,0 +1 @@
+This program will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it

README.md

@@ -55,5 +55,13 @@ See [CHANGELOG.md](CHANGELOG.md)
 
 TODO
 ----
-* Get a real code signing certificate
-* Rework the code to be better
+* Rework the code to be better
+
+Acknowledgments
+---------------
+Free code signing provided by [SignPath.io](https://about.signpath.io/), certificate by [SignPath Foundation](https://signpath.org/)
+Committers and reviewers: [Contributors](https://github.com/amd989/Symlinker/graphs/contributors)
+
+Privacy Policy
+--------------
+See [PRIVACY.md](PRIVACY.md)

Symlinker/Properties/PublishProfiles/ClickOnceProfile.pubxml

@@ -3,7 +3,7 @@
 <Project>
   <PropertyGroup>
     <ApplicationRevision>0</ApplicationRevision>
-    <ApplicationVersion>2.0.0.0</ApplicationVersion>
+    <ApplicationVersion>2.1.0.0</ApplicationVersion>
     <BootstrapperEnabled>True</BootstrapperEnabled>
     <Configuration>Release</Configuration>
     <CreateWebPageOnPublish>True</CreateWebPageOnPublish>
@@ -33,7 +33,7 @@
   </PropertyGroup>
   <ItemGroup>
     <BootstrapperPackage Include="Microsoft.NetCore.DesktopRuntime.8.0.x64">
-      <Install>True</Install>
+      <Install>true</Install>
       <ProductName>.NET Desktop Runtime 8.0.18 (x64)</ProductName>
     </BootstrapperPackage>
   </ItemGroup>

Symlinker/Symlinker.csproj

@@ -3,13 +3,10 @@
     <TargetFramework>net8.0-windows</TargetFramework>
     <OutputType>WinExe</OutputType>
     <RootNamespace>Symlinker</RootNamespace>
-    <ManifestCertificateThumbprint>1545011842E7D72688AF686E0A94663E3A278CFA</ManifestCertificateThumbprint>
-    <ManifestKeyFile>cert.pfx</ManifestKeyFile>
     <GenerateManifests>false</GenerateManifests>
     <SignManifests>false</SignManifests>
     <IsWebBootstrapper>true</IsWebBootstrapper>
     <ApplicationIcon>icon.ico</ApplicationIcon>
-    <AssemblyOriginatorKeyFile>key.snk</AssemblyOriginatorKeyFile>
     <PublishUrl>ftp://ftp.alejandro.com/public_html/alejandro.md/publish/Symlinker/</PublishUrl>
     <Install>true</Install>
     <InstallFrom>Web</InstallFrom>
@@ -30,8 +27,6 @@
     <SuiteName>Symlinker</SuiteName>
     <CreateWebPageOnPublish>true</CreateWebPageOnPublish>
     <WebPage>publish.htm</WebPage>
-    <ApplicationRevision>16</ApplicationRevision>
-    <ApplicationVersion>1.1.2.%2a</ApplicationVersion>
     <UseApplicationTrust>false</UseApplicationTrust>
     <CreateDesktopShortcut>true</CreateDesktopShortcut>
     <PublishWizardCompleted>true</PublishWizardCompleted>
@@ -42,7 +37,7 @@
     <TargetZone>LocalIntranet</TargetZone>
     <ApplicationManifest>Properties\app.manifest</ApplicationManifest>
     <StartupObject>Symlinker.Program</StartupObject>
-    <Version>2.0.0.0</Version>
+    <Version>2.1.0.0</Version>
     <Description>Symbolic link creator app</Description>
     <Copyright>Copyright © Alejandro Mora 2025</Copyright>
     <PackageProjectUrl>https://github.com/amd989/Symlinker</PackageProjectUrl>

Symlinker/cert.pfx

@@ -2,7 +2,8 @@
 
 [CmdletBinding(PositionalBinding=$false)]
 param (
-    [switch]$OnlyBuild=$false
+    [switch]$OnlyBuild=$false,
+    [string]$SignedArtifactDir=""
 )
 
 $appName = "Symlinker" 
@@ -64,6 +65,18 @@ if ($OnlyBuild) {
     exit
 }
 
+# Determine which directory to deploy (signed or unsigned).
+$deployDir = $outDir
+if ($SignedArtifactDir) {
+    if (-Not (Test-Path $SignedArtifactDir)) {
+        throw "Signed artifact directory not found: $SignedArtifactDir"
+    }
+    $deployDir = $SignedArtifactDir
+    Write-Output "Using signed artifacts from: $SignedArtifactDir"
+} else {
+    Write-Output "Using unsigned artifacts from: $outDir"
+}
+
 # Clone `gh-pages` branch.
 $ghPagesDir = "gh-pages"
 if (-Not (Test-Path $ghPagesDir)) {
@@ -84,7 +97,7 @@ try {
 
     # Copy new application files.
     Write-Output "Copying new files..."
-    Copy-Item -Path "../$outDir/Application Files","../$outDir/$appName.application" `
+    Copy-Item -Path "../$deployDir/Application Files","../$deployDir/$appName.application" `
         -Destination . -Recurse
 
     # Stage and commit.