WIP: SignPath signing test

.github/workflows/main.yml

@@ -52,6 +52,7 @@ jobs:
             build_flags: -DINITSYS=systemd -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
             build_type: Release
             collect_symbols: false
+            signpath: false
             # This causes the AppImage to be generated, instead of just creating
             # the portable tree, because there seems to be no way to separate
             # these steps with linuxdeploy
@@ -100,6 +101,7 @@ jobs:
             sccache_triplet: x86_64-unknown-linux-musl
             build_type: Release
             collect_symbols: false
+            signpath: false
             packager: cmake --install build --config Release --prefix .
             cross_qt_args: >-
               "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
@@ -165,6 +167,7 @@ jobs:
             sccache_triplet: x86_64-unknown-linux-musl
             build_type: Release
             collect_symbols: false
+            signpath: false
             packager: cmake --install build --config Release --prefix .
             cross_qt_args: >-
               "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT"
@@ -230,6 +233,7 @@ jobs:
             build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
             build_type: Release
             collect_symbols: false
+            signpath: false
             sccache_triplet: x86_64-apple-darwin
             packager: cpack --verbose --config build/CPackConfig.cmake -C Release
 
@@ -241,6 +245,7 @@ jobs:
             build_flags: -DBUILD_PACKAGE_SUFFIX=arm64 -G Ninja
             build_type: Release
             collect_symbols: false
+            signpath: false
             sccache_triplet: aarch64-apple-darwin
             packager: cpack --verbose --config build/CPackConfig.cmake -C Release
 
@@ -253,6 +258,7 @@ jobs:
             build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
             build_type: RelWithDebInfo
             collect_symbols: true
+            signpath: true
             qt_pre_build: >
               choco install gperf jom winflexbison3 &&
               New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
@@ -277,6 +283,7 @@ jobs:
             build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja
             build_type: RelWithDebInfo
             collect_symbols: false
+            signpath: false
             qt_pre_build: >
               choco install gperf jom winflexbison3 &&
               New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
@@ -299,6 +306,7 @@ jobs:
             build_flags: -DCARGO_TRIPLE=i686-pc-windows-msvc -DBUILD_PACKAGE_SUFFIX=x86 -G Ninja
             build_type: RelWithDebInfo
             collect_symbols: false
+            signpath: true
             qt_pre_build: >
               choco install gperf jom winflexbison3 &&
               New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe &&
@@ -478,7 +486,9 @@ jobs:
           }
         env:
           WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
-        if: runner.os == 'Windows'
+        if: runner.os == 'Windows' && matrix.packager && !matrix.signpath
+        # TODO: switch to commented version
+        # if: runner.os == 'Windows' && matrix.packager && (!startsWith(github.ref, 'refs/tags/') || !matrix.signpath)
 
       - name: Generate project
         run: >
@@ -547,6 +557,60 @@ jobs:
           WINDOWS_PFX_TIMESTAMP_URL: 'http://timestamp.digicert.com'
         if: matrix.packager
 
+      - name: Upload artifacts for SignPath to sign
+        uses: actions/upload-artifact@v4
+        id: signpath-upload
+        with:
+          name: SignPath${{ matrix.component && format('-{0}', matrix.component) }}-${{ matrix.cross_os || runner.os }}-${{ matrix.arch }}-Qt${{ matrix.qt }}
+          path: |
+            Drawpile-*.msi
+            Drawpile-*.zip
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
+        # TODO: switch to commented version
+        # if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
+      - name: Delete unsigned artifacts
+        id: signpath-delete-unsigned
+        shell: bash
+        run: rm -vf Drawpile-*.msi Drawpile-*.zip
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
+        # TODO: switch to commented version
+        # if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
+      - name: Submit artifacts to SignPath to sign
+        uses: signpath/github-action-submit-signing-request@v1
+        id: signpath-sign
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: 'Drawpile'
+          signing-policy-slug: 'test-signing'
+          artifact-configuration-slug: 'client'
+          github-artifact-id: '${{ steps.signpath-upload.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: '.'
+          # TODO: uncomment
+          # parameters: |
+          #   Version: "${{ github.ref_name }}"
+          #   Release_Tag: "${{ github.ref_name }}"
+        # TODO: switch to commented version
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
+        # if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
+      - name: Delete unsigned executable uploaded for SignPath after signing
+        uses: actions/github-script@v7
+        id: signpath-exe-delete
+        with:
+          script: |
+            github.rest.actions.deleteArtifact({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              artifact_id: ${{ steps.signpath-upload.outputs.artifact-id }}
+            });
+        # TODO: switch to commented version
+        if: runner.os == 'Windows' && matrix.packager && matrix.signpath
+        # if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath
+
       - name: Bundle PDBs
         run: >
           cmake "-DEXE_SEARCH_PATHS=build"

README.md

@@ -4,6 +4,8 @@
 
 Drawpile is a drawing program that lets you draw, paint and animate together with others on the same canvas. It runs on Windows, Linux, macOS and Android.
 
+Thanks to [SignPath.io](https://signpath.io/) for the code signing services and [the SignPath Foundation](https://signpath.org/) for providing us with an open source signing certificate.
+
 ## Installing
 
 Take a look at [the downloads page on drawpile.net](https://drawpile.net/download/) or [the GitHub releases](https://github.com/drawpile/Drawpile/releases).