feat(release): codesign windows release binaries (starship#6273)

viccie30 · Oct 13, 2024 · fcc697b · fcc697b
1 parent d6814be
commit fcc697b
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 9 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -138,18 +138,15 @@ jobs:
       - name: Sign | Sign [Windows]
         continue-on-error: true
         if: matrix.os == 'windows-latest'
-        uses: signpath/github-action-submit-signing-request@v0.4
+        uses: signpath/github-action-submit-signing-request@v1
         with:
           api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
           organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
           project-slug: 'starship'
-          signing-policy-slug: 'test-signing'
           github-artifact-id: '${{ steps.unsigned-artifacts.outputs.artifact-id }}'
-          wait-for-completion: false
-          # TODO use release-signing certificate:
-          # signing-policy-slug: 'release-signing'
-          # wait-for-completion: true
-          # output-artifact-directory: 'target/${{ matrix.target }}/release'
+          signing-policy-slug: 'release-signing'
+          wait-for-completion: true
+          output-artifact-directory: 'target/${{ matrix.target }}/release'
 
       - name: Post Build | Prepare artifacts [Windows]
         if: matrix.os == 'windows-latest'

diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
@@ -233,7 +233,7 @@ jobs:
             target/debug/starship-x86_64-pc-windows-msvc.msi
 
       - name: Sign | Sign [Windows]
-        uses: signpath/github-action-submit-signing-request@v0.4
+        uses: signpath/github-action-submit-signing-request@v1
         continue-on-error: true
         if: matrix.os == 'windows-latest' && matrix.rust == 'stable' && github.event_name == 'push' && github.repository == 'starship/starship'
         with:

diff --git a/README.md b/README.md
@@ -433,7 +433,16 @@ Please check out these previous works that helped inspire the creation of starsh
 
 Support this project by [becoming a sponsor](https://github.com/sponsors/starship). Your name or logo will show up here with a link to your website.
 
-- Free code signing provided by [SignPath.io], certificate by [SignPath Foundation]
+## 🔒 Code Signing Policy
+
+Free code signing provided by [SignPath.io], certificate by [SignPath Foundation].
+
+Code Signing Roles:
+
+- Reviewers: [Astronauts](https://github.com/orgs/starship/teams/astronauts)
+- Approvers and Authors: [Mission Control](https://github.com/orgs/starship/teams/mission-control)
+
+This program will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it.
 
 <p align="center">
     <br>