feat: add support for signed releases

Using SignPath automatic code signing to certify releases on build

Author: amd989

.github/workflows/release.yml

@@ -50,6 +50,31 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Run ClickOnce release script
+      - name: Build ClickOnce package (unsigned)
         shell: pwsh
-        run: ./release.ps1
+        run: ./release.ps1 -OnlyBuild
+
+      - name: Upload unsigned ClickOnce artifacts
+        id: upload-clickonce
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-clickonce-${{ steps.version.outputs.version }}
+          path: Symlinker/bin/publish/
+
+      - name: Submit signing request to SignPath
+        id: signpath
+        uses: signpath/github-action-submit-signing-request@v1
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: '${{ secrets.SIGNPATH_PROJECT_SLUG }}'
+          signing-policy-slug: '${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}'
+          github-artifact-id: '${{ steps.upload-clickonce.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'signed-clickonce'
+          parameters: |
+            version: ${{ steps.version.outputs.version }}
+
+      - name: Deploy signed ClickOnce to gh-pages
+        shell: pwsh
+        run: ./release.ps1 -SignedArtifactDir "signed-clickonce"

PRIVACY.md

@@ -0,0 +1 @@
+This program will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it

README.md

@@ -55,5 +55,13 @@ See [CHANGELOG.md](CHANGELOG.md)
 
 TODO
 ----
-* Get a real code signing certificate
-* Rework the code to be better
+* Rework the code to be better
+
+Acknowledgments
+---------------
+Free code signing provided by [SignPath.io](https://about.signpath.io/), certificate by [SignPath Foundation](https://signpath.org/)
+Committers and reviewers: [Contributors](https://github.com/amd989/Symlinker/graphs/contributors)
+
+Privacy Policy
+--------------
+See [PRIVACY.md](PRIVACY.md)

Symlinker/Properties/PublishProfiles/ClickOnceProfile.pubxml

@@ -3,7 +3,7 @@
 <Project>
   <PropertyGroup>
     <ApplicationRevision>0</ApplicationRevision>
-    <ApplicationVersion>2.0.0.0</ApplicationVersion>
+    <ApplicationVersion>2.1.0.0</ApplicationVersion>
     <BootstrapperEnabled>True</BootstrapperEnabled>
     <Configuration>Release</Configuration>
     <CreateWebPageOnPublish>True</CreateWebPageOnPublish>
@@ -33,7 +33,7 @@
   </PropertyGroup>
   <ItemGroup>
     <BootstrapperPackage Include="Microsoft.NetCore.DesktopRuntime.8.0.x64">
-      <Install>True</Install>
+      <Install>true</Install>
       <ProductName>.NET Desktop Runtime 8.0.18 (x64)</ProductName>
     </BootstrapperPackage>
   </ItemGroup>

Symlinker/Symlinker.csproj

@@ -3,13 +3,10 @@
     <TargetFramework>net8.0-windows</TargetFramework>
     <OutputType>WinExe</OutputType>
     <RootNamespace>Symlinker</RootNamespace>
-    <ManifestCertificateThumbprint>1545011842E7D72688AF686E0A94663E3A278CFA</ManifestCertificateThumbprint>
-    <ManifestKeyFile>cert.pfx</ManifestKeyFile>
     <GenerateManifests>false</GenerateManifests>
     <SignManifests>false</SignManifests>
     <IsWebBootstrapper>true</IsWebBootstrapper>
     <ApplicationIcon>icon.ico</ApplicationIcon>
-    <AssemblyOriginatorKeyFile>key.snk</AssemblyOriginatorKeyFile>
     <PublishUrl>ftp://ftp.alejandro.com/public_html/alejandro.md/publish/Symlinker/</PublishUrl>
     <Install>true</Install>
     <InstallFrom>Web</InstallFrom>
@@ -30,8 +27,6 @@
     <SuiteName>Symlinker</SuiteName>
     <CreateWebPageOnPublish>true</CreateWebPageOnPublish>
     <WebPage>publish.htm</WebPage>
-    <ApplicationRevision>16</ApplicationRevision>
-    <ApplicationVersion>1.1.2.%2a</ApplicationVersion>
     <UseApplicationTrust>false</UseApplicationTrust>
     <CreateDesktopShortcut>true</CreateDesktopShortcut>
     <PublishWizardCompleted>true</PublishWizardCompleted>
@@ -42,7 +37,7 @@
     <TargetZone>LocalIntranet</TargetZone>
     <ApplicationManifest>Properties\app.manifest</ApplicationManifest>
     <StartupObject>Symlinker.Program</StartupObject>
-    <Version>2.0.0.0</Version>
+    <Version>2.1.0.0</Version>
     <Description>Symbolic link creator app</Description>
     <Copyright>Copyright © Alejandro Mora 2025</Copyright>
     <PackageProjectUrl>https://github.com/amd989/Symlinker</PackageProjectUrl>

Symlinker/cert.pfx

@@ -2,7 +2,8 @@
 
 [CmdletBinding(PositionalBinding=$false)]
 param (
-    [switch]$OnlyBuild=$false
+    [switch]$OnlyBuild=$false,
+    [string]$SignedArtifactDir=""
 )
 
 $appName = "Symlinker" 
@@ -64,6 +65,18 @@ if ($OnlyBuild) {
     exit
 }
 
+# Determine which directory to deploy (signed or unsigned).
+$deployDir = $outDir
+if ($SignedArtifactDir) {
+    if (-Not (Test-Path $SignedArtifactDir)) {
+        throw "Signed artifact directory not found: $SignedArtifactDir"
+    }
+    $deployDir = $SignedArtifactDir
+    Write-Output "Using signed artifacts from: $SignedArtifactDir"
+} else {
+    Write-Output "Using unsigned artifacts from: $outDir"
+}
+
 # Clone `gh-pages` branch.
 $ghPagesDir = "gh-pages"
 if (-Not (Test-Path $ghPagesDir)) {
@@ -84,7 +97,7 @@ try {
 
     # Copy new application files.
     Write-Output "Copying new files..."
-    Copy-Item -Path "../$outDir/Application Files","../$outDir/$appName.application" `
+    Copy-Item -Path "../$deployDir/Application Files","../$deployDir/$appName.application" `
         -Destination . -Recurse
 
     # Stage and commit.