ci(build): Introduce code signing

The code signing is performed by the SignPath
Github Action. All releases are automatically
signed - both the MSI and all the binaries/DLLs.

Author: rabbitstack

.github/workflows/release.yml

@@ -88,12 +88,29 @@ jobs:
       - name: Package
         shell: bash
         run: |
-           export VERSION=${{ steps.get_version.outputs.VERSION }}
-           ./make.bat pkg
+          export VERSION=${{ steps.get_version.outputs.VERSION }}
+          ./make.bat pkg
+          mkdir ./build/msi/signed
       - uses: actions/upload-artifact@v4
+        id: upload-msi
         with:
           name: fibratus-${{ steps.get_version.outputs.VERSION }}-amd64.msi
           path: "./build/msi/fibratus-${{ steps.get_version.outputs.VERSION }}-amd64.msi"
+      - name: Sign MSI
+        uses: signpath/github-action-submit-signing-request@v1
+        with:
+          api-token: "${{ secrets.SIGNPATH_API_TOKEN }}"
+          organization-id: "${{ secrets.SIGNPATH_ORG_ID }}"
+          project-slug: "fibratus"
+          signing-policy-slug: "release-signing"
+          github-artifact-id: "${{ steps.upload-msi.outputs.artifact-id }}"
+          wait-for-completion: true
+          output-artifact-directory: "./build/msi/signed"
+      - uses: actions/upload-artifact@v4
+        with:
+          name: fibratus-${{ steps.get_version.outputs.VERSION }}-amd64.msi
+          path: "./build/msi/signed/fibratus-${{ steps.get_version.outputs.VERSION }}-amd64.msi"
+          overwrite: true
 
   build-slim:
       runs-on: windows-latest
@@ -125,12 +142,30 @@ jobs:
       - name: Package
         shell: bash
         run: |
-           export VERSION=${{ steps.get_version.outputs.VERSION }}
-           ./make.bat pkg-slim
+          export VERSION=${{ steps.get_version.outputs.VERSION }}
+          ./make.bat pkg-slim
+          mkdir ./build/msi/signed
       - uses: actions/upload-artifact@v4
+        id: upload-msi
         with:
           name: fibratus-${{ steps.get_version.outputs.VERSION }}-slim-amd64.msi
           path: "./build/msi/fibratus-${{ steps.get_version.outputs.VERSION }}-slim-amd64.msi"
+      - name: Sign MSI
+        uses: signpath/github-action-submit-signing-request@v1
+        with:
+          api-token: "${{ secrets.SIGNPATH_API_TOKEN }}"
+          organization-id: "${{ secrets.SIGNPATH_ORG_ID }}"
+          project-slug: "fibratus"
+          signing-policy-slug: "release-signing"
+          artifact-configuration-slug: "fibratus-slim"
+          github-artifact-id: "${{ steps.upload-msi.outputs.artifact-id }}"
+          wait-for-completion: true
+          output-artifact-directory: "./build/msi/signed"
+      - uses: actions/upload-artifact@v4
+        with:
+          name: fibratus-${{ steps.get_version.outputs.VERSION }}-slim-amd64.msi
+          path: "./build/msi/signed/fibratus-${{ steps.get_version.outputs.VERSION }}-slim-amd64.msi"
+          overwrite: true
 
   release:
       runs-on: windows-latest

README.md

@@ -62,6 +62,14 @@ To describe all rules in the catalog, use the `fibratus rules list` command. It
 
 We love contributions. To start contributing to Fibratus, please read our [contribution guidelines](https://github.com/rabbitstack/fibratus/blob/master/CONTRIBUTING.md).
 
+### Code Signing Policy
+
+Free code signing provided by [SignPath.io], certificate by
+[SignPath Foundation]. All releases are automatically signed.
+
+[SignPath.io]: https://signpath.io
+[SignPath Foundation]: https://signpath.org
+
 ---
 
 <p align="center">