Sign windows build with signpath.io

.github/workflows/release.yml

@@ -11,6 +11,7 @@ name: Create Release
 
 permissions:
   contents: write
+  actions: read
 
 jobs:
   build-macos-windows:
@@ -35,7 +36,39 @@ jobs:
         uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
       - name: Build
         run: cargo build --profile superoptimized --locked --target ${{ matrix.target }}
-      - uses: actions/upload-artifact@v4
+      - name: Upload unsigned Windows artifact
+        if: matrix.os == 'windows-latest'
+        id: upload_unsigned
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-windows
+          path: target/${{ matrix.target }}/superoptimized/sqlpage.exe
+          if-no-files-found: error
+
+      - name: Submit signing request to SignPath
+        if: matrix.os == 'windows-latest'
+        id: signpath
+        uses: signpath/[email protected]
+        with:
+          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+          organization-id: '45fd8443-c7ca-4d29-a68b-608948185335'
+          project-slug: 'sqlpage'
+          signing-policy-slug: 'release-signing'
+          github-artifact-id: ${{ steps.upload_unsigned.outputs.artifact-id }}
+          wait-for-completion: true
+          output-artifact-directory: './signed-windows'
+
+      - name: Upload signed Windows artifact
+        if: matrix.os == 'windows-latest'
+        uses: actions/upload-artifact@v4
+        with:
+          name: sqlpage windows-latest
+          path: signed-windows/sqlpage.exe
+          if-no-files-found: error
+
+      - name: Upload artifact (non-Windows)
+        if: matrix.os != 'windows-latest'
+        uses: actions/upload-artifact@v4
         with:
           name: sqlpage ${{ matrix.os }}
           path: target/${{ matrix.target }}/superoptimized/sqlpage${{ matrix.binary_extension }}

CHANGELOG.md

@@ -1,6 +1,8 @@
 # CHANGELOG.md
 
 ## v0.37.0
+ - We now cryptographically sign the Windows app during releases, which proves the file hasn’t been tampered with. Once the production certificate is active, Windows will show a "verified publisher" and should stop showing screens saying "This app might harm your device", "Windows protected your PC" or "Are you sure you want to run this application ?". 
+   - Thanks to https://signpath.io for providing us with a windows signing certificate !
  - Added a new parameter `encoding` to the [fetch](https://sql-page.com/functions.sql?function=fetch) function:
   - All [standard web encodings](https://encoding.spec.whatwg.org/#concept-encoding-get) are supported.
   - Additionally, `base64` can be specified to decode binary data as base64 (compatible with [data URI](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs))

README.md

@@ -322,3 +322,10 @@ We welcome contributions! SQLPage is built with Rust and uses
 vanilla javascript for its frontend parts.
 
 Check out our [Contributing Guide](./CONTRIBUTING.md) for detailed instructions on development setup, testing, and pull request process.
+
+# Code signing policy
+
+Our windows binaries are digitally signed, so they should be recognized as safe by Windows.
+Free code signing provided by [SignPath.io](https://about.signpath.io/), certificate by [SignPath Foundation](https://signpath.org/). [Contributors](https://github.com/sqlpage/SQLPage/graphs/contributors), [Owners](https://github.com/orgs/sqlpage/people?query=role%3Aowner).
+
+This program will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it