testing siging with bash script

.github/workflows/build.yml

@@ -310,20 +310,20 @@ jobs:
           python -m pip install mypy
           python -m mypy --output json | python .github/mypy-github-formatter
         continue-on-error: true
-      - shell: bash
+      - name: Running make dist
+        shell: bash
         run: |
           make dist
         env:
           BUILD: windows
-      - shell: bash
+      - name: signing windows binaries
+        shell: bash
         run: |
-          bash bin/build-windows-installer
-        env:
-          BUILD: windows
+          bash bin/windows-binaries-signing
       - uses: actions/upload-artifact@v4
         with:
           name: inkstitch-windows32
-          path: artifacts
+          path: signed-artifacts
   windows64:
     runs-on: windows-2019
     steps:
@@ -381,15 +381,56 @@ jobs:
           make dist
         env:
           BUILD: windows
+      - name: upload-unsigned-exe
+        id: upload-unsigned-exe
+        uses: actions/upload-artifact@v4
+        with:
+          name: inkstitch-windows64-exe
+          path: |
+            dist/inkstitch/bin/inkstitch.exe
+      - name: Sign-exe
+        id: Sign-exe
+        uses: signpath/github-action-submit-signing-request@v1.1
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '6b880880-2af8-4cf3-a8e7-1b4977c593df'
+          project-slug: 'inkstitch'
+          signing-policy-slug: 'test-signing'
+          github-artifact-id: '${{ steps.upload-unsigned-exe.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'signed-artifacts'
+      - name: Copy signed exe to dist
+        shell: bash
+        run: |
+            mv  -f signed-artifacts/inkstitch.exe dist/inkstitch/bin/inkstitch.exe
       - shell: bash
         run: |
           bash bin/build-windows-installer
         env:
           BUILD: windows
+      - name: upload-unsigned-installer
+        id: upload-unsigned-installer
+        uses: actions/upload-artifact@v4
+        with:
+          name: inkstitch-windows64-installer
+          path: artifacts
+      - name: Sign-installer
+        id: Sign-installer
+        uses: signpath/github-action-submit-signing-request@v1.1
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '6b880880-2af8-4cf3-a8e7-1b4977c593df'
+          project-slug: 'inkstitch'
+          # set to test signing temporarily
+          signing-policy-slug: 'test-signing'
+          artifact-configuration-slug: 'windows-installer-config'
+          github-artifact-id: '${{ steps.upload-unsigned-installer.outputs.artifact-id }}'
+          wait-for-completion: true
+          output-artifact-directory: 'signed-artifacts'
       - uses: actions/upload-artifact@v4
         with:
           name: inkstitch-windows64
-          path: artifacts
+          path: signed-artifacts
   macx86:
     runs-on: macos-13
     steps:
@@ -568,13 +609,13 @@ jobs:
         uses: actions/download-artifact@v4
         with:
           name: 'inkstitch-windows32'
-          path: 'artifacts/'
+          path: 'signed-artifacts/'
         if: always()
       - name: download windows64
         uses: actions/download-artifact@v4
         with:
           name: 'inkstitch-windows64'
-          path: 'artifacts/'
+          path: 'signed-artifacts/'
         if: always()
       - name: download macx86
         uses: actions/download-artifact@v4
@@ -604,3 +645,5 @@ jobs:
             artifacts/*.tar.xz
             artifacts/*.sh
             artifacts/*.zip
+            signed-artifacts/*.exe
+            signed-artifacts/*.zip

bin/windows-binaries-signing

@@ -0,0 +1,39 @@
+set -e
+# check for release
+if [[ "${GITHUB_REF}" =~ ^refs/tags/v[0-9.]+$ ]]; then
+    SIGNING_POLICY="release-signing"
+else
+    SIGNING_POLICY="test-signing"
+fi
+# upload artifact of inkstitch.exe
+upload_exe=$(curl -H "Authorization: Bearer $secrets.SIGNPATH_API_TOKEN" \
+     -F "ProjectSlug=inkstitch" \
+     -F "SigningPolicySlug=$SIGNING_POLICY" \
+     -F "Artifact=@dist/inkstitch/bin/inkstitch.exe" \
+     https://app.signpath.io/API/v1/6b880880-2af8-4cf3-a8e7-1b4977c593df/SigningRequests | jq -r '.SigningRequestId')
+# create directory for zip and installer build
+mkdir signed-artifact
+
+# download of signed inkstitch.exe 
+curl -H "Authorization: Bearer $secrets.SIGNPATH_API_TOKEN" \
+    -o signed-artifacts \
+    https://app.signpath.io/API/v1/6b880880-2af8-4cf3-a8e7-1b4977c593df/SigningRequests/$upload_exe/SignedArtifact
+
+# move signed inkstitch.exe to dist for installer
+mv  -f signed-artifacts/inkstitch.exe dist/inkstitch/bin/inkstitch.exe
+
+# build the institch installer
+bash bin/build-windows-installer
+
+# upload artifact of inkstitch installer
+upload_installer=$(curl -H "Authorization: Bearer $secrets.SIGNPATH_API_TOKEN" \
+     -F "ProjectSlug=inkstitch" \
+     -F "SigningPolicySlug=$SIGNING_POLICY" \
+     -F "ArtifactConfigurationSlug=windows-installer-config" \
+     -F "Artifact=@artifacts" \
+     https://app.signpath.io/API/v1/6b880880-2af8-4cf3-a8e7-1b4977c593df/SigningRequests | jq -r '.SigningRequestId')
+
+# download of signed inkstitch installer 
+curl -H "Authorization: Bearer $secrets.SIGNPATH_API_TOKEN" \
+    -o signed-artifacts \
+    https://app.signpath.io/API/v1/6b880880-2af8-4cf3-a8e7-1b4977c593df/SigningRequests/$upload_installer/SignedArtifact