Hello,
First of all, thank you for the awesome tool.
I recently discovered that SignPath Foundation offers free code signing for open source projects like mine, ExplorerTabUtility. You might want to check it out and see if it fits your needs.
Although it might look complicated at first, the implementation is quite straightforward. Here’s a clear step-by-step guide to help you get started.
Step 1: Review Terms and Apply
Before anything, carefully review their terms to ensure they work for your project.
You need to fill out their application form and send it via email. Once accepted, you can proceed to the next steps.
Step 2: Create an Artifact Configuration
An Artifact Configuration specifies the type of files you want to sign.
In my case, I publish 6 versions as portable .zip files and one installer .exe file.
My GitHub workflow builds all 6 versions, zips each one, and then bundles all of them together in a single zip file.
The structure looks like this:
Zip > 6 .zip files > artifact files (.dll, .exe, etc.)
Artifact Configuration for signing inner ZIP files
<?xml version="1.0" encoding="utf-8"?>
<artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
  <zip-file>
    <!-- This is the outer ZIP containing all artifact ZIPs -->
    <zip-file-set>
      <include path="**/*.zip" max-matches="unbounded" />
      <for-each>
        <!-- Find and sign ExplorerTabUtility EXEs and DLLs in each inner ZIP -->
        <pe-file-set>
          <include path="**/*ExplorerTabUtility.exe" max-matches="unbounded" />
          <include path="**/*ExplorerTabUtility.dll" min-matches="0" max-matches="unbounded" />
          <for-each>
            <authenticode-sign />
          </for-each>
        </pe-file-set>
      </for-each>
    </zip-file-set>
  </zip-file>
</artifact-configuration>

Step 3: Sign the Installer
After signing the individual files inside the ZIPs, I then build the installer, which contains all of the .zip files. Since GitHub sends files as .zip even if it was only one file, I had to use a different configuration for signing the installer.
Artifact Configuration for signing the installer
<?xml version="1.0" encoding="utf-8"?>
<artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
  <zip-file>
    <!-- Recursively search application files anywhere in the structure -->
    <pe-file-set>
      <include path="**/*ExplorerTabUtility_*_Setup.exe" min-matches="0" max-matches="unbounded" />
      <for-each>
        <authenticode-sign />
      </for-each>
    </pe-file-set>
  </zip-file>
</artifact-configuration>

I hope this guide helps you get started with free code signing using SignPath Foundation. If you have any questions or need further assistance, feel free to ask!
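
A pre-flight check for the nested layout described in Step 2, added here as an example and not part of the original post or of SignPath's tooling: it walks the outer ZIP and each inner ZIP, applies the two `<include>` patterns from the first configuration, and reports inner ZIPs that would not satisfy them. It assumes that an `<include>` without `min-matches` requires at least one match and approximates `**/` as "any directory depth"; the function names and sample archives are constructed for illustration.

```python
import fnmatch
import io
import zipfile

# Patterns copied from the inner-ZIP configuration: (glob, min-matches).
# Assumption: an <include> without min-matches needs at least one match.
INCLUDES = [("**/*ExplorerTabUtility.exe", 1), ("**/*ExplorerTabUtility.dll", 0)]


def matches(path, pattern):
    """Approximate a leading '**/' as 'any directory depth, including none'."""
    if pattern.startswith("**/"):
        return fnmatch.fnmatchcase(path.rsplit("/", 1)[-1], pattern[3:])
    return fnmatch.fnmatchcase(path, pattern)


def preflight(outer_bytes):
    """Return a list of problems; an empty list means the layout fits."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(outer_bytes)) as outer:
        inner_names = [n for n in outer.namelist() if matches(n, "**/*.zip")]
        if not inner_names:
            problems.append("outer ZIP contains no inner .zip files")
        for inner_name in inner_names:
            with zipfile.ZipFile(io.BytesIO(outer.read(inner_name))) as inner:
                files = [n for n in inner.namelist() if not n.endswith("/")]
                for pattern, min_matches in INCLUDES:
                    hits = [n for n in files if matches(n, pattern)]
                    if len(hits) < min_matches:
                        problems.append(f"{inner_name}: no match for {pattern}")
                    for hit in hits:
                        # PE files begin with the DOS header magic 'MZ'.
                        if inner.read(hit)[:2] != b"MZ":
                            problems.append(f"{inner_name}/{hit}: not a PE file")
    return problems


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_zip({"ExplorerTabUtility.exe": b"MZ\x90\x00"})
    bad = build_zip({"README.txt": b"only docs"})
    print(preflight(build_zip({"x64.zip": good, "arm64.zip": bad})))
```

Running this in the workflow before the signing request is submitted catches a build that silently dropped the executable from one of the inner ZIPs.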