From e80fcc48c45f04c570c9d29ffe61d6639a08547c Mon Sep 17 00:00:00 2001
From: lovasoa
Date: Tue, 12 Aug 2025 10:12:51 +0200
Subject: [PATCH 1/2] Sign windows build with signpath.io Thanks to signpath.io for providing us with a free windows signing certificate !
- Added permissions for actions read access.
- Implemented unsigned artifact upload for Windows.
- Integrated SignPath for signing requests and added signed artifact upload.
- Updated non-Windows artifact upload process.
---
 .github/workflows/release.yml | 35 ++++++++++++++++++++++++++++++++++-
 CHANGELOG.md | 4 ++++
 2 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 29be7ff7..1250d44f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ name: Create Release
 permissions:
 contents: write
+ actions: read
 jobs:
 build-macos-windows:
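Review bot: The `permissions:` block sits above `jobs:`, so `contents: write` and the newly added `actions: read` are granted to every job in the workflow, including the build job that this commit extends with a third-party signing action. The commit message ties `actions: read` to the SignPath integration, so presumably only the Windows signing step needs it. Consider declaring permissions per job, for example `permissions: { contents: read, actions: read }` on `build-macos-windows`, and keeping `contents: write` only on the job that publishes the release. That job is outside the hunk, so confirm which jobs really need write access before narrowing.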
@@ -35,7 +36,39 @@ jobs:
 uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6
 - name: Build
 run: cargo build --profile superoptimized --locked --target ${{ matrix.target }}
- - uses: actions/upload-artifact@v4
+ - name: Upload unsigned Windows artifact
+ if: matrix.os == 'windows-latest'
+ id: upload_unsigned
+ uses: actions/upload-artifact@v4
+ with:
+ name: unsigned-windows
+ path: target/${{ matrix.target }}/superoptimized/sqlpage.exe
+ if-no-files-found: error
+
+ - name: Submit signing request to SignPath
+ if: matrix.os == 'windows-latest'
+ id: signpath
+ uses: signpath/github-action-submit-signing-request@v1.1
+ with:
+ api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+ organization-id: '45fd8443-c7ca-4d29-a68b-608948185335'
+ project-slug: 'sqlpage'
+ signing-policy-slug: 'test-signing'
+ github-artifact-id: ${{ steps.upload_unsigned.outputs.artifact-id }}
+ wait-for-completion: true
+ output-artifact-directory: './signed-windows'
+
+ - name: Upload signed Windows artifact
+ if: matrix.os == 'windows-latest'
+ uses: actions/upload-artifact@v4
+ with:
+ name: sqlpage windows-latest
+ path: signed-windows/sqlpage.exe
+ if-no-files-found: error
+
+ - name: Upload artifact (non-Windows)
+ if: matrix.os != 'windows-latest'
+ uses: actions/upload-artifact@v4
 with:
 name: sqlpage ${{ matrix.os }}
 path: target/${{ matrix.target }}/superoptimized/sqlpage${{ matrix.binary_extension }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f01aa27e..21b028f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
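Review bot: `signpath/github-action-submit-signing-request@v1.1` is referenced by a mutable tag in the one step that receives `secrets.SIGNPATH_API_TOKEN`, while `Swatinem/rust-cache` a few lines above is pinned to a full commit SHA. If that tag were ever moved, the replaced action code would run with the signing token, so pin it the same way: `uses: signpath/github-action-submit-signing-request@<full-commit-sha> # v1.1`. Separately, the `unsigned-windows` artifact stays attached to the run next to `sqlpage windows-latest`. If the publishing job downloads every artifact, it should skip that one so the unsigned exe is not shipped. That job is outside the hunk, as is the rest of the steps list, so this needs checking there.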
@@ -1,5 +1,9 @@
 # CHANGELOG.md
+## unreleased
+ - We now cryptographically sign the Windows app during releases, which proves the file hasn’t been tampered with. Once the production certificate is active, Windows will show a "verified publisher" and should stop showing screens saying "This app might harm your device", "Windows protected your PC" or "Are you sure you want to run this application ?".
+ - Thanks to https://signpath.io for providing us with a windows signing certificate !
+
 ## v0.36.1
 - Fix regression introduced in v0.36.0: PostgreSQL money values showed as 0.0
 - The recommended way to display money values in postgres is still to format them in the way you expect in SQL. See https://github.com/sqlpage/SQLPage/issues/983
From e6ff9e27a9205640afcbf3479c051b04b9ff4582 Mon Sep 17 00:00:00 2001
From: lovasoa
Date: Mon, 1 Sep 2025 15:03:26 +0200
Subject: [PATCH 2/2] release signing + link to signpath from README
---
 .github/workflows/release.yml | 2 +-
 README.md | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1250d44f..de671e73 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -53,7 +53,7 @@ jobs:
 api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
 organization-id: '45fd8443-c7ca-4d29-a68b-608948185335'
 project-slug: 'sqlpage'
- signing-policy-slug: 'test-signing'
+ signing-policy-slug: 'release-signing'
 github-artifact-id: ${{ steps.upload_unsigned.outputs.artifact-id }}
 wait-for-completion: true
 output-artifact-directory: './signed-windows'
diff --git a/README.md b/README.md
index eaf62d14..051ca3f4 100644
--- a/README.md
+++ b/README.md
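Review bot: With `signing-policy-slug: 'release-signing'` hard-coded in the release.yml hunk, every run of this workflow requests a production signature, whichever ref triggered it. The `on:` block is outside the hunk. If the workflow also runs for branches or pull requests, consider choosing the policy from the ref, e.g. `signing-policy-slug: ${{ startsWith(github.ref, 'refs/tags/') && 'release-signing' || 'test-signing' }}`, so only tagged releases use the production certificate. A one-line comment above the step, such as `# release-signing: production certificate, tagged releases only`, would record that intent for the next maintainer.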
@@ -322,3 +322,10 @@ We welcome contributions! SQLPage is built with Rust and uses vanilla javascript for its frontend parts. Check out our [Contributing Guide](./CONTRIBUTING.md) for detailed instructions on development setup, testing, and pull request process. + +# Code signing policy + +Our windows binaries are digitally signed, so they should be recognized as safe by Windows. +Free code signing provided by [SignPath.io](https://about.signpath.io/), certificate by [SignPath Foundation](https://signpath.org/). [Contributors](https://github.com/sqlpage/SQLPage/graphs/contributors), [Owners](https://github.com/orgs/sqlpage/people?query=role%3Aowner). + +This program will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it \ No newline at end of file