Commit c71fd6e

Drop release code-signing; publish unsigned releases
1 parent 8423acf commit c71fd6e

3 files changed

Lines changed: 5 additions & 46 deletions

.github/workflows/build.yml

Lines changed: 1 addition & 40 deletions
@@ -744,45 +744,6 @@ jobs:
744744
name: please-tweak-windows-exe
745745
path: ./artifacts
746746

747-
- name: Sign release EXE (Authenticode)
748-
if: steps.version.outputs.release == 'true'
749-
run: |
750-
if ([string]::IsNullOrWhiteSpace($env:CODE_SIGN_PFX_BASE64) -or
751-
[string]::IsNullOrWhiteSpace($env:CODE_SIGN_PASSWORD)) {
752-
Write-Error "The protected release environment must provide CODE_SIGN_PFX_BASE64 and CODE_SIGN_PASSWORD."
753-
exit 1
754-
}
755-
756-
$pfx = Join-Path $env:RUNNER_TEMP 'ptw-codesign.pfx'
757-
try {
758-
[IO.File]::WriteAllBytes($pfx, [Convert]::FromBase64String($env:CODE_SIGN_PFX_BASE64))
759-
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin" -Recurse -Filter signtool.exe |
760-
Where-Object { $_.FullName -match '\\x64\\' } | Select-Object -Last 1
761-
if (-not $signtool) { throw "signtool.exe not found on the runner" }
762-
763-
& $signtool.FullName sign /f $pfx /p $env:CODE_SIGN_PASSWORD /fd SHA256 `
764-
/tr http://timestamp.digicert.com /td SHA256 "./artifacts/PleaseTweakWindows.exe"
765-
if ($LASTEXITCODE -ne 0) { throw "signtool failed (exit $LASTEXITCODE)" }
766-
}
767-
finally {
768-
Remove-Item $pfx -Force -ErrorAction SilentlyContinue
769-
}
770-
env:
771-
CODE_SIGN_PFX_BASE64: ${{ secrets.CODE_SIGN_PFX_BASE64 }}
772-
CODE_SIGN_PASSWORD: ${{ secrets.CODE_SIGN_PASSWORD }}
773-
shell: pwsh
774-
775-
- name: Verify release signature
776-
if: steps.version.outputs.release == 'true'
777-
run: |
778-
$signature = Get-AuthenticodeSignature "./artifacts/PleaseTweakWindows.exe"
779-
if ($signature.Status -ne 'Valid') {
780-
Write-Error "Release EXE is not validly Authenticode-signed: $($signature.StatusMessage)"
781-
exit 1
782-
}
783-
Write-Host "[+] Valid release signature: $($signature.SignerCertificate.Subject)"
784-
shell: pwsh
785-
786747
- name: Create distribution package
787748
if: steps.version.outputs.release == 'true'
788749
run: |
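Review bot: With both the `Sign release EXE (Authenticode)` step and the `Verify release signature` step gone, the release job has no remaining gate that ties `./artifacts/PleaseTweakWindows.exe` to the publisher, and the removed steps were the only consumers shown here of `secrets.CODE_SIGN_PFX_BASE64` and `secrets.CODE_SIGN_PASSWORD`. Delete those two secrets from the release environment as part of this change, and retire the certificate if nothing else uses it, so an unused signing key is not left available to workflow runs. If release authenticity still matters, consider replacing the removed gate with a detached signature or a build provenance attestation over the published archive rather than relying on a checksum alone.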
@@ -833,7 +794,7 @@ jobs:
833794
- name: Generate SHA256SUMS
834795
if: steps.version.outputs.release == 'true'
835796
run: |
836-
# Publish an archive checksum in addition to the EXE's Authenticode signature.
797+
# Publish an archive checksum so downloads can be verified.
837798
$h = (Get-FileHash -Algorithm SHA256 -Path "PleaseTweakWindows.zip").Hash
838799
"$h PleaseTweakWindows.zip" | Out-File -Encoding ascii -FilePath "SHA256SUMS.txt"
839800
Get-Content "SHA256SUMS.txt"
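Review bot: The new comment in the `Generate SHA256SUMS` step, "so downloads can be verified", promises more than the step delivers once the signature is gone. The hash is computed in the same job that produces `PleaseTweakWindows.zip` and is published with the same release, so it detects a corrupted or truncated download but not an archive and checksum file that were replaced together. Suggest wording the comment to say so, for example "Publish an archive checksum (integrity only; releases are unsigned)", and noting that only the zip is hashed, not the EXE inside it.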

CONTRIBUTING.md

Lines changed: 1 addition & 2 deletions
@@ -28,8 +28,7 @@ dotnet test PleaseTweakWindows.sln
2828

2929
Production releases are created only from an explicit `v<Version>` tag. The tag must match
3030
`<Version>` in `PleaseTweakWindows.csproj`; ordinary pushes to `main` build and test but never publish.
31-
Tagged releases also require `CODE_SIGN_PFX_BASE64` and `CODE_SIGN_PASSWORD` secrets in the
32-
protected `release` environment; the workflow refuses to publish an unsigned EXE.
31+
Release EXEs are not code-signed; downloads are verified against the published `SHA256SUMS.txt`.
3332

3433
## Project Structure
3534
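Review bot: The replacement at new line 31 drops the only statement in this section of what the workflow enforces at release time. The old text named a concrete gate ("the workflow refuses to publish an unsigned EXE") and the protected `release` environment; the new sentence is passive and does not say who performs the verification, whether tagged releases still run in that environment, or that the two `CODE_SIGN_*` secrets are no longer needed. Suggest stating what a maintainer must do for a release now, for example that `SHA256SUMS.txt` is generated by the workflow and that no signing secrets are required.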

README.md

Lines changed: 3 additions & 4 deletions
@@ -16,9 +16,8 @@ This tool modifies Windows registry settings, services, and system configuration
1616

1717
## Verifying your download
1818

19-
Releases through v2.1.2 were not Authenticode-signed. Starting with v2.1.3, the release workflow
20-
refuses to publish a tag unless the EXE has a valid Authenticode signature. Development artifacts
21-
may remain unsigned. Always verify the archive against the checksum from the same release:
19+
Releases are not code-signed, so Windows SmartScreen may warn the first time you run the EXE — that
20+
is expected. Verify the archive against the checksum published with the same release:
2221

2322
```powershell
2423
# Compare against SHA256SUMS.txt from the same release
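Review bot: "Windows SmartScreen may warn ... that is expected" on new lines 19-20 tells readers to treat the warning as normal before the checksum step is mentioned, which encourages clicking through for any file carrying this name. Suggest reversing the order so the text says to verify the archive against `SHA256SUMS.txt` first and only then to expect the SmartScreen prompt for the verified EXE. The removed version history ("Releases through v2.1.2 were not Authenticode-signed. Starting with v2.1.3 ...") also goes away without a replacement; if any signed release was published, state from which version releases are unsigned so users can tell an expected missing signature from an unexpected one.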
@@ -117,7 +116,7 @@ Build.bat
117116
`Build.bat` runs `dotnet test``dotnet publish -c Release -r win-x64 --self-contained -p:PublishSingleFile=true` → packages the EXE, project notices, and dependency licenses under `dist\PleaseTweakWindows\` → zips it. Scripts are embedded inside the EXE; no loose `scripts\` folder ships with the release.
118117

119118
This local package is unsigned. Production releases are created by the tagged GitHub Actions
120-
workflow, which requires and verifies the project code-signing certificate.
119+
workflow and are also unsigned; verify them against the published `SHA256SUMS.txt`.
121120

122121
## Logging & Privacy
123122
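Review bot: New line 119 restates the verification instruction that already lives under "Verifying your download", which is why the signing claims needed edits in three files in this commit. Suggest linking to that section instead of repeating "verify them against the published `SHA256SUMS.txt`", so the guidance has a single place to change.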
