Add a signing step after the build that authenticates the Entra service principal (client_credentials), fetches a Trusted Signing access token, and signs xetup.exe with jsign using the X9.cz s.r.o. certificate profile plus an RFC3161 timestamp (timestamp.acs.microsoft.com). jsign is pinned by version and sha256. Trusted Signing certs are short-lived (~3 days); the timestamp keeps the signature valid past expiry, so timestamping must succeed and the step fails hard otherwise. Only AZURE_CLIENT_SECRET needs to be set as a Forgejo Actions secret; the non-secret identifiers are inlined in the workflow. gitignore the local manual-signing helpers (sign*.sh) and the *.unsigned build backup.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
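The signing step the commit message describes, written out as a stand-alone shell script. This is an added example, not the project's release.yml or its sign*.sh helpers: the tenant and client IDs, the Trusted Signing endpoint, account and profile names, the jsign version and its SHA-256 pin are all placeholders (the real values are inlined in the project's workflow and not reproduced here), and the script assumes curl, jq, java and sha256sum are on the runner. The jsign flags follow jsign's Trusted Signing support (`--storetype TRUSTEDSIGNING`, `--alias account/profile`); check them against the docs of whichever jsign version is pinned.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow): post-build Authenticode signing with
# Azure Trusted Signing via jsign, with a mandatory RFC3161 timestamp.
set -eu

# Non-secret identifiers, inlined as in the commit message. ASSUMED placeholder values.
AZURE_TENANT_ID="${AZURE_TENANT_ID:-00000000-0000-0000-0000-000000000000}"
AZURE_CLIENT_ID="${AZURE_CLIENT_ID:-00000000-0000-0000-0000-000000000000}"
TS_ENDPOINT="${TS_ENDPOINT:-weu.codesigning.azure.net}"  # assumed region endpoint
TS_ACCOUNT="${TS_ACCOUNT:-example-account}"               # assumed Trusted Signing account
TS_PROFILE="${TS_PROFILE:-example-profile}"               # assumed certificate profile
TSA_URL="http://timestamp.acs.microsoft.com"               # RFC3161 TSA from the commit message
JSIGN_VERSION="${JSIGN_VERSION:-6.0}"                     # assumed pinned version
JSIGN_SHA256="${JSIGN_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"  # placeholder pin
JSIGN_URL="https://github.com/ebourg/jsign/releases/download/${JSIGN_VERSION}/jsign-${JSIGN_VERSION}.jar"

# Compare a file's SHA-256 with a pinned digest; non-zero exit status on mismatch.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256sum "$file" | awk '{print $1}')"
  [ "$actual" = "$expected" ]
}

# Download jsign and refuse to run it unless it matches the pinned hash.
fetch_jsign() {
  curl -fsSL -o jsign.jar "$JSIGN_URL"
  verify_sha256 jsign.jar "$JSIGN_SHA256" || { echo "jsign.jar hash mismatch" >&2; return 1; }
}

# client_credentials grant: only the client secret comes from the CI secret store.
# The trailing 'grep .' makes the function fail when curl or jq yields no token.
fetch_token() {
  : "${AZURE_CLIENT_SECRET:?AZURE_CLIENT_SECRET must be set as a CI secret}"
  curl -fsS -X POST "https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=${AZURE_CLIENT_ID}" \
    --data-urlencode "client_secret=${AZURE_CLIENT_SECRET}" \
    --data-urlencode "scope=https://codesigning.azure.net/.default" \
    | jq -r '.access_token // empty' | grep .
}

# jsign argument list, one per line, so the invocation can be inspected without running it.
jsign_args() {
  local exe="$1" token="$2"
  printf '%s\n' --storetype TRUSTEDSIGNING --keystore "$TS_ENDPOINT" --storepass "$token" \
    --alias "${TS_ACCOUNT}/${TS_PROFILE}" --tsaurl "$TSA_URL" --tsmode RFC3161 --replace "$exe"
}

# Sign in place, keeping an *.unsigned backup. If jsign exits non-zero (including when the
# TSA request fails), the unsigned file is restored and the step fails hard, so an
# untimestamped signature never ships. Paths must not contain whitespace.
sign_exe() {
  local exe="$1" token="$2"
  cp "$exe" "${exe}.unsigned"
  # shellcheck disable=SC2046
  if ! java -jar jsign.jar $(jsign_args "$exe" "$token"); then
    cp "${exe}.unsigned" "$exe"
    echo "signing or timestamping failed for $exe" >&2
    return 1
  fi
}

main() {
  local exe="$1" token
  fetch_jsign
  token="$(fetch_token)"
  sign_exe "$exe" "$token"
}

# Usage: ./sign.sh dist/xetup.exe   (with no arguments the script only defines functions)
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The hash pin and the restore-on-failure branch are the two controls worth keeping in any CI port: the first stops a tampered jsign download from ever running with a signing token, the second guarantees that a TSA outage produces a red build rather than an artifact whose signature silently expires with the three-day certificate.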