From 33b4aa5ba36e2ee24662c5fda71d840b4f325f26 Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 25 Jun 2026 00:23:58 +0200
Subject: [PATCH 1/6] Revert "Revert #4169 and fix ps1 files not signed"
This reverts commit 1879c6fa77cdbc12605715ba70c7e55983e2af5d.
---
 .github/workflows/win-exe.yml | 31 -------------------------------
 1 file changed, 31 deletions(-)
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 1c8af5ebf..bfe702ab3 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -234,17 +234,6 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
- - name: Sign DLLs with Actalis CodeSigner
- if: inputs.sign || github.event_name == 'release'
- uses: skymatic/workflows/.github/actions/win-sign-action@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # no specific version
- with:
- base-dir: 'appdir'
- file-extensions: 'dll,exe,ps1'
- recursive: true
- sign-description: 'Cryptomator'
- sign-url: 'https://cryptomator.org'
- username: ${{ secrets.WIN_CODESIGN_USERNAME }}
- password: ${{ secrets.WIN_CODESIGN_PW }}
 - name: Replace DLLs inside jars with signed ones
 shell: pwsh
 run: |
@@ -429,16 +418,6 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
- - name: Sign burn engine with Actalis CodeSigner
- if: inputs.sign || github.event_name == 'release'
- uses: skymatic/workflows/.github/actions/win-sign-action@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # no specific version
- with:
- base-dir: 'tmp'
- file-extensions: 'exe'
- sign-description: 'Cryptomator Bundle Installer'
- sign-url: 'https://cryptomator.org'
- username: ${{ secrets.WIN_CODESIGN_USERNAME }}
- password: ${{ secrets.WIN_CODESIGN_PW }}
 - name: Reattach signed burn engine to installer
 if: inputs.sign || github.event_name == 'schedule'
 shell: pwsh
@@ -456,16 +435,6 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
- - name: Sign installer with Actalis CodeSigner
- if: inputs.sign || github.event_name == 'release'
- uses: skymatic/workflows/.github/actions/win-sign-action@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # no specific version
- with:
- base-dir: 'installer'
- file-extensions: 'exe'
- sign-description: 'Cryptomator Bundle Installer'
- sign-url: 'https://cryptomator.org'
- username: ${{ secrets.WIN_CODESIGN_USERNAME }}
- password: ${{ secrets.WIN_CODESIGN_PW }}
 - id: sha256sum
 run: |
 read -ra CMD_OUTPUT < <(sha256sum installer/Cryptomator-*.exe)
From 1b5319f706ed89d179127aaf1cbfc14829a577f3 Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 25 Jun 2026 00:31:19 +0200
Subject: [PATCH 2/6] check ps1 scripts after signing
Signed-off-by: Armin Schrenk
---
 .github/workflows/win-exe.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index bfe702ab3..f0307811d 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -234,6 +234,13 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+ - name: Upload artifacts
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: ps1-${{ matrix.arch }}
+ path: |
+ appdir/Cryptomator/*.ps1
+ if-no-files-found: error
 - name: Replace DLLs inside jars with signed ones
 shell: pwsh
 run: |
From 9bb19b013053431efee9dcaf8ddb859036f22491 Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 25 Jun 2026 00:51:46 +0200
Subject: [PATCH 3/6] extra sign steps for ps1
Signed-off-by: Armin Schrenk
---
 .github/workflows/win-exe.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index f0307811d..296f83385 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -229,11 +229,23 @@ jobs:
 uses: ./.github/actions/win-sign-action
 with:
 base-dir: ${{ github.workspace }}\appdir
+ file-extensions: 'exe,dll'
 recursive: true
 append-signature: true
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+ - name: Sign Scripts with Azure Trusted Signing
+ if: inputs.sign || github.event_name == 'schedule'
+ uses: ./.github/actions/win-sign-action
+ with:
+ base-dir: ${{ github.workspace }}\appdir\Cryptomator
+ file-extensions: 'ps1'
+ recursive: false
+ append-signature: true
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
 - name: Upload artifacts
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
From 1fd44ff6515f6ad37bf1f6a796fc565c6ef9cc8f Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 25 Jun 2026 01:10:10 +0200
Subject: [PATCH 4/6] for scripts, do not append signature
Signed-off-by: Armin Schrenk
---
 .github/workflows/win-exe.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 296f83385..1207b96fc 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -242,7 +242,7 @@ jobs:
 base-dir: ${{ github.workspace }}\appdir\Cryptomator
 file-extensions: 'ps1'
 recursive: false
- append-signature: true
+ append-signature: false
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
From 409209fd894673fcdf8b3c620265080e46bdd6ee Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 25 Jun 2026 10:09:48 +0200
Subject: [PATCH 5/6] [skip ci] update changelog
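Review bot: The new "Sign Scripts with Azure Trusted Signing" step only covers `${{ github.workspace }}\appdir\Cryptomator` with `recursive: false`, whereas the Actalis step this series removes signed `dll,exe,ps1` recursively under `appdir`, so any `.ps1` that lands in a subdirectory now ships unsigned, and nothing in the hunk fails the job when the `ps1` glob matches no file at all — the same silent miss that the "ps1 files not signed" revert in patch 1 reacts to. Since `./.github/actions/win-sign-action` is defined outside this diff, confirm it errors on zero matches; otherwise mirror the DLL step with `base-dir: ${{ github.workspace }}\appdir` and `recursive: true`, or keep the narrow scope and add a post-sign assertion. The step also repeats `client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}`; if the composite action can be taught OIDC federated credentials, a standing signing secret could be removed from repository secrets entirely, which is worth more than the duplication itself. A one-line comment on why scripts need a separate step (they cannot share the DLL step's `append-signature` setting) would save the next reader a trip to the issue tracker.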
Signed-off-by: Armin Schrenk
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 512d9339b..948c64a26 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,7 @@ Changes to prior versions can be found on the [Github release page](https://gith
 * Refactored release pipeline to allow immutable releases ([#4205](https://github.com/cryptomator/cryptomator/pull/4205))
 * Updated to JDK 26.0.1 ([#4244](https://github.com/cryptomator/cryptomator/pull/4244))
 * Updated to JavaFX 25.0.3 ([#4255](https://github.com/cryptomator/cryptomator/pull/4255))
+* Drop signing with Actalis issued certificate ([#4169](https://github.com/cryptomator/cryptomator/pull/4169), [#4262](https://github.com/cryptomator/cryptomator/pull/4262))
 * Updated dependencies:
 - `org.cryptomator:webdav-nio-adapter` from 3.0.1 to 3.0.2
 - `org.cryptomator:integrations-api` from 1.8.0 to 1.9.0
From 38bdf6d0e476ced9fabfa59ac644f85eebff1f91 Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 25 Jun 2026 10:14:42 +0200
Subject: [PATCH 6/6] cleanup workflow
Signed-off-by: Armin Schrenk
---
 .github/workflows/win-exe.yml | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index 1207b96fc..fb069da99 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -242,17 +242,10 @@ jobs:
 base-dir: ${{ github.workspace }}\appdir\Cryptomator
 file-extensions: 'ps1'
 recursive: false
- append-signature: false
+ append-signature: false # Powershell scripts cannot be signed in append mode, see #4260
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 client-id: ${{ secrets.AZURE_CLIENT_ID }}
 client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
- - name: Upload artifacts
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- with:
- name: ps1-${{ matrix.arch }}
- path: |
- appdir/Cryptomator/*.ps1
- if-no-files-found: error
 - name: Replace DLLs inside jars with signed ones
 shell: pwsh
 run: |
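Review bot: After this hunk nothing in the job asserts that the `.ps1` files actually came out signed — the debugging `Upload artifacts` step is gone, and the signing step itself only surfaces an exit code, which is exactly how unsigned scripts shipped before this series. A verification step placed right after the script-signing step, gated on the same `if:`, can fail the job when any script lacks a valid Authenticode signature and is a durable replacement for a manually inspected artifact. `Get-AuthenticodeSignature` reports `Valid` only when the certificate chain is trusted on the runner; if the Azure Trusted Signing root is not present there, at minimum assert that `SignerCertificate` is non-null rather than dropping the check. The signing step this guards starts above the hunk, so the placement below is by step order only.

```yaml
# … unchanged: "Sign Scripts with Azure Trusted Signing" step …
- name: Verify script signatures
  if: inputs.sign || github.event_name == 'schedule'
  shell: pwsh
  run: |
    $bad = Get-ChildItem appdir/Cryptomator/*.ps1 | Get-AuthenticodeSignature | Where-Object { $_.Status -ne 'Valid' }
    if ($bad) { $bad | Format-Table Path, Status -AutoSize; exit 1 }
# … unchanged: "Replace DLLs inside jars with signed ones" step …
```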