@@ -202,11 +202,68 @@ jobs:
202202 /p:Configuration=Release `
203203 /p:Platform=x64
204204
205+ # -------------------------------------------------
206+ # Stage Windows PE files for signing
207+ # -------------------------------------------------
208+ - name : Stage Windows PE files for signing
209+ if : ${{ env.MODE != 'sanity' }}
210+ shell : pwsh
211+ run : |
212+ New-Item -ItemType Directory -Force to-sign | Out-Null
213+ # All signable DLLs are produced in dll/release, the shell EXEs in
214+ # lib/release (same paths package-windows collects from). Names are
215+ # unique across the variants, so a flat staging dir is collision-free.
216+ Copy-Item bin/vc17/dll/release/sqlite3mc*.dll to-sign/ -ErrorAction SilentlyContinue
217+ Copy-Item bin/vc17/lib/release/sqlite3mc_shell*.exe to-sign/ -ErrorAction SilentlyContinue
218+ Get-ChildItem to-sign
219+
220+ # -------------------------------------------------
221+ # Upload unsigned PE files
222+ # -------------------------------------------------
223+ - name : Upload unsigned PE files
224+ id : upload-unsigned-pe
225+ if : ${{ env.MODE != 'sanity' }}
226+ uses : actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
227+ with :
228+ name : unsigned-windows-pe # must NOT start with sqlite3mc- (intermediate)
229+ path : to-sign
230+ if-no-files-found : error
231+
232+ # -------------------------------------------------
233+ # Submit signing request (SignPath)
234+ # -------------------------------------------------
235+ - name : Submit signing request (SignPath)
236+ if : ${{ env.MODE != 'sanity' }}
237+ uses : signpath/github-action-submit-signing-request@b9d91eadd323de506c0c81cf0c7fe7438f3360fd # v2.2
238+ with :
239+ api-token : ' ${{ secrets.SIGNPATH_API_TOKEN }}'
240+ organization-id : ' ${{ vars.SIGNPATH_ORGANIZATION_ID }}'
241+ project-slug : ' SQLite3MultipleCiphers'
242+ artifact-configuration-slug : ' windows-binaries'
243+ signing-policy-slug : ${{ env.MODE == 'release' && 'release-signing' || 'test-signing' }}
244+ github-artifact-id : ' ${{ steps.upload-unsigned-pe.outputs.artifact-id }}'
245+ wait-for-completion : true
246+ # release-signing typically requires manual approval -> wait longer
247+ wait-for-completion-timeout-in-seconds : 1800
248+ output-artifact-directory : ' signed'
249+
250+ # -------------------------------------------------
251+ # Restore signed PE files
252+ # -------------------------------------------------
253+ - name : Restore signed PE files
254+ if : ${{ env.MODE != 'sanity' }}
255+ shell : pwsh
256+ run : |
257+ # SignPath returns the same file names; put the signed DLLs/EXEs back
258+ # exactly where package-windows picks them up.
259+ Copy-Item signed/sqlite3mc*.dll bin/vc17/dll/release/ -Force
260+ Copy-Item signed/sqlite3mc_shell*.exe bin/vc17/lib/release/ -Force
261+
205262 # -------------------------------------------------
206263 # Upload Win32 and Win64 binaries
207264 # -------------------------------------------------
208265 - name : Upload build output
209- uses : actions/upload-artifact@v7
266+ uses : actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
210267 with :
211268 name : build-output
212269 path : |
@@ -402,18 +459,34 @@ jobs:
402459 sdkmanager "ndk;26.3.11579264"
403460
404461 # -------------------------------------------------
405- # Install Fossil
462+ # Download and verify Fossil
463+ # --------------
464+ # SHA3-256 checksum (retrieved from https://www3.fossil-scm.org/home/uvlist on 2026-06-08)
465+ # fossil-linux-x64-2.28.tar.gz cbd89e653e1b797802f2ee5bb55d6ad4959291ec6d6eb192c79ff62d9a224c33
406466 # -------------------------------------------------
407- - name : Install Fossil
467+ - name : Download and verify Fossil
408468 shell : bash
409469 run : |
410470 set -euo pipefail
411471
412472 FOSSIL_VERSION="2.28"
473+ FOSSIL_SHA3="cbd89e653e1b797802f2ee5bb55d6ad4959291ec6d6eb192c79ff62d9a224c33"
413474
414475 curl -fL --retry 3 --retry-delay 5 -o fossil.tar.gz \
415476 https://www.fossil-scm.org/home/uv/fossil-linux-x64-$FOSSIL_VERSION.tar.gz
416477
478+ python3 scripts/verify_sha3.py \
479+ fossil.tar.gz \
480+ "${FOSSIL_SHA3}"
481+
482+ # -------------------------------------------------
483+ # Install Fossil
484+ # -------------------------------------------------
485+ - name : Install Fossil
486+ shell : bash
487+ run : |
488+ set -euo pipefail
489+
417490 tar -xzf fossil.tar.gz
418491 sudo mv fossil /usr/local/bin/
419492 fossil version
@@ -778,18 +851,34 @@ jobs:
778851 python scripts/build_context.py
779852
780853 # -------------------------------------------------
781- # Install Fossil
854+ # Download and verify Fossil
855+ # --------------
856+ # SHA3-256 checksum (retrieved from https://www3.fossil-scm.org/home/uvlist on 2026-06-08)
857+ # fossil-linux-x64-2.28.tar.gz cbd89e653e1b797802f2ee5bb55d6ad4959291ec6d6eb192c79ff62d9a224c33
782858 # -------------------------------------------------
783- - name : Install Fossil
859+ - name : Download and verify Fossil
784860 shell : bash
785861 run : |
786862 set -euo pipefail
787863
788864 FOSSIL_VERSION="2.28"
865+ FOSSIL_SHA3="cbd89e653e1b797802f2ee5bb55d6ad4959291ec6d6eb192c79ff62d9a224c33"
789866
790867 curl -fL --retry 3 --retry-delay 5 -o fossil.tar.gz \
791868 https://www.fossil-scm.org/home/uv/fossil-linux-x64-$FOSSIL_VERSION.tar.gz
792869
870+ python3 scripts/verify_sha3.py \
871+ fossil.tar.gz \
872+ "${FOSSIL_SHA3}"
873+
874+ # -------------------------------------------------
875+ # Install Fossil
876+ # -------------------------------------------------
877+ - name : Install Fossil
878+ shell : bash
879+ run : |
880+ set -euo pipefail
881+
793882 tar -xzf fossil.tar.gz
794883 sudo mv fossil /usr/local/bin/
795884 fossil version
0 commit comments