Enable MSI signing via SignPath Foundation

.github/actions/generate-release-notes/action.yml

@@ -133,5 +133,13 @@ runs:
         [ -n "$NEW_CONTRIBUTORS" ] && echo "$NEW_CONTRIBUTORS" >> "$RELEASE_NOTES_FILE" && echo "" >> "$RELEASE_NOTES_FILE"
         [ -n "$FULL_CHANGELOG" ] && echo "$FULL_CHANGELOG" >> "$RELEASE_NOTES_FILE"
 
+        # Code signing policy note
+        {
+          echo ""
+          echo "---"
+          echo ""
+          echo "> Windows installers are signed. Free code signing provided by [SignPath.io](https://signpath.io), certificate by [SignPath Foundation](https://signpath.org). See our [Code Signing Policy](https://github.com/$REPO#code-signing-policy)."
+        } >> "$RELEASE_NOTES_FILE"
+
         echo "release_notes_file=$RELEASE_NOTES_FILE" >> $GITHUB_OUTPUT
         cat "$RELEASE_NOTES_FILE"

.github/workflows/cpp_server_build_test_release.yml

@@ -8,9 +8,16 @@ on:
   pull_request:
   merge_group:
   workflow_dispatch:
+    inputs:
+      enable_signing:
+        description: 'Enable MSI signing with SignPath (for testing)'
+        required: false
+        default: false
+        type: boolean
 
 permissions:
   contents: write
+  actions: read  # Required for SignPath to read workflow/job details
 
 jobs:
   # ========================================================================
@@ -20,6 +27,8 @@ jobs:
   build-lemonade-server-installer:
     name: Build Lemonade Server Installer
     runs-on: windows-latest
+    outputs:
+      unsigned-artifact-id: ${{ steps.upload-unsigned-msi.outputs.artifact-id }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -256,6 +265,7 @@ jobs:
           Write-Host "Installers created successfully!" -ForegroundColor Green
 
       - name: Upload Lemonade Server Installers
+        id: upload-unsigned-msi
         uses: actions/upload-artifact@v4
         with:
           name: Lemonade_Server_MSI
@@ -264,6 +274,55 @@ jobs:
             lemonade.msi
           retention-days: 7
 
+  sign-msi-installers:
+    name: Sign MSI Installers with SignPath
+    runs-on: windows-latest
+    needs: build-lemonade-server-installer
+    # Sign on tag pushes (releases) or when manually enabled via workflow_dispatch
+    if: startsWith(github.ref, 'refs/tags/v') || inputs.enable_signing == true
+    steps:
+      - name: Sign MSI Installers with SignPath
+        id: sign-msi
+        uses: signpath/github-action-submit-signing-request@v2
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '8103545b-7814-4edc-86d6-a91dc2a2291b'
+          project-slug: 'lemonade'
+          signing-policy-slug: 'release-signing'
+          github-artifact-id: '${{ needs.build-lemonade-server-installer.outputs.unsigned-artifact-id }}'
+          wait-for-completion: true
+          wait-for-completion-timeout-in-seconds: 3600
+          output-artifact-directory: 'signed-msi'
+          parameters: |
+            version: "${{ startsWith(github.ref, 'refs/tags/') && github.ref_name || 'test' }}"
+
+      - name: Verify Signed MSI Files
+        shell: PowerShell
+        run: |
+          Write-Host "Verifying signed MSI files..." -ForegroundColor Cyan
+
+          if (-not (Test-Path "signed-msi\lemonade-server-minimal.msi")) {
+              Write-Host "ERROR: Signed lemonade-server-minimal.msi not found!" -ForegroundColor Red
+              exit 1
+          }
+
+          if (-not (Test-Path "signed-msi\lemonade.msi")) {
+              Write-Host "ERROR: Signed lemonade.msi not found!" -ForegroundColor Red
+              exit 1
+          }
+
+          Write-Host "Signed MSI files verified!" -ForegroundColor Green
+          Get-ChildItem -Path "signed-msi" -Recurse | Format-Table Name, Length
+
+      - name: Upload Signed MSI Installers
+        uses: actions/upload-artifact@v4
+        with:
+          name: Lemonade_Server_MSI_Signed
+          path: |
+            signed-msi/lemonade-server-minimal.msi
+            signed-msi/lemonade.msi
+          retention-days: 7
+
   build-lemonade-server-deb:
     name: Build Lemonade Server .deb Package
     runs-on: ubuntu-latest
@@ -326,6 +385,8 @@ jobs:
     name: Test .exe - ${{ matrix.name }}
     runs-on: ${{ matrix.runner }}
     needs: build-lemonade-server-installer
+    # Skip inference tests when signing is enabled (tag pushes or manual workflow_dispatch)
+    if: ${{ !startsWith(github.ref, 'refs/tags/') && inputs.enable_signing != true }}
     strategy:
       fail-fast: false
       matrix:
@@ -460,6 +521,8 @@ jobs:
     name: Test .deb - ${{ matrix.name }}
     runs-on: ${{ matrix.runner }}
     needs: build-lemonade-server-deb
+    # Skip inference tests when signing is enabled (tag pushes or manual workflow_dispatch)
+    if: ${{ !startsWith(github.ref, 'refs/tags/') && inputs.enable_signing != true }}
     strategy:
       fail-fast: false
       matrix:
@@ -684,11 +747,9 @@ jobs:
     name: Create GitHub Release
     runs-on: ubuntu-latest
     needs:
-      - build-lemonade-server-installer
+      - sign-msi-installers
       - build-lemonade-server-deb
       - build-lemonade-deb-full
-      - test-exe-inference
-      - test-deb-inference
       - test-cli-endpoints
     if: startsWith(github.ref, 'refs/tags/v')
     env:
@@ -699,10 +760,10 @@ jobs:
         with:
           sparse-checkout: .github
 
-      - name: Download Lemonade Server Installer (Windows)
+      - name: Download Signed Lemonade Server Installer (Windows)
         uses: actions/download-artifact@v4
         with:
-          name: Lemonade_Server_MSI
+          name: Lemonade_Server_MSI_Signed
           path: .
 
       - name: Download Lemonade Server .deb Package (Linux - Minimal)
@@ -743,4 +804,4 @@ jobs:
             lemonade.msi
             lemonade-server-minimal_${{ env.LEMONADE_VERSION }}_amd64.deb
             lemonade_${{ env.LEMONADE_VERSION }}_amd64.deb
-          fail_on_unmatched_files: true
+          fail_on_unmatched_files: true

README.md

@@ -215,6 +215,15 @@ New contributors can find beginner-friendly issues tagged with "Good First Issue
 
 This is a community project maintained by @amd-pworfolk @bitgamma @danielholanda @jeremyfowers @Geramy @ramkrishna2910 @siavashhub @sofiageo @vgodsoe, and sponsored by AMD. You can reach us by filing an [issue](https://github.com/lemonade-sdk/lemonade/issues), emailing [lemonade@amd.com](mailto:lemonade@amd.com), or joining our [Discord](https://discord.gg/5xXzkMu8Zk).
 
+## Code Signing Policy
+
+Free code signing provided by [SignPath.io](https://signpath.io), certificate by [SignPath Foundation](https://signpath.org).
+
+- **Committers and reviewers**: [Maintainers](#maintainers) of this repo
+- **Approvers**: [Owners](https://github.com/orgs/lemonade-sdk/people?query=role%3Aowner)
+
+**Privacy policy**: This program will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it. When the user requests it, Lemonade downloads AI models from [Hugging Face Hub](https://huggingface.co/) (see their [privacy policy](https://huggingface.co/privacy)).
+
 ## License and Attribution
 
 This project is: