Context
PR #731 implements the desktop installer per the desktop installer plan. Phase H wires the SignPath GitHub Action into .github/workflows/build-installers.yml and ships a .signpath/policies/gaia.policy declaring the project signing rules. The signing flow activates the moment the secrets are added — no further code changes required.
What needs to happen
-
Apply for SignPath OSS Foundation at https://signpath.io/solutions/open-source-community
- Application form points at
https://github.com/amd/gaia
- Reference the code signing admin guide for the configuration we expect
- Approval typically takes ~1 week
-
After approval, configure the SignPath dashboard:
- Project slug:
gaia-agent-ui
- Signing policy slug:
release-signing
- Artifact configuration slug:
gaia-installer
- Trusted build system: GitHub
- Repository:
amd/gaia
- Workflow:
.github/workflows/build-installers.yml
- Branch/tag pattern:
refs/tags/v*
- Approval mode: Automatic
-
Add GitHub Action secrets in the amd/gaia repo settings:
SIGNPATH_API_TOKEN — issued by SignPath after onboardingSIGNPATH_ORG_ID — your SignPath organization UUID
-
Test by pushing a release candidate tag (v0.17.2-rc.1). The workflow should sign the NSIS installer automatically and the resulting .exe should pass:
signtool verify /pa /v "GAIA Agent UI-0.17.2-rc.1-x64-Setup.exe"
Until this lands
Windows users see the SmartScreen "unrecognized publisher" warning the first time they run the installer. The installation troubleshooting guide documents the bypass step (More info → Run anyway).
This is the leading cause of install abandonment for unsigned consumer apps, so we should land signing before announcing v0.17.2 as the recommended install path.
Cost
Free for OSS via the SignPath Foundation tier.
See also
Context
PR #731 implements the desktop installer per the desktop installer plan. Phase H wires the SignPath GitHub Action into
.github/workflows/build-installers.ymland ships a.signpath/policies/gaia.policydeclaring the project signing rules. The signing flow activates the moment the secrets are added — no further code changes required.What needs to happen
Apply for SignPath OSS Foundation at https://signpath.io/solutions/open-source-community
https://github.com/amd/gaiaAfter approval, configure the SignPath dashboard:
gaia-agent-uirelease-signinggaia-installeramd/gaia.github/workflows/build-installers.ymlrefs/tags/v*Add GitHub Action secrets in the
amd/gaiarepo settings:SIGNPATH_API_TOKEN— issued by SignPath after onboardingSIGNPATH_ORG_ID— your SignPath organization UUIDTest by pushing a release candidate tag (
v0.17.2-rc.1). The workflow should sign the NSIS installer automatically and the resulting.exeshould pass:Until this lands
Windows users see the SmartScreen "unrecognized publisher" warning the first time they run the installer. The installation troubleshooting guide documents the bypass step (More info → Run anyway).
This is the leading cause of install abandonment for unsigned consumer apps, so we should land signing before announcing v0.17.2 as the recommended install path.
Cost
Free for OSS via the SignPath Foundation tier.
See also
docs/plans/desktop-installer.mdx§7 Phase Hdocs/deployment/code-signing.mdx