GitHub Action

Add Authenticode code signing to your GitHub Actions workflow with qwickcert/sign-action. Works on any runner OS — Ubuntu, macOS, or Windows.

How it works

  1. The action installs the Qwick Cert CLI on the runner.
  2. The CLI computes the Authenticode digest (a 32-byte SHA-256 hash) of each file locally. This digest deliberately excludes the PE checksum field and the certificate table, so it stays the same after the signature is embedded.
  3. The hash is sent to the Qwick Cert API over HTTPS. No file contents leave the runner.
  4. The API signs the digest via Azure Trusted Signing and returns the PKCS#7 signature.
  5. The CLI embeds the signature into the original file on the runner.

No Azure credentials, no Windows SDK, no signing certificates on the runner.
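To make step 2 concrete, here is an added example (written for this page; it is not the Qwick Cert CLI's code) that computes the Authenticode digest of a PE file in Python, following the Windows Authenticode PE Signature Format: the CheckSum field, the Certificate Table data-directory entry and the attribute certificate table itself are left out of the hash, which is exactly why a signature returned for the digest can later be embedded into the file (step 5) without invalidating what was signed. The image it hashes is a minimal PE32+ constructed inline for the demo, and the names `authenticode_digest`, `build_sample_pe` and `demo` are chosen here, not taken from the project.

```python
import hashlib
import struct

FILE_ALIGN = 512  # file alignment used by the constructed sample image


def authenticode_digest(pe: bytes, algo: str = "sha256") -> bytes:
    """Return the Authenticode digest of a PE image (32 bytes for sha256).

    Per the Windows Authenticode PE Signature Format, everything in the file is
    hashed except: the CheckSum field of the optional header, the Certificate
    Table data-directory entry, and the attribute certificate table itself.
    """
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional-header offset 96
        dd_base = opt + 96
    elif magic == 0x20B:    # PE32+: data directories start at optional-header offset 112
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    checksum_off = opt + 64          # CheckSum sits at offset 64 in both PE32 and PE32+
    cert_dir_off = dd_base + 4 * 8   # IMAGE_DIRECTORY_ENTRY_SECURITY is data directory #4
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir_off)

    # 1. Headers, skipping the 4-byte CheckSum and the 8-byte certificate directory entry.
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:cert_dir_off])
    h.update(pe[cert_dir_off + 8:size_of_headers])
    hashed = size_of_headers

    # 2. Section raw data, in ascending PointerToRawData order.
    sect_table = opt + size_opt
    spans = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_table + i * 40 + 16)
        if raw_size:
            spans.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(spans):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # 3. Any trailing data after the last section, minus the certificate table.
    if len(pe) > hashed:
        tail = bytearray(pe[hashed:])
        if cert_size and cert_off >= hashed:
            del tail[cert_off - hashed:cert_off - hashed + cert_size]
        h.update(bytes(tail))
    return h.digest()


def build_sample_pe(section_data: bytes, cert_blob: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ image (one .text section) for the demo; not a runnable binary.

    If cert_blob is given it is wrapped in a WIN_CERTIFICATE header, appended to the
    file and pointed to by the Certificate Table entry, which is what embedding the
    returned PKCS#7 signature does to a real executable.
    """
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)     # x64, 1 section, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)              # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, FILE_ALIGN)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                         # CheckSum
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    raw = section_data + b"\0" * (-len(section_data) % FILE_ALIGN)
    cert = b""
    if cert_blob:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA, then the blob
        cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        cert += b"\0" * (-len(cert) % 8)
        struct.pack_into("<II", opt, 112 + 4 * 8, FILE_ALIGN + len(raw), len(cert))
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(raw), FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return headers + b"\0" * (FILE_ALIGN - len(headers)) + raw + cert


def demo() -> dict:
    body = b"\x48\x31\xc0\xc3" + b"demo payload"   # constructed section contents
    base = authenticode_digest(build_sample_pe(body))
    stand_in_sig = b"\x30\x82" + b"\xaa" * 30       # stands in for the PKCS#7 blob the API returns
    return {
        "digest_len": len(base),
        # embedding the signature must not change the digest that was signed
        "unchanged_by_signature": base == authenticode_digest(build_sample_pe(body, cert_blob=stand_in_sig)),
        # nor may the CheckSum field, which tools rewrite after signing
        "unchanged_by_checksum": base == authenticode_digest(build_sample_pe(body, checksum=0xDEADBEEF)),
        # but one changed byte of section data does
        "tamper_changes_digest": base != authenticode_digest(build_sample_pe(body[:-1] + b"!")),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows the three properties the workflow relies on: the digest is 32 bytes, it is unchanged by appending a certificate table or rewriting the checksum, and any change to section contents produces a different digest. The same function applied to a real signed `.exe` (with `cert_off`/`cert_size` read from its headers) reproduces the digest that `signtool verify` checks against the signature.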

Quick start

name: Build and Sign

on:
  push:
    tags: ["v*"]

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build
        run: dotnet publish -r win-x64 -c Release -o ./dist

      - name: Sign with Qwick Cert
        uses: qwickcert/sign-action@v1
        with:
          api-key: ${{ secrets.QWICK_API_KEY }}
          files: ./dist/MyApp.exe

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: signed-binary
          path: ./dist/MyApp.exe

Inputs

Input     Required  Default  Description
api-key   Yes                Your Qwick Cert API key
files     Yes                Files to sign: glob patterns or space-separated paths (one per line also works, as in the examples below)
org       No                 Organization slug override (resolved automatically from your API key)
verify    No        true     Verify signatures after signing (requires a Windows runner with signtool.exe)

Outputs

Output        Description
signed-count  Number of files successfully signed

To read it, give the sign step an id and reference steps.<id>.outputs.signed-count in a later step.

Examples

Cross-compile on Ubuntu, sign in the same job

Build a .NET application for Windows on a Linux runner and sign the output — no Windows runner required.

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: dotnet publish -r win-x64 -c Release -o dist/
      - uses: qwickcert/sign-action@v1
        with:
          api-key: ${{ secrets.QWICK_API_KEY }}
          files: dist/myapp.exe

Sign multiple file types with glob patterns

- uses: qwickcert/sign-action@v1
  with:
    api-key: ${{ secrets.QWICK_API_KEY }}
    files: |
      dist/**/*.exe
      dist/**/*.dll

Build on Windows with post-sign verification

On Windows runners, signature verification via signtool.exe is enabled by default.

jobs:
  build-and-sign:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - run: msbuild /p:Configuration=Release
      - uses: qwickcert/sign-action@v1
        with:
          api-key: ${{ secrets.QWICK_API_KEY }}
          files: dist/**/*.exe

Sign an MSI installer

jobs:
  build-and-sign:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - run: msbuild installer.wixproj /p:Configuration=Release
      - uses: qwickcert/sign-action@v1
        with:
          api-key: ${{ secrets.QWICK_API_KEY }}
          files: output/*.msi

Rust cross-compile on macOS

jobs:
  build-and-sign:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          # the -gnu target links with MinGW-w64's x86_64-w64-mingw32-gcc; install it if the runner image lacks it
          brew install mingw-w64
          rustup target add x86_64-pc-windows-gnu
          cargo build --release --target x86_64-pc-windows-gnu
      - uses: qwickcert/sign-action@v1
        with:
          api-key: ${{ secrets.QWICK_API_KEY }}
          files: target/x86_64-pc-windows-gnu/release/*.exe

Other CI systems

For Azure DevOps, GitLab CI, Jenkins, or any other CI system, install the CLI directly and authenticate with an API key:

npm install -g qwickcert
QWICK_API_KEY=qwick_ak_... qwick sign "./dist/*.exe" "./dist/*.dll"

Create API keys from the dashboard or via qwick apikey create. See the CLI reference for the full list of commands and flags.

Setting up secrets

  1. Go to your Qwick Cert dashboard → API Keys → Create a new key.
  2. Copy the key (starts with qwick_ak_).
  3. In your GitHub repo, go to Settings → Secrets and variables → Actions.
  4. Add a new repository secret named QWICK_API_KEY with the copied value.

Security

  • Your API key is passed as an environment variable and is never logged or exposed in workflow output.
  • API keys have mandatory expiration (6 months default, 24 months maximum) matching Microsoft's Azure credential policy.
  • Only the file hash (32 bytes) is sent to the Qwick Cert API — file contents never leave the runner.
  • Signing credentials are short-lived and revoked immediately after each operation.
  • All communication uses HTTPS/TLS.
  • All signing operations are recorded in your Qwick Cert audit trail with the API key used.

Notes

  • Signing works on any runner OS (Ubuntu, macOS, Windows) because only the digest is signed, and that happens server-side; hashing the file and embedding the returned signature are done locally by the CLI.
  • Signature verification (verify: true) requires a Windows runner with signtool.exe. On other platforms, verification is automatically skipped with a warning, so a non-Windows job succeeds without confirming that the embedded signature validates; if that matters for your release, verify the artifact on a Windows runner or machine.
  • The action and the other actions in these workflows are referenced by tag (for example qwickcert/sign-action@v1). As with any third-party action that handles a signing secret, you can pin to a full commit SHA instead and take updates deliberately.
  • The action installs the CLI automatically — you don't need a separate install step.