From 148a28c9150c42bd90c170d949f8cb4236790453 Mon Sep 17 00:00:00 2001
From: Nando Vieira
Date: Wed, 14 Jan 2026 15:36:30 -0300
Subject: [PATCH 1/2] Sign windows installer.
---
.github/workflows/binaries.yml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/.github/workflows/binaries.yml b/.github/workflows/binaries.yml
index bee5c75c74..2970f16f79 100644
--- a/.github/workflows/binaries.yml
+++ b/.github/workflows/binaries.yml
@@ -104,25 +104,47 @@ jobs: echo "STELLAR_CLI_INSTALLER_BASENAME=${installer_basename}" >> $GITHUB_ENV echo "STELLAR_CLI_INSTALLER=${installer_basename}.exe" >> $GITHUB_ENV echo "ARTIFACT_NAME=stellar-cli-${version}-x86_64-pc-windows-msvc.tar.gz" >> $GITHUB_ENV + echo "SM_CLIENT_CERT_FILE=D:\\sm_client_cert.p12" >> "$GITHUB_ENV" - name: Download Artifact uses: actions/download-artifact@v5 with: name: ${{ env.ARTIFACT_NAME }} + - name: Uncompress Artifact run: tar xvf ${{ env.ARTIFACT_NAME }} + - shell: powershell run: winget install --id JRSoftware.InnoSetup --scope machine --silent --accept-package-agreements --accept-source-agreements --force + - shell: powershell run: | $innoPath = "C:\Program Files (x86)\Inno Setup 6" echo $innoPath | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append + - name: Build Installer shell: powershell run: | $Env:STELLAR_CLI_VERSION = "${{ env.VERSION }}" ISCC.exe installer.iss mv Output/stellar-installer.exe ${{ env.STELLAR_CLI_INSTALLER }} + + - name: Setup SM_CLIENT_CERT_FILE + run: | + echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/sm_client_cert.p12 + shell: bash + + - name: Setup Software Trust Manager + if: + github.event_name == 'release' || github.ref == 'refs/heads/main' || + startsWith(github.ref, 'refs/heads/release/') || startsWith(github.head_ref, 'release/') + id: stm-setup + uses: digicert/code-signing-software-trust-action@v1.0.1 + with: + simple-signing-mode: true + keypair-alias: key_1412258126 + input: ${{ env.STELLAR_CLI_INSTALLER }} + - name: Upload Artifact uses: ./.github/actions/artifact-upload with:
From 8d4ac9e29ca93df5cd22627762a4ae9c2209e7fb Mon Sep 17 00:00:00 2001
From: Nando Vieira
Date: Wed, 14 Jan 2026 17:26:10 -0300
Subject: [PATCH 2/2] Do not sign on merge.
---
.github/workflows/binaries.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/binaries.yml b/.github/workflows/binaries.yml
index 2970f16f79..3fa3e11bd5 100644
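Review bot: The `Setup SM_CLIENT_CERT_FILE` step has no `if:` guard and expands `${{ secrets.SM_CLIENT_CERT_FILE_B64 }}` straight into the script text, so the client certificate is decoded to `D:\sm_client_cert.p12` on every run of this job, including runs where the signing step below is skipped, and the secret is written into the generated script rather than passed as an environment variable. Give the step the same condition as `Setup Software Trust Manager` and pass the secret through `env:`, as in the sketch below; removing the `.p12` after signing would also matter if this job can ever run on a non-ephemeral runner, which the hunk does not show. Separately, `digicert/code-signing-software-trust-action@v1.0.1` is a tag reference on an action that handles the signing credentials; pinning it to a full commit SHA keeps a moved tag from changing what runs with those credentials.

```yaml
      - name: Setup SM_CLIENT_CERT_FILE
        # Decode the certificate only on runs that actually sign.
        if:
          github.event_name == 'release' || github.ref == 'refs/heads/main' ||
          startsWith(github.ref, 'refs/heads/release/') || startsWith(github.head_ref, 'release/')
        shell: bash
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          printf '%s' "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > /d/sm_client_cert.p12
      # … unchanged: Setup Software Trust Manager step …
```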
--- a/.github/workflows/binaries.yml
+++ b/.github/workflows/binaries.yml
@@ -136,8 +136,7 @@ jobs: - name: Setup Software Trust Manager if: - github.event_name == 'release' || github.ref == 'refs/heads/main' || - startsWith(github.ref, 'refs/heads/release/') || startsWith(github.head_ref, 'release/') + github.event_name == 'release' || startsWith(github.ref, 'refs/heads/release/') || startsWith(github.head_ref, 'release/') id: stm-setup uses: digicert/code-signing-software-trust-action@v1.0.1 with:
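Review bot: The narrowed condition still contains `startsWith(github.head_ref, 'release/')`, and `github.head_ref` is the source branch name of a pull request, chosen by whoever opens it. Depending on the workflow's triggers, which are outside this hunk, a pull request from any branch named `release/...` could have its not-yet-reviewed build signed with the production key. Consider limiting signing to refs that already exist in the repository, `github.event_name == 'release' || startsWith(github.ref, 'refs/heads/release/')`, or running the signing step in a protected environment with required reviewers. The step's `with:` block continues past the end of the hunk.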