artifact config and forking instructions added

Author: stefan-wenig

.signpath/artifact-configurations/default.xml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
+  <zip-file>
+    
+    <msi-file path="DemoExample.msi">
+      <directory path="application/SignPath Demo">
+        
+        <pe-file-set>
+          <include path="Microsoft.*.dll" min-matches="0" max-matches="unbounded" />
+          <include path="Microsoft.*.exe" min-matches="0" max-matches="unbounded" />
+          <for-each>
+            <authenticode-verify />
+          </for-each>
+        </pe-file-set>
+        
+        <pe-file-set>
+          <include path="Serilog.dll" product-name="Serilog" min-matches="0" />
+          <include path="Serilog.AspNetCore.dll" product-name="Serilog" product-version="7.0.0" min-matches="0" />
+        </pe-file-set>
+
+        <pe-file-set>
+          <include path="DemoExample.dll" />
+          <include path="DemoExample.exe" />
+          <for-each>
+            <authenticode-sign />
+          </for-each>
+        </pe-file-set>
+
+      </directory>
+      <authenticode-sign />
+    </msi-file>
+    
+    <xml-file path="bom.xml" root-element-namespace="http://cyclonedx.org/schema/bom/1.5" root-element-name="bom">
+      <xml-sign/>
+    </xml-file>
+    
+  </zip-file>
+</artifact-configuration>

README.md

@@ -6,12 +6,33 @@ Signing is invoked in the `sign` step of [.github/workflows/build-and-sign.yml](
 
 See [github.com/SignPath/github-actions](https://github.com/SignPath/github-actions) for a full documentation of SignPath actions.
 
+## Policy demonstrations
+
 This project demonstrates the following attempts to violate SignPath policies and how they are averted on the control plane:
 
 * This step selects the appropriate [signing policy] depending on the branch name. The actual branch must match the branch condition of the selected signing policy. The [`attempt-signing-release`] branch demonstrates how SignPath will detect incorrect attempts.
 * The [`release/malicious-dll`] branch demonstrates how SignPath will detect content-level violations of the [artifact configuration].
 
+## Configuration
+
+To use this demo with your own SignPath subscription, you need to get access to SignPath's GitHub Actions preview. Please contact [email protected].
+
+* Fork this repository
+* In your SignPath organization, create a project with 
+  * Slug: `Demo_Application` 
+  * Repository URL: URL of your forked repository
+  * Trusted Build Systems: Link _GitHub Actions (Preview)_
+  * Add the following artifact configuration as default: [.signpath/artifact-configurations/default.xml](.signpath/artifact-configurations/default.xml)
+  * Add a `test-signing` signing policy
+  * Add a `release-signing` signing policy with origin verification enabled and restricted to `main` and `release/*` branches
+* Create an [API token] in SignPath and add it as a GitHub Actions secret `SIGNPATH_API_TOKEN` (make sure the user is a submitter in your signing policies)
+* Add your SignPath organization ID as a GitHub Actions variable `SIGNPATH_ORGANIZATION_ID` 
+* Enable Actions for your repository
+
+
 [signing policy]: https://about.signpath.io/documentation/projects#signing-policies
 [artifact configuration]: https://about.signpath.io/documentation/projects#artifact-configurations
 [`attempt-signing-release`]: https://github.com/SignPath/github-actions-demo/blob/feature/attempt-signing-release/.github/workflows/build-and-sign.yml#L46
 [`release/malicious-dll`]: https://github.com/SignPath/github-actions-demo/blob/release/malicious-dll/src/Build.ps1#L4
+
+[API token]: https://about.signpath.io/documentation/users#interactive-api-token