From fa5af0ed1f594c55a89860d79fc9ef26b548a4d8 Mon Sep 17 00:00:00 2001
From: Jay Lee
Date: Fri, 13 Feb 2026 12:46:15 -0500
Subject: [PATCH 1/6] [actions] switch Apple notary auth to using a key instead of ASP.
---
 .github/workflows/build.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index cf4f62ed..18a7e8d3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -631,7 +631,11 @@ jobs:
 # name it something we can track and link in Apple's notarize process
 zipfilename="./gam-${RUNNER_ARCH}-${GITHUB_RUN_ID}-${GITHUB_RUN_NUMBER}.zip"
 zip -r "$zipfilename" "$gampath"
- xcrun notarytool submit --apple-id "jay0lee@gmail.com" --password "$ASP_NOTARIZE" --team-id GZ85H2DRLM "$zipfilename"
+ export KEY_FILE="$(mktemp).p8"
+ trap 'rm -f "$KEY_FILE"' EXIT
+ echo "$APPLE_KEY" > "$KEY_FILE"
+ xcrun notarytool submit "$zipfilename" --key "$KEY_FILE" --key-id "$APPLE_KEY_ID" --issuer "$APPLE_ISSUER_ID"
+ rm -v "$KEY_FILE"
 rm -v "$zipfilename"
 - name: Basic Tests all jobs
From 01122642917076121eabfa30aec4c3b3c7e01239 Mon Sep 17 00:00:00 2001
From: Jay Lee
Date: Fri, 13 Feb 2026 12:59:04 -0500
Subject: [PATCH 2/6] [actions] update env variables for apply notary
---
 .github/workflows/build.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 18a7e8d3..5c9fbed4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -625,7 +625,9 @@ jobs:
 - name: MacOS send GAM binary for Apple notarization
 if: runner.os == 'macOS'
 env:
- ASP_NOTARIZE: ${{ secrets.ASP_NOTARIZE }}
+ APPLE_KEY: ${{ secrets.APPLE_KEY }}
+ APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
+ APPLE_ISSUER_ID: ${{ secrets.APPLE_ISSUER_ID }}
 run: |
 # Apple wants some kind of "package" submitted so just add gam to a .zip
 # name it something we can track and link in Apple's notarize process
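Review bot: In PATCH 1/6, `KEY_FILE="$(mktemp).p8"` does not write the key to the file `mktemp` created: `mktemp` makes one file with owner-only permissions, and the key then goes to a second path with `.p8` appended, created by the `>` redirect under the default umask, while the original temp file is never removed. Creating a private directory keeps both the `.p8` suffix and the restrictive mode, e.g. `KEY_DIR="$(mktemp -d)"`, `KEY_FILE="$KEY_DIR/AuthKey.p8"`, `trap 'rm -rf "$KEY_DIR"' EXIT`. `export` is not needed because the path is passed to `notarytool` as an argument, and the explicit `rm -v "$KEY_FILE"` repeats what the trap already does. The `run:` script starts above the hunk.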
From 24a58c8edc0fa5ba22effc2aa5a7c60ead80823c Mon Sep 17 00:00:00 2001
From: Jay Lee
Date: Fri, 13 Feb 2026 14:18:03 -0500
Subject: [PATCH 3/6] [actions] use VS Code 2026 on Win x64
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5c9fbed4..1c4a3ed9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -91,7 +91,7 @@ jobs:
 freethreaded: false
 goal: build
 name: Build Arm MacOS 26
- - os: windows-2025
+ - os: windows-2025-vs2026
 jid: 12
 freethreaded: false
 goal: build
From 2ed23c8f5554ec38d1238343e12f1f111f637b33 Mon Sep 17 00:00:00 2001
From: Jay Lee
Date: Fri, 13 Feb 2026 16:30:11 -0500
Subject: [PATCH 4/6] Update build.yml
---
 .github/workflows/build.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 1c4a3ed9..07629a10 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -675,10 +675,9 @@ jobs:
 if: runner.os == 'Windows'
 shell: pwsh
 run: |
- #$url = "https://files.certum.eu/software/SimplySignDesktop/Windows/9.3.2.67/SimplySignDesktop-9.3.2.67-64-bit-en.msi"
- #$file = "SimplySignDesktop-9.3.2.67-64-bit-en.msi"
- $url = "https://files.certum.eu/software/SimplySignDesktop/Windows/9.3.4.72/SimplySignDesktop-9.3.4.72-64-bit-en.msi"
- $file = "SimplySignDesktop-9.3.4.72-64-bit-en.msi"
+ #$url = "https://files.certum.eu/software/SimplySignDesktop/Windows/9.3.4.72/SimplySignDesktop-9.3.4.72-64-bit-en.msi"
+ $url = "https://www.files.certum.eu/software/SimplySignDesktop/Windows/9.4.0.84/SimplySignDesktop-9.4.0.84-64-bit-en.msi"
+ $file = "SimplySignDesktop.msi"
 Invoke-WebRequest $url -OutFile $file
 $log = "install.log"
 $procMain = Start-Process "msiexec" "/i `"$file`" /qn /l*! `"$log`"" -NoNewWindow -PassThru
From 6702e4db307d15accf99fa419ab38f58091481be Mon Sep 17 00:00:00 2001
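Review bot: In PATCH 4/6, the MSI fetched from the new `www.files.certum.eu` URL is handed to `msiexec /i ... /qn` with no integrity check, on a runner that presumably goes on to handle code-signing material. Pin the expected digest next to `$url` and fail before installing, e.g. `if ((Get-FileHash $file -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') { throw "SimplySignDesktop.msi hash mismatch" }`; checking `Get-AuthenticodeSignature $file` for a valid vendor signature is an alternative if a digest is hard to maintain across version bumps. The commented-out previous `$url` line can be dropped, since the history already records it. The `run:` block continues past the hunk.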
From: Jay Lee
Date: Fri, 13 Feb 2026 16:48:41 -0500
Subject: [PATCH 5/6] [actions]: custom cryptography wheel for win arm64
---
 .github/workflows/build.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 07629a10..a30b9a9f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -517,6 +517,12 @@ jobs:
 echo "--pip debug verbose--"
 "$PYTHON" -m pip debug --verbose
 echo "--------"
+ elif ([ "${RUNNER_OS}" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
+ # custom cryptography wheel for win arm64 since the project doesn't provide one:
+ # https://github.com/pyca/cryptography/issues/14293
+ gh release download --repo "jay0lee/cryptography-wheels" --pattern "*win_arm64.whl" --clobber --output cryptography-win_arm64.whl
+ "$PYTHON" -m pip install cryptography-win_arm64.whl
+ fi
 "$PYTHON" -m pip install -vvv --upgrade ..[yubikey]
 echo "after everything..."
 "$PYTHON" -m pip list
From 13c6893b67a7975037ad372b1e1dc72984e8983d Mon Sep 17 00:00:00 2001
From: Jay Lee
Date: Fri, 13 Feb 2026 17:02:46 -0500
Subject: [PATCH 6/6] Update build.yml
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a30b9a9f..e1c11d02 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -517,7 +517,7 @@ jobs:
 echo "--pip debug verbose--"
 "$PYTHON" -m pip debug --verbose
 echo "--------"
- elif ([ "${RUNNER_OS}" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
+ if ([ "$RUNNER_OS" == "Windows" ] && [ "$RUNNER_ARCH" == "ARM64" ]); then
 # custom cryptography wheel for win arm64 since the project doesn't provide one:
 # https://github.com/pyca/cryptography/issues/14293
 gh release download --repo "jay0lee/cryptography-wheels" --pattern "*win_arm64.whl" --clobber --output cryptography-win_arm64.whl
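Review bot: In PATCH 5/6, the wheel installed on Windows ARM64 is whichever asset in the latest release of `jay0lee/cryptography-wheels` matches `*win_arm64.whl`; no release tag is pinned and no digest is checked before `pip install`, so the shipped build's crypto library is only as trustworthy as that repository's current release. Pin a tag and verify the file, e.g. `gh release download "<RELEASE_TAG>" --repo "jay0lee/cryptography-wheels" --pattern "*win_arm64.whl" --dir wheels` followed by a SHA-256 comparison against a value stored in this workflow. Separately, `--output cryptography-win_arm64.whl` renames the asset to something that is not a PEP 427 wheel filename, which pip is likely to reject; keeping the original filename (as `--dir` does) avoids that. The surrounding `run:` script starts and ends outside the hunk.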