From f8158cb8037b3caeb5fc752f5fc1d00cb7146fca Mon Sep 17 00:00:00 2001
From: Andrew Nester
Date: Thu, 26 Mar 2026 13:30:50 +0100
Subject: [PATCH 1/2] Lock AzureSignTool to 7.0.1

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b53af55ed3..6f018293e0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -101,7 +101,7 @@ jobs:
 - name: Install AzureSignTool
 shell: pwsh
 run: |
- dotnet tool install --global AzureSignTool
+ dotnet tool install --global AzureSignTool --version 7.0.1

 - name: Run GoReleaser for Windows
 uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0

From 2e37d1ad61cb4bb7508c7846a7a31fbaee9df45a Mon Sep 17 00:00:00 2001
From: Andrew Nester
Date: Fri, 27 Mar 2026 10:58:46 +0100
Subject: [PATCH 2/2] added comment

---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6f018293e0..8d88e4222b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -98,6 +98,9 @@ jobs:
 echo "::add-mask::$accessToken"
 echo "AZURE_VAULT_TOKEN=$accessToken" >> $env:GITHUB_ENV

+ # AzureSignTool is installed from nuget.org (https://www.nuget.org/packages/AzureSignTool/7.0.1)
+ # Security: On Windows, NuGet verifies repository signatures by default. The package is
+ # version-pinned and pulled over HTTPS from nuget.org's CDN. Source: https://github.com/vcsjones/AzureSignTool
 - name: Install AzureSignTool
 shell: pwsh
 run: |
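Review bot: The `--version 7.0.1` pin on the install line fixes the version number but not the feed that resolves it, so what gets installed still depends on whatever NuGet sources the runner or a repository `nuget.config` has configured. This matters because the tool signs the release binaries and, judging by the step shown in the second patch, runs in a job where `AZURE_VAULT_TOKEN` has already been exported to the environment. Consider passing `--configfile` with a committed `nuget.config` that clears other sources and lists only nuget.org. A follow-up `dotnet tool list --global` check that fails the job on an unexpected version would stop a resolution surprise before anything is signed. Only the `run:` line of the step is changed here; the rest of the job is outside the hunk.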
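Review bot: The added comment presents "NuGet verifies repository signatures by default" as a property of this job, but nothing in the workflow enforces it. As far as I know, the default validation mode checks signatures that are present without requiring a particular signer, so this describes a runner default rather than a guarantee. If the release is meant to rely on it, a committed `nuget.config` with `signatureValidationMode` set to `require` and a `trustedSigners` entry for the nuget.org repository certificate would make it explicit. Otherwise the wording could be softened, e.g. `# Integrity relies on NuGet's default signature validation on the Windows runner; not enforced by this workflow.` The comment also repeats `7.0.1` in the package URL, which has to be kept in step by hand with the `--version` value on the install line, which lies below the end of this hunk.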