From dd5db8e7a8b503df50cf37507e8c4f1f6a211e45 Mon Sep 17 00:00:00 2001
From: Kaleb Luedtke
Date: Thu, 26 Mar 2026 21:57:37 -0500
Subject: [PATCH 1/3] Add TimestampServer for signing and quote paths
---
 src/WinGetSourceCreator/Helpers.cs | 14 +++++++++-----
 src/WinGetSourceCreator/Model/Signature.cs | 5 +++++
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/WinGetSourceCreator/Helpers.cs b/src/WinGetSourceCreator/Helpers.cs
index 77d21a5ea4..7e34735064 100644
--- a/src/WinGetSourceCreator/Helpers.cs
+++ b/src/WinGetSourceCreator/Helpers.cs
@@ -36,12 +36,16 @@ public static void SignFile(string fileToSign, Signature signature)
 string pathToSDK = SDKDetector.Instance.LatestSDKBinPath;
 string signtoolExecutable = Path.Combine(pathToSDK, "signtool.exe");
- string command = $"sign /a /fd sha256 /f {signature.CertFile} ";
+ string command = $"sign /a /fd sha256 /f \"{signature.CertFile}\" ";
 if (!string.IsNullOrEmpty(signature.Password))
 {
 command += $"/p {signature.Password} ";
 }
- command += fileToSign;
+ if (!string.IsNullOrEmpty(signature.TimestampServer))
+ {
+ command += $"/tr {signature.TimestampServer} /td sha256 ";
+ }
+ command += $"\"{fileToSign}\"";
 RunCommand(signtoolExecutable, command);
 }
@@ -81,7 +85,7 @@ public static void Unpack(string package, string outDir)
 string pathToSDK = SDKDetector.Instance.LatestSDKBinPath;
 string makeappxExecutable = Path.Combine(pathToSDK, "makeappx.exe");
- string args = $"unpack /nv /p {package} /d {outDir}";
+ string args = $"unpack /nv /p \"{package}\" /d \"{outDir}\"";
 Process p = new Process
 {
 StartInfo = new ProcessStartInfo(makeappxExecutable, args)
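Review bot: The new `/tr {signature.TimestampServer}` argument in SignFile is interpolated unquoted, although this same hunk starts quoting `CertFile` and `fileToSign`; a configured value containing a space would be split into additional signtool arguments. The unchanged `/p {signature.Password}` line has the same gap, so a password with a space or a quote breaks the command line, and the password stays readable in the process command line for anything on the machine that can list processes. I would write `command += $"/tr \"{signature.TimestampServer}\" /td sha256 ";` and quote the password the same way. How RunCommand starts the process is outside this hunk, so whether an argument list could replace the single string is not visible here.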
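Review bot: Wrapping `outDir` in `\"...\"` in Unpack does not hold when the value ends in a backslash: `C:\out\` becomes `"C:\out\"`, and under the usual Windows argument parsing rules the trailing `\"` is read as a literal quote, so the argument runs on into whatever follows. The same applies to `directoryToPack` in the Pack hunk further down. Since the `ProcessStartInfo` is constructed right here, filling `ProcessStartInfo.ArgumentList` with one `Add` per token (if the target framework provides it) would leave the escaping to the runtime instead of hand-built quoting. Unpack's body continues past the end of the hunk.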
@@ -99,7 +103,7 @@ public static void PackWithMappingFile(string outputPackage, string mappingFile)
 string pathToSDK = SDKDetector.Instance.LatestSDKBinPath;
 string makeappxExecutable = Path.Combine(pathToSDK, "makeappx.exe");
- string args = $"pack /o /nv /f {mappingFile} /p {outputPackage}";
+ string args = $"pack /o /nv /f \"{mappingFile}\" /p \"{outputPackage}\"";
 RunCommand(makeappxExecutable, args);
 }
@@ -117,7 +121,7 @@ public static void Pack(string outputPackage, string directoryToPack)
 string pathToSDK = SDKDetector.Instance.LatestSDKBinPath;
 string makeappxExecutable = Path.Combine(pathToSDK, "makeappx.exe");
- string args = $"pack /o /d {directoryToPack} /p {outputPackage}";
+ string args = $"pack /o /d \"{directoryToPack}\" /p \"{outputPackage}\"";
 RunCommand(makeappxExecutable, args);
 }
diff --git a/src/WinGetSourceCreator/Model/Signature.cs b/src/WinGetSourceCreator/Model/Signature.cs
index 47aa5743a9..817af8822a 100644
--- a/src/WinGetSourceCreator/Model/Signature.cs
+++ b/src/WinGetSourceCreator/Model/Signature.cs
@@ -13,6 +13,11 @@ public class Signature
 // The publisher for the AppxPackage Identity Name property.
 public string? Publisher { get; set; }
+ // RFC 3161 timestamp server URL (e.g. http://timestamp.digicert.com).
+ // When set, a countersignature timestamp is added so the signature remains
+ // valid after the signing certificate expires.
+ public string? TimestampServer { get; set; }
+
 internal void Validate()
 {
 if (string.IsNullOrEmpty(this.CertFile))
From 9f12313d21ff143a1ef8d41c13ca35e1056f7b36 Mon Sep 17 00:00:00 2001
From: Kaleb Luedtke
Date: Thu, 26 Mar 2026 22:01:22 -0500
Subject: [PATCH 2/3] Update Release Notes
---
 doc/ReleaseNotes.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/ReleaseNotes.md b/doc/ReleaseNotes.md
index cf22c48572..b325c92b48 100644
--- a/doc/ReleaseNotes.md
+++ b/doc/ReleaseNotes.md
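Review bot: `TimestampServer` is added to the Signature model, but `Validate()` gets no matching check in this hunk, so whatever string is configured reaches the signtool command line as it is. A guard in `Validate()` such as `if (!string.IsNullOrEmpty(this.TimestampServer) && !Uri.TryCreate(this.TimestampServer, UriKind.Absolute, out _))`, failing the same way the `CertFile` check does, would reject malformed values before signing starts; restricting the scheme to http or https would narrow it further. The property comment could also state that the value is handed to `signtool.exe /tr`, so a reader knows where it ends up. Only the first lines of `Validate()` fall inside the hunk, so the existing error style is not visible here.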
@@ -38,4 +38,5 @@ The PowerShell module now automatically uses `GH_TOKEN` or `GITHUB_TOKEN` enviro
 ## Bug Fixes
-
+* `SignFile` in `WinGetSourceCreator` now supports an optional RFC 3161 timestamp server via the new `TimestampServer` property on the `Signature` model. When set, `signtool.exe` is called with `/tr /td sha256`, embedding a countersignature timestamp so that signed packages remain valid after the signing certificate expires.
+* File and directory paths passed to `signtool.exe` and `makeappx.exe` are now quoted, fixing failures when paths contain spaces.
From f36c4f51108ce8ac83eaef4b8fb76aac7c396dce Mon Sep 17 00:00:00 2001
From: Kaleb Luedtke
Date: Thu, 26 Mar 2026 22:13:01 -0500
Subject: [PATCH 3/3] Spelling
---
 .github/actions/spelling/expect.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
index d64f597bb2..dde4d3c712 100644
--- a/.github/actions/spelling/expect.txt
+++ b/.github/actions/spelling/expect.txt
@@ -138,6 +138,7 @@ devhome
 DFX
 DHAVE
 dic
+digicert
 diskfull
 DISPLAYCATALOG
 DMC