ci(windows): detect untrusted root via structured signature status

The previous text match on signtool output was flaky: signtool interleaves
stdout (chain details) and stderr (error), so the wrapped "untrusted root"
phrase stayed contiguous for one file but was split for another, causing the
verify step to pass orca-slicer.exe but throw on OrcaSlicer.dll.

Use Get-AuthenticodeSignature instead, whose StatusMessage is a single clean
string, to decide the untrusted-root exception. signtool remains the strict
primary check; this only governs the -AllowUntrustedRoot test-cert path.

.github/workflows/build_all.yml

@@ -13,6 +13,8 @@ on:
      - 'localization/**'
      - 'resources/**'
      - ".github/workflows/build_*.yml"
+     - 'signpath/**'
+     - 'scripts/*.ps1'
      - 'scripts/flatpak/**'
 
   pull_request:
@@ -26,9 +28,11 @@ on:
      - '**/CMakeLists.txt'
      - 'version.inc'
      - ".github/workflows/build_*.yml"
+     - 'signpath/**'
      - 'build_linux.sh'
      - 'build_release_vs2022.bat'
      - 'build_release_macos.sh'
+     - 'scripts/*.ps1'
      - 'scripts/flatpak/**'
 
 

.github/workflows/build_orca.yml

@@ -292,6 +292,53 @@ jobs:
         #   WindowsSDKVersion: '10.0.26100.0\'
         run: .\build_release_vs.bat slicer
 
+      - name: Pack PDB
+        if: runner.os == 'Windows' && !vars.SELF_HOSTED
+        working-directory: ${{ github.workspace }}/build/src/Release
+        shell: cmd
+        run: '"C:/Program Files/7-Zip/7z.exe" a -m0=lzma2 -mx9 Debug_PDB_${{ env.ver }}_for_developers_only.7z  *.pdb'
+
+      - name: Upload unsigned Windows portable artifact for SignPath
+        id: upload-windows-portable
+        if: github.repository == 'OrcaSlicer/OrcaSlicer' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && runner.os == 'Windows' && !vars.SELF_HOSTED
+        uses: actions/upload-artifact@v7
+        with:
+          name: OrcaSlicer_Windows_${{ env.ver }}_portable_unsigned
+          path: ${{ github.workspace }}/build/OrcaSlicer
+          if-no-files-found: error
+
+      - name: Submit Windows portable artifact to SignPath
+        if: github.repository == 'OrcaSlicer/OrcaSlicer' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && runner.os == 'Windows' && !vars.SELF_HOSTED
+        uses: signpath/github-action-submit-signing-request@v2
+        with:
+          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+          organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
+          project-slug: OrcaSlicer
+          signing-policy-slug: test-signing
+          artifact-configuration-slug: windows-portable-v1
+          github-artifact-id: ${{ steps.upload-windows-portable.outputs.artifact-id }}
+          wait-for-completion: true
+          output-artifact-directory: ${{ github.workspace }}/build/signpath/windows-portable
+
+      - name: Verify SignPath Windows portable signatures
+        if: github.repository == 'OrcaSlicer/OrcaSlicer' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && runner.os == 'Windows' && !vars.SELF_HOSTED
+        shell: pwsh
+        # -AllowUntrustedRoot is required while signing with the SignPath test
+        # certificate (self-signed). Remove it once signing-policy-slug switches
+        # to release-signing with a production CA-issued certificate.
+        run: ./scripts/verify-authenticode.ps1 -ArtifactDirectory '${{ github.workspace }}/build/signpath/windows-portable' -AllowUntrustedRoot
+
+      - name: Replace Windows portable bundle with signed output
+        if: github.repository == 'OrcaSlicer/OrcaSlicer' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && runner.os == 'Windows' && !vars.SELF_HOSTED
+        shell: pwsh
+        run: |
+          $source = Join-Path "${{ github.workspace }}" "build/signpath/windows-portable"
+          $destination = Join-Path "${{ github.workspace }}" "build/OrcaSlicer"
+          if (-not (Test-Path -LiteralPath $source -PathType Container)) {
+              throw "SignPath output directory not found: $source"
+          }
+          Get-ChildItem -LiteralPath $source -Force | Copy-Item -Destination $destination -Recurse -Force
+
       - name: Create installer Win
         if: runner.os == 'Windows' && !vars.SELF_HOSTED
         working-directory: ${{ github.workspace }}/build
@@ -301,14 +348,14 @@ jobs:
       - name: Pack app
         if: runner.os == 'Windows'
         working-directory: ${{ github.workspace }}/build
-        shell: cmd
-        run: '"C:/Program Files/7-Zip/7z.exe" a -tzip OrcaSlicer_Windows_${{ env.ver }}_portable.zip ${{ github.workspace }}/build/OrcaSlicer'
-
-      - name: Pack PDB
-        if: runner.os == 'Windows' && !vars.SELF_HOSTED
-        working-directory: ${{ github.workspace }}/build/src/Release
-        shell: cmd
-        run: '"C:/Program Files/7-Zip/7z.exe" a -m0=lzma2 -mx9 Debug_PDB_${{ env.ver }}_for_developers_only.7z  *.pdb'
+        shell: pwsh
+        run: |
+          $zipPath = "OrcaSlicer_Windows_${{ env.ver }}_portable.zip"
+          Remove-Item -LiteralPath $zipPath -Force -ErrorAction SilentlyContinue
+          & "C:/Program Files/7-Zip/7z.exe" a -tzip $zipPath "${{ github.workspace }}/build/OrcaSlicer"
+          if ($LASTEXITCODE -ne 0) {
+              exit $LASTEXITCODE
+          }
 
       - name: Upload artifacts Win zip
         if: runner.os == 'Windows'
@@ -316,6 +363,7 @@ jobs:
         with:
           name: OrcaSlicer_Windows_${{ env.ver }}_portable
           path: ${{ github.workspace }}/build/OrcaSlicer
+          if-no-files-found: error
 
       - name: Upload artifacts Win installer
         if: runner.os == 'Windows' && !vars.SELF_HOSTED

deps/Eigen/Eigen.cmake

@@ -1,11 +1,5 @@
-set(_eigen_extra_flags "")
-if (MSVC)
-    set(_eigen_extra_flags "-DCMAKE_CXX_FLAGS:STRING=/bigobj")
-endif ()
-
 orcaslicer_add_cmake_project(Eigen
     URL https://gitlab.com/libeigen/eigen/-/archive/5.0.1/eigen-5.0.1.zip
     URL_HASH SHA256=0dbb1f9e3aaad66f352c03227d8c983f6f0b49e0b07e71a7300f4abcc01aee12
-    CMAKE_ARGS "${_eigen_extra_flags}"
     DEPENDS dep_Boost dep_GMP dep_MPFR
 )

scripts/inventory-authenticode.ps1

@@ -0,0 +1,48 @@
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $true)]
+    [ValidateScript({ Test-Path -LiteralPath $_ -PathType Container })]
+    [string]$ArtifactDirectory
+)
+
+$ErrorActionPreference = "Stop"
+
+function Get-RelativePath {
+    param(
+        [Parameter(Mandatory = $true)]
+        [string]$Root,
+
+        [Parameter(Mandatory = $true)]
+        [string]$Path
+    )
+
+    $rootWithSeparator = $Root.TrimEnd([IO.Path]::DirectorySeparatorChar, [IO.Path]::AltDirectorySeparatorChar) + [IO.Path]::DirectorySeparatorChar
+    $rootUri = [Uri]$rootWithSeparator
+    $pathUri = [Uri]$Path
+
+    [Uri]::UnescapeDataString($rootUri.MakeRelativeUri($pathUri).ToString()).Replace("/", [IO.Path]::DirectorySeparatorChar)
+}
+
+$artifactRoot = (Resolve-Path -LiteralPath $ArtifactDirectory).Path
+$binaries = Get-ChildItem -LiteralPath $artifactRoot -Recurse -File |
+    Where-Object { $_.Extension -in @(".exe", ".dll") } |
+    Sort-Object -Property FullName
+
+if (-not $binaries) {
+    Write-Warning "No .exe or .dll files found under '$artifactRoot'."
+    exit 0
+}
+
+$binaries | ForEach-Object {
+    $signature = Get-AuthenticodeSignature -LiteralPath $_.FullName
+
+    [pscustomobject]@{
+        RelativePath = Get-RelativePath -Root $artifactRoot -Path $_.FullName
+        Status = $signature.Status
+        SignatureType = $signature.SignatureType
+        Signer = if ($signature.SignerCertificate) { $signature.SignerCertificate.Subject } else { "" }
+        SignerThumbprint = if ($signature.SignerCertificate) { $signature.SignerCertificate.Thumbprint } else { "" }
+        Timestamped = [bool]$signature.TimeStamperCertificate
+        TimeStamper = if ($signature.TimeStamperCertificate) { $signature.TimeStamperCertificate.Subject } else { "" }
+    }
+} | Format-Table -AutoSize

scripts/verify-authenticode.ps1

@@ -0,0 +1,115 @@
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $true)]
+    [ValidateScript({ Test-Path -LiteralPath $_ -PathType Container })]
+    [string]$ArtifactDirectory,
+
+    [string[]]$Files = @(
+        "orca-slicer.exe",
+        "OrcaSlicer.dll"
+    ),
+
+    [string]$SignToolPath,
+
+    # Accept signatures whose certificate chain terminates in an untrusted root.
+    # Required for the SignPath test certificate (self-signed). Do NOT pass this
+    # once a production CA-issued certificate is in use, so release builds enforce
+    # a fully trusted chain.
+    [switch]$AllowUntrustedRoot
+)
+
+$ErrorActionPreference = "Stop"
+
+function Resolve-SignToolPath {
+    param(
+        [string]$ExplicitPath
+    )
+
+    if ($ExplicitPath) {
+        if (Test-Path -LiteralPath $ExplicitPath -PathType Leaf) {
+            return (Resolve-Path -LiteralPath $ExplicitPath).Path
+        }
+
+        throw "SignTool was not found at '$ExplicitPath'."
+    }
+
+    $fromPath = Get-Command -Name "signtool.exe" -ErrorAction SilentlyContinue
+    if ($fromPath) {
+        return $fromPath.Source
+    }
+
+    $candidateRoots = @(
+        "${env:ProgramFiles(x86)}\Windows Kits\10\bin",
+        "${env:ProgramFiles}\Windows Kits\10\bin"
+    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }
+
+    foreach ($root in $candidateRoots) {
+        $candidate = Get-ChildItem -LiteralPath $root -Recurse -Filter "signtool.exe" -File -ErrorAction SilentlyContinue |
+            Where-Object { $_.FullName -match "\\(x64|arm64)\\signtool\.exe$" } |
+            Sort-Object -Property FullName -Descending |
+            Select-Object -First 1
+
+        if ($candidate) {
+            return $candidate.FullName
+        }
+    }
+
+    throw "signtool.exe was not found. Install the Windows SDK or pass -SignToolPath."
+}
+
+$artifactRoot = (Resolve-Path -LiteralPath $ArtifactDirectory).Path
+$signtool = Resolve-SignToolPath -ExplicitPath $SignToolPath
+
+Write-Host "Using SignTool: $signtool"
+Write-Host "Verifying Authenticode signatures in: $artifactRoot"
+
+foreach ($relativePath in $Files) {
+    $filePath = Join-Path $artifactRoot $relativePath
+    if (-not (Test-Path -LiteralPath $filePath -PathType Leaf)) {
+        throw "Expected signed file was not found: $filePath"
+    }
+
+    Write-Host "Verifying $relativePath"
+
+    # Capture signtool output without letting native stderr (redirected via 2>&1)
+    # raise a terminating NativeCommandError under $ErrorActionPreference = 'Stop'.
+    $previousErrorActionPreference = $ErrorActionPreference
+    $ErrorActionPreference = "Continue"
+    try {
+        $output = & $signtool verify /pa /all /tw /v $filePath 2>&1
+        $exitCode = $LASTEXITCODE
+    }
+    finally {
+        $ErrorActionPreference = $previousErrorActionPreference
+    }
+
+    $output | ForEach-Object { Write-Host $_ }
+
+    if ($exitCode -eq 0) {
+        continue
+    }
+
+    if ($AllowUntrustedRoot) {
+        # signtool interleaves its stdout (chain details) and stderr (the error)
+        # unpredictably, so the error text cannot be matched reliably. Use the
+        # structured Get-AuthenticodeSignature result instead: accept only when the
+        # file is genuinely signed and the sole problem is that the chain terminates
+        # in an untrusted root (i.e. the self-signed SignPath test certificate).
+        $signature = Get-AuthenticodeSignature -LiteralPath $filePath
+        $isSigned = ($signature.SignatureType -eq "Authenticode") -and ($null -ne $signature.SignerCertificate)
+        $untrustedRootOnly = $signature.StatusMessage -match "terminated in a root certificate which is not trusted"
+        if ($isSigned -and $untrustedRootOnly) {
+            Write-Host "  Accepted: '$relativePath' is signed but its certificate chains to an untrusted root (expected for the SignPath test certificate)."
+            continue
+        }
+    }
+
+    throw "SignTool verification failed for '$relativePath' with exit code $exitCode."
+}
+
+Write-Host "Authenticode verification passed."
+
+# signtool exits non-zero for the untrusted test-cert root even when we accept
+# it above, leaving $LASTEXITCODE = 1. The GitHub Actions pwsh wrapper exits
+# with that lingering code, so reset it to report success explicitly.
+exit 0

signpath/README.md

@@ -0,0 +1,16 @@
+# SignPath configurations
+
+This directory contains SignPath artifact configurations used by GitHub Actions.
+
+## `windows-portable-v1`
+
+`windows-portable-v1.xml` is the initial conservative Windows portable-bundle signing configuration. It signs only the two first-party binaries:
+
+- `orca-slicer.exe`
+- `OrcaSlicer.dll`
+
+Do not broaden this to all DLLs without first confirming ownership, provenance, and whether upstream vendor signatures should be verified instead.
+
+The Windows workflow uploads `${{ github.workspace }}/build/OrcaSlicer` with `actions/upload-artifact`. GitHub stores that artifact as a ZIP, and the uploaded directory contents are rooted at the ZIP root. Because of that, the SignPath configuration uses `<zip-file>` with `orca-slicer.exe` and `OrcaSlicer.dll` directly beneath it.
+
+The release portable ZIP is a separate archive created with 7-Zip from `${{ github.workspace }}/build/OrcaSlicer`; that archive keeps the top-level `OrcaSlicer/` folder. After SignPath returns the signed artifact, the workflow copies the signed files back into `build/OrcaSlicer` and recreates the portable release ZIP so the public ZIP layout stays unchanged.

signpath/windows-portable-v1.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
+  <zip-file>
+    <pe-file path="orca-slicer.exe">
+      <authenticode-sign />
+    </pe-file>
+
+    <pe-file path="OrcaSlicer.dll">
+      <authenticode-sign />
+    </pe-file>
+  </zip-file>
+</artifact-configuration>

src/libslic3r/Support/TreeSupport3D.cpp

@@ -124,9 +124,6 @@ static std::vector<std::pair<TreeSupportSettings, std::vector<size_t>>> group_me
 {
     std::vector<std::pair<TreeSupportSettings, std::vector<size_t>>> grouped_meshes;
 
-    // Orca: Recompute static mesh-group state for this support generation pass.
-    TreeSupportSettings::zero_top_z_gap = false;
-
     //FIXME this is ugly, it does not belong here.
     for (size_t object_id : print_object_ids) {
         const PrintObject       &print_object  = *print.get_object(object_id);
@@ -1607,14 +1604,9 @@ static Point move_inside_if_outside(const Polygons &polygons, Point from, int di
     if (settings.move) {
         increased = relevant_offset;
         if (overspeed > 0) {
-            coord_t safe_movement_distance =
+            const coord_t safe_movement_distance =
                 (current_elem.use_min_xy_dist ? config.xy_min_distance : config.xy_distance) +
                 (std::min(config.z_distance_top_layers, config.z_distance_bottom_layers) > 0 ? config.min_feature_size : 0);
-            // Orca:
-            // safe_movement_distance is used as the safe_offset_inc() step, so keep it non-zero
-            // to preserve branch movement with zero-clearance support settings.
-            if (safe_movement_distance == 0)
-                safe_movement_distance = scaled<coord_t>(0.1);
             // The difference to ensure that the result not only conforms to wall_restriction, but collision/avoidance is done later.
             // The higher last_safe_step_movement_distance comes exactly from the fact that the collision will be subtracted later.
             increased = safe_offset_inc(increased, overspeed, volumes.getWallRestriction(support_element_collision_radius(config, parent.state), layer_idx, parent.state.use_min_xy_dist),
@@ -1825,15 +1817,9 @@ static void increase_areas_one_layer(
              *  layer z-1:dddddxxxxxxxxxx
              *  For more detailed visualisation see calculateWallRestrictions
              */
-            coord_t safe_movement_distance =
+            const coord_t safe_movement_distance =
                 (elem.use_min_xy_dist ? config.xy_min_distance : config.xy_distance) +
                 (std::min(config.z_distance_top_layers, config.z_distance_bottom_layers) > 0 ? config.min_feature_size : 0);
-
-            // safe_movement_distance is used as a divisor and as the safe_offset_inc() step,
-            // so keep it non-zero to avoid division by zero and preserve branch movement.
-            if (safe_movement_distance == 0)
-                safe_movement_distance = scaled<coord_t>(0.1);
-
             if (ceiled_parent_radius == volumes.ceilRadius(projected_radius_increased, parent.state.use_min_xy_dist) ||
                 projected_radius_increased < config.increase_radius_until_radius)
                 // If it is guaranteed possible to increase the radius, the maximum movement speed can be increased, as it is assumed that the maximum movement speed is the one of the slower moving wall

src/slic3r/GUI/ConfigManipulation.cpp

@@ -836,6 +836,9 @@ void ConfigManipulation::toggle_print_fff_options(DynamicPrintConfig *config, co
     toggle_line("enable_tower_interface_cooldown_during_tower",
                 have_prime_tower && config->opt_bool("enable_tower_interface_features"));
 
+    for (auto el : {"wall_filament", "sparse_infill_filament", "solid_infill_filament", "wipe_tower_filament"})
+        toggle_line(el, !bSEMM);
+
     bool purge_in_primetower = preset_bundle->printers.get_edited_preset().config.opt_bool("purge_in_prime_tower");
 
     for (auto el : {"wipe_tower_rotation_angle", "wipe_tower_cone_angle",