Code signing

[gomarcd]

For signing Windows releases, Azure Trusted Signing identity validation is pending. Current file is just an exe that loads the app. Will look at making an exe or MSI installer, and will look at the Microsoft app store as well. Current file is already GPG signed.

Apple binaries are already signed, notarized and stapled per Apple process with their cert, as well as GPG signed. Availability on Apple's App Store is pending.

Linux: a working binary is already provided and GPG signed, source already available in zip and tar.gz - will look at making AppImage + .deb + .rpm available. May look at apt repositories.

[gomarcd]

Code Signing

Implemented the following code signing as of 81d9c2f:

✅ Apple code signing, notarization and ticket stapling

✅ GPG signing

Azure validation remains pending, will update pipeline to automatically sign Windows binaries once that is complete.

SHA256 Checksums

In addition to GPG .sig signature files alongside their respective signed binaries, .sha256 checksums are included. Checksum hash per file included in release notes for convenience, as well as instructions on how to verify GPG signature and SHA256 checksums in the README.md#Security.

[gomarcd]

Azure is a bust, despite uploading all the required documents they kept requesting the same documents over and over, and rejected the application with no option to connect to a human being anywhere in the experience. Then I found in the fineprint, they apparently require a registered corp with 3 years of history in order to be approved... So instead, SSL.com verification is under way now.

[gomarcd]

Windows code signing has been implemented as of v0.0.10

However there still need additional steps to get rid of purple warning despite proper code signing. App has been submitted for manual review by Microsoft.

[gomarcd]

The application installer is still being flagged as unrecognised with the purple warning screen in Windows despite proper code signing. Attempts to package it with WinGet are being blocked due to triggering virus false positives.

Application installer has been submitted to Microsoft here: https://www.microsoft.com/en-us/wdsi/submission/7c3417c4-d6d1-40d7-813e-a0e925d50247

Virustotal.com here

[gomarcd]

The application installer is still being flagged as unrecognised with the purple warning screen in Windows despite proper code signing. Attempts to package it with WinGet are being blocked due to triggering virus false positives.

Application installer has been submitted to Microsoft here: https://www.microsoft.com/en-us/wdsi/submission/7c3417c4-d6d1-40d7-813e-a0e925d50247

Virustotal.com here

Submission remains pending with Microsoft, as does Azure's help with Trusted Signing identity validation failures.