Files
2026-07-13 13:12:33 +08:00

125 lines
5.0 KiB
Markdown

# OpenSquilla Code Signing Policy
This policy documents the current code signing status for OpenSquilla release
artifacts and the rules for any future signing workflow.
## Current Status
Windows release builds are currently unsigned. The Windows desktop installer,
updater metadata, and checksums are built and published without a Windows
code-signing certificate. Download pages and release notes must not claim Windows code signing
until a signing workflow has been approved, enabled, and verified for the
specific release artifact.
macOS release packaging is handled separately through the Apple signing and
notarization path configured by maintainers for macOS artifacts. This document's
planned SignPath section applies to Windows code signing for open-source
community release artifacts.
## User Verification
Users should download OpenSquilla release artifacts from the official GitHub
Releases page and compare file hashes against the published `SHA256SUMS` file
for the same release. A matching checksum verifies that the downloaded bytes
match the bytes published by the project; it does not imply Windows Authenticode
code signing while Windows builds remain unsigned.
## Future SignPath Foundation Plan
OpenSquilla is preparing to apply for free open-source Windows code signing
through SignPath Foundation. This is not enabled yet.
If the project is approved and signing is enabled, the affected open-source
community release artifacts may show `SignPath Foundation` as the Windows
publisher. Because approval is still pending, the following attribution is a
planned signing disclosure and does not claim that current Windows artifacts are
signed:
Free code signing provided by SignPath.io, certificate by SignPath Foundation.
The SignPath Foundation path will apply only to OpenSquilla open-source
community artifacts that are released under the project's OSI-approved license
and that do not include proprietary or commercial-only components.
## Privacy Policy
OpenSquilla's privacy policy is published at [`PRIVACY.md`](../PRIVACY.md). It
describes local data, provider requests, network observability, logs, release
downloads, and deletion. Non-user-initiated network observability can be
disabled before startup with:
```sh
OPENSQUILLA_PRIVACY_DISABLE_NETWORK_OBSERVABILITY=true
```
or with:
```toml
[privacy]
disable_network_observability = true
```
Legacy compatibility environment variables remain honored:
```sh
OPENSQUILLA_TELEMETRY_DISABLED=true
OPENSQUILLA_UPDATE_CHECK_DISABLED=true
```
## Commercial Builds
This policy does not restrict future commercial editions, enterprise builds,
hosted services, support offerings, or proprietary add-ons from using a
separate commercial code-signing certificate or a separate commercial signing
service. Commercial or proprietary release artifacts must not be signed with
the SignPath Foundation certificate path unless they independently satisfy the
foundation program requirements.
## Release Build Requirements
Any future Windows signing workflow must run before updater metadata, blockmaps,
and `SHA256SUMS` are finalized. Signing an `.exe` after `latest.yml`,
`.blockmap`, or `SHA256SUMS` has been generated changes the installer bytes and
invalidates those release metadata files.
Before enabling Windows signing, maintainers must verify:
- the signing provider and certificate are approved for the exact artifact type
- the build runs from the trusted release workflow
- release signing requires maintainer approval
- team members with release or signing access use multi-factor authentication
- if network observability or any other non-user-specified network transfer
remains enabled by default, the installer displays the privacy policy and
exposes the unified network observability disable switch before startup
- signed artifacts, updater metadata, blockmaps, and checksums are generated
from the same final bytes
- release notes and download pages accurately describe the signing status
## Roles And Approval
Repository: <https://github.com/opensquilla/opensquilla>
Initial committers and reviewers:
- [@Open-Squilla](https://github.com/Open-Squilla)
Initial SignPath approvers:
- [@Open-Squilla](https://github.com/Open-Squilla)
OpenSquilla maintainers are responsible for release approval, release notes, and
final publication. If SignPath signing is enabled later, SignPath approvers will
approve signing requests only for the open-source community artifacts covered by
this policy. Additional committers, reviewers, or SignPath approvers must be
listed in this policy before they approve release signing requests. All
committers, reviewers, and approvers must use multi-factor authentication for
GitHub and SignPath access.
## Revocation Or Incident Response
If a signed artifact is found to be incorrect, compromised, or outside the
approved signing scope, maintainers will stop distributing the affected asset,
publish a corrected release or advisory, and request revocation through the
signing provider when appropriate. Unsigned artifacts remain covered by the
project's normal release correction and checksum replacement process.