Code Signing Policy
Last updated: 2026-06-14 · Signed by SignPath Foundation
Signing Team
| Role | Member |
|---|---|
| Author | Stan Wu |
| Reviewer | Stan Wu |
| Approver | Stan Wu |
Signed Artifacts
Windows installers (.exe, .msi) are signed for each official release. Linux packages (.deb, .rpm) and source code are not covered by this signing policy.
Policy
- All signing requests require manual approval by the Approver before execution.
- Signing is performed only on artifacts produced by the official GitHub Actions release workflow.
- All team members have Multi-Factor Authentication (MFA) enabled on their GitHub accounts.
- The signing certificate is issued by SignPath Foundation for open-source projects under the GNU GPL v3.
Verification
Signed Windows binaries can be verified via Windows Explorer (right-click → Properties → Digital Signatures) or PowerShell (on Windows; Get-AuthenticodeSignature is not available in PowerShell on Linux or macOS):
Get-AuthenticodeSignature .\md2u_x64-setup.exe
A good result reports Status as Valid, which means the hash matches and the certificate chains to a trusted root. Any other status (NotSigned, HashMismatch, UnknownError) means the file is not an unaltered official release. Also check that the signer certificate shown is the SignPath Foundation certificate described under Policy: a valid signature from some other certificate does not prove the file came from this project.
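The following PowerShell function is an added example, not part of this policy or the md2u project. It wraps Get-AuthenticodeSignature and Get-FileHash into one check that refuses an installer unless the signature status is Valid, the signer subject matches an expected pattern, a timestamp countersignature is present and, optionally, the SHA-256 matches a value obtained out of band. The default signer pattern ('SignPath Foundation') and the optional hash parameter are assumptions for illustration; adjust the pattern to what the real certificate shows.

```powershell
# Added example: verify a signed md2u Windows installer before installing it.
# Not part of the signing policy or the md2u project. The expected signer
# pattern and the optional out-of-band hash are assumptions for illustration.
function Test-ReleaseSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate subject (assumption:
        # replace with what the actual SignPath Foundation certificate shows).
        [string] $ExpectedSignerPattern = 'SignPath Foundation',
        # Optional SHA-256 obtained separately (e.g. copied from the release
        # page), if the project publishes one.
        [string] $ExpectedSha256
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()

    # 'Valid' means the file hash matches the signature AND the certificate
    # chains to a trusted root. NotSigned, HashMismatch and UnknownError are
    # all failures; the mere presence of a certificate is not success.
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # A valid signature from the wrong signer is still the wrong binary.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($subject -notlike "*$ExpectedSignerPattern*") {
        $problems += "unexpected signer subject: '$subject'"
    }

    # A timestamp countersignature keeps the signature verifiable after the
    # signing certificate expires; its absence is worth flagging.
    if (-not $sig.TimeStamperCertificate) {
        $problems += 'no timestamp countersignature'
    }

    # Independent integrity check against a hash fetched out of band.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpperInvariant()) {
        $problems += "SHA-256 mismatch: got $hash"
    }

    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        Signer    = $subject
        Timestamp = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { $null }
        Sha256    = $hash
        Ok        = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Usage: inspect the result and stop if any check failed.
$result = Test-ReleaseSignature -Path .\md2u_x64-setup.exe
$result | Format-List
if (-not $result.Ok) {
    Write-Error "Refusing to install: $($result.Problems -join '; ')"
}
```

The function returns an object rather than just printing, so it can be used in a deployment script that aborts on any problem. Treat the signer-subject check as mandatory: Windows will report Status Valid for any file signed with any certificate that chains to a trusted root, so the subject is what ties the binary to this project.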
Build Transparency
All release builds are produced by GitHub Actions. Build logs are publicly visible at github.com/stanwu/md2u/actions.