From 14bfdd6d7853a97d0c5ff76086bf8f60d01549ba Mon Sep 17 00:00:00 2001 From: wangnov <48670012+Wangnov@users.noreply.github.com> Date: Tue, 14 Jul 2026 12:57:09 +0800 Subject: [PATCH] docs(signing): publish SignPath application policies --- README.md | 16 ++- docs/code-signing-policy.md | 143 +++++++++++++++++++++++++++ docs/privacy.md | 140 ++++++++++++++++++++++++++ docs/releases/FALLBACK.md | 6 +- docs/releases/TEMPLATE.md | 6 +- docs/releases/v0.3.1.md | 6 +- docs/windows-signing.md | 38 ++++--- website/index.html | 20 +++- website/public/fonts/shs-bold.woff2 | Bin 242788 -> 247020 bytes website/public/fonts/shs-heavy.woff2 | Bin 237856 -> 242332 bytes website/src/locales/en.ts | 12 ++- website/src/locales/zh.ts | 12 ++- website/src/styles/sections.css | 33 +++++++ 13 files changed, 406 insertions(+), 26 deletions(-) create mode 100644 docs/code-signing-policy.md create mode 100644 docs/privacy.md diff --git a/README.md b/README.md index 0ac8d7d..ef3c4e4 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@
- 官网 · Official Website · 中文 · English + 官网 · Official Website · 代码签名政策 · Code signing policy · 隐私政策 · Privacy policy · 中文 · English
--- @@ -89,7 +89,7 @@ brew install --cask wangnov/tap/codex-app-manager | Windows x64 | `CodexAppManager_x64-setup.exe` | [⤓ 镜像下载](https://codexapp.agentsmirror.com/manager/latest/CodexAppManager_x64-setup.exe) | | Windows ARM64 | `CodexAppManager_arm64-setup.exe` | [⤓ 镜像下载](https://codexapp.agentsmirror.com/manager/latest/CodexAppManager_arm64-setup.exe) | -macOS 版本经 **Developer ID 签名 + Apple 公证**,首次打开不会被 Gatekeeper 拦截。Windows 安装器(`CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe`)当前**没有 Authenticode 代码签名**,首次运行可能出现 SmartScreen 提示;应用内自更新使用的 Tauri updater 签名只校验下载字节,不代表 Windows 发行者信任。详情见 [Windows signing and verification](docs/windows-signing.md)。 +macOS 版本经 **Developer ID 签名 + Apple 公证**,首次打开不会被 Gatekeeper 拦截。Windows 安装器(`CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe`)当前**没有 Authenticode 代码签名**,首次运行可能出现 SmartScreen 提示;应用内自更新使用的 Tauri updater 签名只校验下载字节,不代表 Windows 发行者信任。SignPath Foundation 申请已提交、仍在审核,当前下载不得被描述为已获批或已签名。详情见 [代码签名政策](docs/code-signing-policy.md)与 [Windows signing and verification](docs/windows-signing.md)。 下载后建议用同一 GitHub Release 的 `SHA256SUMS` 核验文件。Windows 可用 PowerShell,macOS 可用 `shasum`: @@ -161,6 +161,11 @@ npm run tauri:build # 本地构建(未签名) - 不伪造或重算 Sparkle 签名(只字节级复制官方签名) - 不替代 OpenAI、Microsoft Store 的官方分发渠道 +## 政策与隐私 + +- [代码签名政策](docs/code-signing-policy.md):SignPath Foundation 申请状态、项目角色、逐次人工审批、可签工件边界与未来的 trusted-build 验证要求。 +- [隐私政策](docs/privacy.md):Manager 更新检查、下载源/代理网络行为、官网本地存储、本地诊断与第三方连接元数据。 + ## 致谢 - **[LINUX DO](https://linux.do/)** 社区 —— 安装体验、更新链路、问题反馈的讨论都汇聚于此。 @@ -221,7 +226,7 @@ Grab your platform's file from the [latest GitHub Release](https://github.com/Wa | Windows x64 | `CodexAppManager_x64-setup.exe` | [⤓ mirror](https://codexapp.agentsmirror.com/manager/latest/CodexAppManager_x64-setup.exe) | | Windows ARM64 | `CodexAppManager_arm64-setup.exe` | [⤓ mirror](https://codexapp.agentsmirror.com/manager/latest/CodexAppManager_arm64-setup.exe) | -The macOS builds are **Developer ID signed + Apple notarized**, so Gatekeeper won't block first launch. The Windows installers (`CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe`) are **not Authenticode-signed** yet, so SmartScreen may warn on first run; the Tauri updater signature used for in-app updates verifies bytes only and is not Windows publisher trust. See [Windows signing and verification](docs/windows-signing.md). +The macOS builds are **Developer ID signed + Apple notarized**, so Gatekeeper won't block first launch. The Windows installers (`CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe`) are **not Authenticode-signed** yet, so SmartScreen may warn on first run; the Tauri updater signature used for in-app updates verifies bytes only and is not Windows publisher trust. The SignPath Foundation application is pending, so current downloads must not be described as approved or signed by SignPath. See the [code signing policy](docs/code-signing-policy.md) and [Windows signing and verification](docs/windows-signing.md). After downloading, compare the file with `SHA256SUMS` from the same GitHub Release. Use PowerShell on Windows or `shasum` on macOS: @@ -293,6 +298,11 @@ npm run tauri:build # local (unsigned) build - Does not forge or recompute Sparkle signatures (official signatures are copied verbatim) - Is not a replacement for official OpenAI / Microsoft Store distribution +## Policy and privacy + +- [Code signing policy](docs/code-signing-policy.md): SignPath Foundation application status, project roles, per-request human approval, artifact scope, and future trusted-build verification requirements. +- [Privacy policy](docs/privacy.md): Manager update checks, download-source and proxy behavior, website local storage, local diagnostics, and third-party connection metadata. + ## Acknowledgements - **[LINUX DO](https://linux.do/)** community — the home for feedback on install experience, update links, and bug reports. diff --git a/docs/code-signing-policy.md b/docs/code-signing-policy.md new file mode 100644 index 0000000..e04c6b7 --- /dev/null +++ b/docs/code-signing-policy.md @@ -0,0 +1,143 @@ +# Code signing policy · 代码签名政策 + +Last updated / 最后更新:2026-07-14 + +## Current status · 当前状态 + +Codex App Manager submitted an application to SignPath Foundation on +2026-07-11. The application is still pending. No production SignPath +organization, project, artifact configuration, or signing policy is configured +for this repository, and no artifact has been signed through the Foundation +service. + +Codex App Manager 已于 2026-07-11 提交 SignPath Foundation 申请,目前仍在审核。 +本仓库尚未配置生产 SignPath organization、project、artifact configuration 或 +signing policy,也没有任何工件通过 Foundation 服务完成签名。 + +The current Windows installers are **not Authenticode-signed**. Their Tauri +updater signatures authenticate update bytes, but they are not Windows +publisher identity and do not remove SmartScreen warnings. The current release +workflow still contains a legacy, optional PFX signing scaffold; it is not a +SignPath integration and unsigned verification remains non-blocking. + +当前 Windows 安装器**没有 Authenticode 签名**。Tauri updater 签名只验证更新工件 +字节,不代表 Windows 发行者身份,也不能消除 SmartScreen 提示。现有发布流程仍保留一条 +可选的 PFX 签名占位路径;它不是 SignPath 接入,未签名校验目前也不会阻断发布。 + +SignPath support will be enabled only by a separate reviewed change after the +application is approved and the trusted-build integration has been verified +with real artifacts. Until then, project pages and release notes must describe +Windows artifacts as unsigned and must not imply Foundation approval. + +只有在申请获批、并用真实工件验证 trusted-build 接入后,项目才会通过独立、受审查的变更 +启用 SignPath。在此之前,项目页面与 release note 必须明确 Windows 工件未签名,不得暗示 +Foundation 已批准本项目。 + +If the application is approved and production signing is activated, the +required attribution will be: + +> Free code signing provided by [SignPath.io](https://about.signpath.io/), certificate by [SignPath Foundation](https://signpath.org/) + +This attribution records the intended provider relationship. It does **not** +claim that current downloads are signed. + +## Scope · 适用范围 + +- This policy covers only Codex App Manager artifacts built from this public, + MIT-licensed repository. +- The Foundation certificate will be used only for executable files and + installers owned and maintained by this project. It will never be used for + personal files, private or commercial software, or another project. +- The official OpenAI Codex desktop application is not embedded in or + repackaged by the Manager installer. The Manager downloads official Codex + artifacts only after the user requests an install or update. +- Open-source dependencies may be bundled where their licenses permit, but + third-party binaries must not be presented or separately signed as + project-owned code. + +- 本政策只适用于从本 MIT 开源仓库构建的 Codex App Manager 工件。 +- Foundation 证书只会用于本项目拥有并维护的可执行文件和安装器,不会用于个人文件、 + 私有/商业软件或其他项目。 +- Manager 安装器不会嵌入或重新打包 OpenAI 官方 Codex 桌面应用。只有在用户主动发起安装 + 或更新后,Manager 才会下载官方 Codex 工件。 +- 在许可证允许时可以打包开源依赖,但不得把第三方二进制冒充或单独签署为本项目自有代码。 + +## Roles and review · 角色与审查 + +Current public role assignments are: + +| Role | Member | Responsibility | +| --- | --- | --- | +| Committer / author | [@Wangnov](https://github.com/Wangnov) | Maintains source, build configuration, and release preparation. | +| Reviewer | [@Wangnov](https://github.com/Wangnov) | Reviews external contributions and verifies maintainer-authored PR diffs and required checks before merge. | +| SignPath approver | [@Wangnov](https://github.com/Wangnov) | After approval, manually reviews and approves each individual signing request. | + +当前项目是单维护者项目,因此同一名维护者承担多个角色。外部贡献必须经维护者审查;维护者 +自己的变更也必须通过 pull request、必需 CI 和明确的 diff/review 收尾后才可 squash 合并。 +如果 SignPath 的最终配置要求不同人员之间的职责分离,项目会在启用生产签名前公开增加成员 +并更新本表。 + +All GitHub and SignPath accounts used for source control, release, approval, or +administration must use multi-factor authentication. Access is granted with +least privilege, and role changes must remain auditable. + +用于源码、发布、审批或管理的 GitHub 与 SignPath 账户必须启用多因素认证。权限按最小权限 +原则配置,角色变化必须可审计。 + +## Source and release controls · 源码与发布控制 + +- `main` is protected by an active GitHub ruleset. Changes enter through pull + requests and must pass Frontend plus Rust checks on macOS and Windows. +- Force pushes and branch deletion are prohibited. Repository administrators + technically retain an emergency bypass; a bypassed change must not be used + for a signing request until its diff and CI have been reviewed and recorded. +- The future SignPath policy must accept artifacts only from the trusted GitHub + Actions integration for this public repository, with origin verification + bound to the reviewed source revision and approved release ref. +- Every production signing request requires a separate manual approval. No + automatic approval, bulk pre-approval, or reuse of an old approval is + permitted. + +- `main` 由启用中的 GitHub ruleset 保护。所有变更通过 pull request 进入,并必须通过 + Frontend、macOS Rust 与 Windows Rust 检查。 +- 禁止 force push 和删除分支。仓库管理员技术上仍有紧急 bypass;通过 bypass 进入的变更 + 在 diff 与 CI 被重新审查并留下记录前,不得用于签名请求。 +- 未来的 SignPath policy 只能接受来自本公开仓库、经 SignPath 信任的 GitHub Actions + 集成所生成的工件;origin verification 必须绑定已审查的源码 revision 与获准发布 ref。 +- 每一次生产签名请求都必须单独人工批准,不允许自动审批、批量预批准或复用旧审批。 + +## Artifact and verification requirements · 工件与验证要求 + +Before production signing can be enabled, a reviewed integration must prove all +of the following with real x64 and ARM64 artifacts: + +1. The signing request is bound to the expected repository, commit, release + ref, workflow run, version, and artifact digest. +2. Artifact configuration enforces the Codex App Manager product name and a + consistent product/file version. +3. The intended project-owned PE layers are covered: the installed main + executable, uninstaller, and final installer. Third-party binaries are not + signed as project-owned files. +4. Every required PE reports a valid Authenticode signature from the expected + SignPath Foundation publisher and carries a valid timestamp. +5. The Tauri updater signature is generated only after Authenticode signing so + it authenticates the final published bytes. +6. Files uploaded to GitHub Releases and mirrors are byte-identical to the + verified signed artifacts. +7. Any signing, origin-verification, timestamp, malware-scan, or post-signature + verification failure blocks publication; there is no unsigned fallback. + +生产签名启用前,独立受审查的接入必须用真实 x64 与 ARM64 工件证明以上全部条件。任何签名、 +来源验证、时间戳、恶意软件扫描或签后校验失败都必须阻断发布,不得回退为未签名发布。 + +Operational details and the current legacy scaffold are documented in +[`Windows signing and verification`](./windows-signing.md). Network behavior +and user data handling are documented in the [privacy policy](./privacy.md). + +## References · 参考 + +- [SignPath Foundation conditions](https://signpath.org/terms.html) +- [SignPath GitHub trusted build systems](https://docs.signpath.io/trusted-build-systems/github) +- [SignPath origin verification](https://docs.signpath.io/origin-verification/) +- [Privacy policy](./privacy.md) +- [Windows signing and verification](./windows-signing.md) diff --git a/docs/privacy.md b/docs/privacy.md new file mode 100644 index 0000000..15aeddb --- /dev/null +++ b/docs/privacy.md @@ -0,0 +1,140 @@ +# Privacy policy · 隐私政策 + +Effective date / 生效日期:2026-07-14 + +This policy applies to Codex App Manager, its public website, and the download +router maintained by this repository. Third-party services selected or contacted +by the user remain subject to their own privacy policies. + +本政策适用于 Codex App Manager、本项目官网以及本仓库维护的下载路由。用户选择或应用 +为完成公开功能而访问的第三方服务,仍分别适用其自身的隐私政策。 + +## What we do not collect · 我们不收集什么 + +- The app has no account system and does not ask for a name, email address, + phone number, or payment information. +- The app and website contain no project-operated telemetry, advertising, + crash-reporting, or behavioral-analytics service. +- The project does not intentionally read or upload conversations, + credentials, workspace files, or other user content from `~/.codex`. +- Settings, logs, and diagnostics remain local unless the user deliberately + copies or attaches them to an issue or support request. + +- 应用没有账户系统,不要求姓名、邮箱、电话或付款信息。 +- 应用与官网不包含由本项目运营的遥测、广告、崩溃上报或行为分析服务。 +- 项目不会主动读取或上传 `~/.codex` 中的对话、凭据、工作区文件或其他用户内容。 +- 设置、日志和诊断默认只保存在本机;只有用户主动复制或附加到 Issue/支持请求时才会离开 + 本机。 + +## Network requests made by the app · 应用发起的网络请求 + +Network requests provide update, download, and verification features; they are +not used for telemetry: + +- **Manager self-update:** the current version checks only when the user selects + “Check for manager updates” on the About screen. Download, installation, and + restart require a separate user confirmation. +- **Codex update checks:** by default, the Manager checks Codex on the Home + screen at startup and periodically while the Manager remains open. Users can + independently disable startup and periodic checks and adjust the interval. +- **Install, update, and verification:** a user-initiated operation contacts the + selected mirror, official OpenAI source, GitHub fallback, or a custom HTTPS + source to obtain manifests, appcasts, checksums, and installers. +- **Proxy behavior:** requests may use the system mode, direct mode, or a proxy + configured by the user. A custom proxy can observe destination hosts and + ordinary connection metadata for traffic it handles. +- **External links:** repository, feedback, and policy links open only after a + user action. + +网络请求只用于更新、下载与校验,不用于遥测: + +- **Manager 自身更新:**当前版本只有在用户进入“关于”并点击“检查管理器更新”时才会检查; + 下载、安装与重启还需要用户再次确认。 +- **Codex 更新检查:**默认在主界面启动时检查,并在 Manager 保持打开时按设置周期检查。 + 用户可以分别关闭启动检查和定时检查,也可调整间隔。 +- **安装、更新与校验:**用户主动发起操作后,应用会访问所选镜像、OpenAI 官方源、GitHub + 后备源或自定义 HTTPS 源,以取得 manifest、appcast、checksum 与安装包。 +- **代理行为:**请求可使用系统模式、直连模式或用户配置的代理。自定义代理能够看到它所 + 转发流量的目标 host 和正常连接元数据。 +- **外部链接:**仓库、反馈与政策链接只会在用户主动点击后打开。 + +## Services and connection metadata · 服务与连接元数据 + +Default network paths may include: + +- `codexapp.agentsmirror.com` for Manager and Codex manifests, downloads, and + update metadata. Cloudflare normally serves or routes these requests; mainland + China requests may be redirected to an IHEP S3 mirror. +- `github.com` and `githubusercontent.com` for public repository pages and + Manager update fallback artifacts. +- OpenAI-operated hosts such as `persistent.oaistatic.com` when the official + Codex source is selected. +- `go.microsoft.com` when the Windows installer needs to download Microsoft's + WebView2 bootstrapper before Codex App Manager can run. Systems that already + have a suitable WebView2 runtime do not need this download. +- A custom HTTPS source or proxy explicitly configured by the user. + +这些服务与普通 HTTPS 服务一样,可能处理来源 IP、请求时间与路径、User-Agent、响应状态 +以及防滥用/安全日志。项目维护者无法代表第三方承诺其保留期限。相关第三方政策包括: + +- [GitHub General Privacy Statement](https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement) +- [Cloudflare Privacy Policy](https://www.cloudflare.com/privacypolicy/) +- [OpenAI Privacy Policy](https://openai.com/policies/privacy-policy/) +- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) + +Windows 首次安装时,如果系统没有可用的 WebView2 runtime,NSIS 安装器会在 Manager +启动前通过 `go.microsoft.com` 下载并运行 Microsoft WebView2 bootstrapper;已有合适 +runtime 的系统不需要这次下载。该连接适用 Microsoft 的隐私政策。 + +IHEP S3 hosts the mainland-China mirror node. As of this policy date, the +project has not identified a standalone public privacy policy for that mirror +endpoint. Applicable institutional terms and legal obligations govern its +processing; see the [IHEP website](https://english.ihep.cas.cn/). This document +will add a direct policy link if one becomes available. + +## Website storage · 官网本地存储 + +The website stores only the visitor's language choice in browser local storage +under `cam-site-lang`. It embeds no advertising or analytics script. Cloudflare, +as the hosting and routing provider, may still generate ordinary access and +security logs under its own policy. + +官网只在浏览器 local storage 的 `cam-site-lang` 中保存语言选择,不嵌入广告或分析脚本。 +作为托管和路由服务商,Cloudflare 仍可能按其政策生成正常的访问与安全日志。 + +## Local data and diagnostics · 本地数据与诊断 + +The app stores settings, installation provenance, update state, operation state, +and diagnostic logs on the local machine. A copied diagnostic report can include +the app version, operating system and architecture, update-source host, install +status, local log paths, error text, and—when an upstream tool includes it—the +complete request URL or query parameters. The app does not intentionally add +signing private keys, passwords, or SignPath tokens to diagnostics, but users +must still inspect and redact reports before sharing them. + +应用会在本机保存设置、安装来源、更新状态、操作状态和诊断日志。用户复制的诊断报告可能 +包含应用版本、操作系统与架构、更新源 host、安装状态、本地日志路径、错误文本;如果上游 +工具把完整请求地址写入错误,还可能包含 URL query。应用不会主动把签名私钥、密码或 +SignPath token 加进诊断,但用户分享前仍必须检查并删改。 + +Users should review and redact diagnostics before sharing them publicly. +Uninstalling Codex App Manager does not automatically delete data owned by the +separately installed Codex application; the uninstall UI explains its retention +scope. + +用户公开分享诊断前应先检查并删改敏感内容。卸载 Codex App Manager 不会自动删除独立安装 +的 Codex 应用所拥有的数据;卸载界面会说明实际保留范围。 + +## Contact and user choices · 联系方式与用户选择 + +Users can disable Codex startup/periodic checks, choose an update source and +proxy, and decide whether to install a Manager update. Report privacy or +security concerns through [GitHub Issues](https://github.com/Wangnov/Codex-App-Manager/issues). +Never post tokens, passwords, private keys, complete presigned URLs, or other +secrets publicly. + +用户可以关闭 Codex 启动/定时检查、选择更新源与代理,并决定是否安装 Manager 更新。 +隐私或安全问题请通过 [GitHub Issues](https://github.com/Wangnov/Codex-App-Manager/issues) +报告;请勿公开粘贴 token、密码、私钥、完整预签名 URL 或其他秘密。 + +See also the [code signing policy](./code-signing-policy.md). diff --git a/docs/releases/FALLBACK.md b/docs/releases/FALLBACK.md index 9d86bd6..5ca93a4 100644 --- a/docs/releases/FALLBACK.md +++ b/docs/releases/FALLBACK.md @@ -16,8 +16,10 @@ | Windows · x64 | [CodexAppManager_x64-setup.exe](https://codexapp.agentsmirror.com/manager/latest/CodexAppManager_x64-setup.exe) | | Windows · ARM64 | [CodexAppManager_arm64-setup.exe](https://codexapp.agentsmirror.com/manager/latest/CodexAppManager_arm64-setup.exe) | -**Windows 签名状态:** `CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe` 当前没有 Authenticode 代码签名,首次运行可能出现 SmartScreen 提示;`.sig` / `latest.json` 里的 Tauri updater 签名只用于应用内自更新的字节校验,不代表 Windows 发行者信任。详情见 [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md)。 -**Windows signing status:** `CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe` are not Authenticode-signed yet, so SmartScreen may warn on first run; the Tauri updater signature in `.sig` / `latest.json` verifies in-app update bytes only and is not Windows publisher trust. See [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md). +**Windows 签名状态:** `CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe` 当前没有 Authenticode 代码签名,首次运行可能出现 SmartScreen 提示;`.sig` / `latest.json` 的 Tauri updater 签名只校验更新字节,不代表 Windows 发行者身份。SignPath Foundation 申请仍在审核。参见 [代码签名政策](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/code-signing-policy.md)与 [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md)。 +**Windows signing status:** `CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe` are not Authenticode-signed, so SmartScreen may warn on first run. The Tauri updater signature in `.sig` / `latest.json` verifies update bytes only and is not Windows publisher identity. The SignPath Foundation application is pending. See the [code signing policy](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/code-signing-policy.md) and [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md). + +**隐私 · Privacy:** [隐私政策 · Privacy policy](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/privacy.md) **核验下载:** 本页 Assets 带有 `SHA256SUMS`;Windows 用 `Get-FileHash .\CodexAppManager_x64-setup.exe -Algorithm SHA256` 或替换为 ARM64 文件名,macOS 用 `shasum -a 256 CodexAppManager_aarch64.dmg`,再与 `SHA256SUMS` 比对。 **Verify downloads:** This release includes `SHA256SUMS` in Assets; on Windows run `Get-FileHash .\CodexAppManager_x64-setup.exe -Algorithm SHA256` or swap in the ARM64 filename, and on macOS run `shasum -a 256 CodexAppManager_aarch64.dmg`, then compare with `SHA256SUMS`. diff --git a/docs/releases/TEMPLATE.md b/docs/releases/TEMPLATE.md index 90cc7ce..a87133e 100644 --- a/docs/releases/TEMPLATE.md +++ b/docs/releases/TEMPLATE.md @@ -43,8 +43,10 @@ | Windows · x64 | [CodexAppManager_x64-setup.exe](https://codexapp.agentsmirror.com/manager/latest/CodexAppManager_x64-setup.exe) | | Windows · ARM64 | [CodexAppManager_arm64-setup.exe](https://codexapp.agentsmirror.com/manager/latest/CodexAppManager_arm64-setup.exe) | -**Windows 签名状态:** `CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe` 当前没有 Authenticode 代码签名,首次运行可能出现 SmartScreen 提示;`.sig` / `latest.json` 里的 Tauri updater 签名只用于应用内自更新的字节校验,不代表 Windows 发行者信任。详情见 [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md)。 -**Windows signing status:** `CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe` are not Authenticode-signed yet, so SmartScreen may warn on first run; the Tauri updater signature in `.sig` / `latest.json` verifies in-app update bytes only and is not Windows publisher trust. See [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md). +**Windows 签名状态(本版必须据实填写):** 当前安装器没有 Authenticode 代码签名,首次运行可能出现 SmartScreen 提示;不得把 `.sig` / `latest.json` 的 Tauri updater 字节签名写成 Windows 发行者身份。SignPath Foundation 申请仍在审核。参见 [代码签名政策](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/code-signing-policy.md)与 [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md)。 +**Windows signing status (replace with this release's verified facts):** The current installers are not Authenticode-signed, so SmartScreen may warn on first run. Never describe a Tauri updater signature in `.sig` / `latest.json` as Windows publisher identity. The SignPath Foundation application is pending. See the [code signing policy](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/code-signing-policy.md) and [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md). + +**隐私 · Privacy:** [隐私政策 · Privacy policy](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/privacy.md) **核验下载:** 本页 Assets 带有 `SHA256SUMS`;Windows 用 `Get-FileHash .\CodexAppManager_x64-setup.exe -Algorithm SHA256` 或替换为 ARM64 文件名,macOS 用 `shasum -a 256 CodexAppManager_aarch64.dmg`,再与 `SHA256SUMS` 比对。 **Verify downloads:** This release includes `SHA256SUMS` in Assets; on Windows run `Get-FileHash .\CodexAppManager_x64-setup.exe -Algorithm SHA256` or swap in the ARM64 filename, and on macOS run `shasum -a 256 CodexAppManager_aarch64.dmg`, then compare with `SHA256SUMS`. diff --git a/docs/releases/v0.3.1.md b/docs/releases/v0.3.1.md index 0074596..a9777e1 100644 --- a/docs/releases/v0.3.1.md +++ b/docs/releases/v0.3.1.md @@ -53,8 +53,10 @@ | Windows · x64 | [CodexAppManager_x64-setup.exe](https://codexapp.agentsmirror.com/manager/latest/CodexAppManager_x64-setup.exe) | | Windows · ARM64 | [CodexAppManager_arm64-setup.exe](https://codexapp.agentsmirror.com/manager/latest/CodexAppManager_arm64-setup.exe) | -**Windows 签名状态:** `CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe` 当前没有 Authenticode 代码签名,首次运行可能出现 SmartScreen 提示;`.sig` / `latest.json` 里的 Tauri updater 签名只用于应用内自更新的字节校验,不代表 Windows 发行者信任。详情见 [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md)。 -**Windows signing status:** `CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe` are not Authenticode-signed yet, so SmartScreen may warn on first run; the Tauri updater signature in `.sig` / `latest.json` verifies in-app update bytes only and is not Windows publisher trust. See [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md). +**Windows 签名状态:** `CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe` 当前没有 Authenticode 代码签名,首次运行可能出现 SmartScreen 提示;`.sig` / `latest.json` 的 Tauri updater 签名只校验更新字节,不代表 Windows 发行者身份。SignPath Foundation 申请仍在审核。参见 [代码签名政策](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/code-signing-policy.md)与 [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md)。 +**Windows signing status:** `CodexAppManager_x64-setup.exe` / `CodexAppManager_arm64-setup.exe` are not Authenticode-signed, so SmartScreen may warn on first run. The Tauri updater signature in `.sig` / `latest.json` verifies update bytes only and is not Windows publisher identity. The SignPath Foundation application is pending. See the [code signing policy](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/code-signing-policy.md) and [Windows signing and verification](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/windows-signing.md). + +**隐私 · Privacy:** [隐私政策 · Privacy policy](https://github.com/Wangnov/Codex-App-Manager/blob/main/docs/privacy.md) **核验下载:** 本页 Assets 带有 `SHA256SUMS`;Windows 用 `Get-FileHash .\CodexAppManager_x64-setup.exe -Algorithm SHA256` 或替换为 ARM64 文件名,macOS 用 `shasum -a 256 CodexAppManager_aarch64.dmg`,再与 `SHA256SUMS` 比对。 **Verify downloads:** This release includes `SHA256SUMS` in Assets; on Windows run `Get-FileHash .\CodexAppManager_x64-setup.exe -Algorithm SHA256` or swap in the ARM64 filename, and on macOS run `shasum -a 256 CodexAppManager_aarch64.dmg`, then compare with `SHA256SUMS`. diff --git a/docs/windows-signing.md b/docs/windows-signing.md index bec12cd..b3ee2ae 100644 --- a/docs/windows-signing.md +++ b/docs/windows-signing.md @@ -5,9 +5,12 @@ signing. The installer is still published through GitHub Releases and the agentsmirror download mirror, and every release includes `SHA256SUMS` so users can verify the bytes they downloaded. -CI already prepares the Authenticode **path** (sign script, verify script, optional -release step, packaged lifecycle smoke). Certificate secrets are optional and -non-blocking until budget/demand justify an OV/EV cert. +CI already contains a legacy optional PFX-based Authenticode scaffold (sign +script, verify script, optional release step, and packaged lifecycle smoke). +That scaffold is not the SignPath integration. A SignPath Foundation application +was submitted on 2026-07-11 and is still pending; the current Windows artifacts +remain unsigned. See the public [code-signing policy](code-signing-policy.md) and +[privacy policy](privacy.md). ## 中文 @@ -18,12 +21,13 @@ non-blocking until budget/demand justify an OV/EV cert. - Windows 应用内自更新包带有 Tauri updater 签名,用于校验下载字节没有被篡改。 - Windows 首次手动运行安装器时可能出现 SmartScreen 提示;这是预期风险,不是更新器签名失效。 - CI 已接入安装包冒烟(x64:`install → launch → upgrade → uninstall`)与 Authenticode 探测;证书未配置时签名步骤跳过且校验为非阻塞。 +- SignPath Foundation 免费代码签名申请已于 2026-07-11 提交,目前仍在审核;尚未获得服务批准或启用签名流水线。公开规则见[代码签名政策](code-signing-policy.md),数据边界见[隐私政策](privacy.md)。 ### 三个概念 **Tauri updater 签名:** `latest.json` 里的 `signature` 对安装包字节签名。它保护应用内自更新下载,确保镜像或网络传输没有改包。它不参与 Windows 系统的发行者信任判断,也不能消除 SmartScreen 提示。实现:`npx tauri signer sign` + `TAURI_SIGNING_PRIVATE_KEY`。 -**Authenticode 代码签名:** Windows 对 PE 文件和安装器使用的代码签名体系。拥有 OV 或 EV 证书后,安装器可以显示发行者身份,并更容易建立系统信任。本项目当前还没有给 Windows 安装器做 Authenticode 签名。实现路径见下文「CI / 发布管线」。 +**Authenticode 代码签名:** Windows 对 PE 文件和安装器使用的代码签名体系。由可信证书提供方签名后,安装器可以显示发行者身份,并逐步建立系统信任。本项目当前还没有给 Windows 安装器做 Authenticode 签名;已选择 SignPath Foundation 作为申请中的公开方案。 **SmartScreen 信誉:** Microsoft Defender SmartScreen 会结合签名身份、下载量、历史信誉和风险信号做拦截判断。EV 证书通常能更快建立信誉;OV 证书和未签名分发都需要累积信誉,未签名安装器首次运行更容易被提示。 @@ -57,13 +61,13 @@ shasum -a 256 CodexAppManager_x86_64.dmg **Microsoft Store / Partner Center:** 这是中期可选路径,需要开发者账号、MSIX 打包和商店审核。优点是用户信任更强,缺点是流程和维护成本更高。 -**OV / EV 代码签名证书:** 证书不是当前发布阻塞项。后续可在 Windows 下载量、企业用户需求或支持成本达到明确阈值后重新评估。EV 成本更高但信誉建立更快;OV 成本较低但仍需累积 SmartScreen 信誉。 +**SignPath Foundation:** 本项目已提交免费代码签名申请,但审核通过前不会声称安装器已签名。若获批,接入会在单独 PR 中完成 trusted build、人工批准与 installer / 主程序 / uninstaller 三层验证;当前的可选 PFX 占位并不等于 SignPath 集成。 **不推荐的降本方式:** 不把私钥托管给不可信第三方,不合租硬件令牌,不把代码签名能力转交给无法审计的渠道。 ### 风险披露 -未签名 Windows 安装器意味着用户首次运行可能需要在 SmartScreen 中选择更多信息后继续。项目通过公开 release、镜像直链、`SHA256SUMS`、Tauri updater 签名和透明文档降低篡改与误解风险;这不能替代 Authenticode,但可以让用户在证书预算到位前做独立核验。 +未签名 Windows 安装器意味着用户首次运行可能需要在 SmartScreen 中选择更多信息后继续。项目通过公开 release、镜像直链、`SHA256SUMS`、Tauri updater 签名和透明文档降低篡改与误解风险;这不能替代 Authenticode,但可以让用户在 SignPath Foundation 审核与独立接入完成前做独立核验。 ### CI / 发布管线(Authenticode 路径) @@ -74,7 +78,12 @@ shasum -a 256 CodexAppManager_x86_64.dmg | `release.yml` Windows | PE 架构诊断 → 可选 Authenticode 签名 → Authenticode 校验 → Tauri updater `.sig` → 收集**最终**工件 | updater `.sig` 与工件齐全为阻塞;Authenticode 默认非阻塞 | | ARM64 | 交叉构建 + PE machine=`0xAA64` 诊断;**不是**实机运行验证 | 交叉构建失败阻塞;运行验证见下 | -**启用 Authenticode(证书就绪后):** +**现有 PFX 占位路径(不是 SignPath 接入):** + +下面记录的是仓库当前已有的可选 PFX 代码路径,不是推荐的 Foundation +接入方式,也不应被配置成 Foundation 方案。若 SignPath 申请获批,会通过 +单独、可审查的 PR 接入其 trusted build 与人工审批流程,并在发布前验证 +installer、主程序和 uninstaller 三层 PE 签名。 1. 在 `release` environment 配置 secrets: - `WINDOWS_CERTIFICATE` — base64 编码的 OV/EV `.pfx` @@ -114,12 +123,13 @@ shasum -a 256 CodexAppManager_x86_64.dmg - Windows in-app update artifacts carry the Tauri updater signature, which verifies the downloaded bytes. - SmartScreen may warn when users manually run the Windows installer for the first time; that is the known distribution risk, not an updater-signature failure. - CI already runs x64 packaged lifecycle smoke (`install → launch → upgrade → uninstall`) and Authenticode probes; signing is skipped and verification is non-blocking until a certificate is configured. +- The free SignPath Foundation code-signing application was submitted on 2026-07-11 and remains pending. No service approval or signing pipeline is in place. See the public [code-signing policy](code-signing-policy.md) and [privacy policy](privacy.md). ### Three separate concepts **Tauri updater signature:** The `signature` field in `latest.json` signs the installer bytes. It protects in-app self-update downloads from tampering across mirrors and network hops. It is not Windows publisher trust and does not remove SmartScreen warnings. Implementation: `npx tauri signer sign` + `TAURI_SIGNING_PRIVATE_KEY`. -**Authenticode code signing:** This is the Windows code-signing system for PE files and installers. With an OV or EV certificate, the installer can show a publisher identity and build operating-system trust. This project does not currently Authenticode-sign the Windows installer. The prepared CI path is documented below. +**Authenticode code signing:** This is the Windows code-signing system for PE files and installers. A trusted certificate provider can let the installer show a publisher identity and build operating-system trust. This project does not currently Authenticode-sign the Windows installer; SignPath Foundation is the public path under application. **SmartScreen reputation:** Microsoft Defender SmartScreen combines signing identity, download volume, historical reputation, and risk signals. EV certificates usually establish reputation faster; OV certificates and unsigned distribution still need reputation to build, and unsigned installers are more likely to warn on first run. @@ -154,7 +164,7 @@ issue with the source URL and filename. **Microsoft Store / Partner Center:** This is a medium-term option. It requires a developer account, MSIX packaging, and Store review. It improves user trust but adds process and maintenance cost. -**OV / EV code-signing certificate:** A certificate is not a release blocker today. Re-evaluate when Windows download volume, enterprise demand, or support cost crosses a clear threshold. EV costs more but establishes reputation faster; OV costs less but still needs SmartScreen reputation to build. +**SignPath Foundation:** The project has submitted an application for free code signing, but will not claim signed installers before approval. If approved, a separate PR will integrate trusted builds, manual approval, and three-layer verification for the installer, main executable, and uninstaller. The current optional PFX scaffold is not a SignPath integration. **Cost shortcuts to avoid:** Do not custody private keys with untrusted third parties, share hardware tokens, or hand signing capability to channels that cannot be audited. @@ -165,7 +175,7 @@ and continue through SmartScreen on first run. The project reduces tampering and confusion risk with public releases, mirror permalinks, `SHA256SUMS`, Tauri updater signatures, and transparent documentation. Those mitigations do not replace Authenticode, but they let users verify downloads independently until -certificate budget and demand justify Windows code signing. +the SignPath Foundation review and a separately reviewed integration are complete. ### CI / release pipeline (Authenticode path) @@ -176,7 +186,13 @@ certificate budget and demand justify Windows code signing. | `release.yml` Windows | PE arch diagnostic → optional Authenticode sign → Authenticode verify → Tauri updater `.sig` → collect **final** artifacts | Updater `.sig` + artifact set block; Authenticode optional by default | | ARM64 | Cross-build + PE machine=`0xAA64` diagnostic; **not** runtime verification | Cross-build failure blocks; runtime verification below | -**Turning on Authenticode (when a cert is available):** +**Existing PFX scaffold (not the SignPath integration):** + +The steps below document the repository's current optional PFX code path. They +are not the recommended Foundation integration and must not be configured as a +substitute for it. If the SignPath application is approved, a separate, +reviewable PR will integrate its trusted-build and manual-approval workflow and +verify all three PE layers: installer, main executable, and uninstaller. 1. Add secrets on the `release` environment: - `WINDOWS_CERTIFICATE` — base64-encoded OV/EV `.pfx` diff --git a/website/index.html b/website/index.html index affd554..436bdda 100644 --- a/website/index.html +++ b/website/index.html @@ -12,7 +12,7 @@ @@ -213,7 +213,7 @@