Problem
The release workflow builds binaries for Windows (MSI/NSIS), macOS (DMG), and Linux but has no code signing step. macOS builds lack notarization entirely.
Impact
- macOS Gatekeeper will block the app with unidentified developer warnings
- Windows SmartScreen will flag the installer
- Enterprise users cannot whitelist the app via MDM
Affected Files
- .github/workflows/release.yml
Suggested Fix
- Add Apple Developer ID signing + notarization for macOS
- Add Authenticode signing for Windows
- Use GitHub secrets for certificates
- At minimum, document the signing process for maintainers
Severity: Medium - Distribution/Security
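
One way the suggested fix could look in `.github/workflows/release.yml`, as an added example that is not part of the original issue or the project's own workflow. The secret names, the `dist/` artifact paths and the timestamp server URL are assumptions; each job fails if the resulting signature does not verify.

```yaml
# Added example (workflow fragment); secret names, dist/ paths and timestamp URL are assumptions.
jobs:
  sign-macos:
    runs-on: macos-latest
    steps:
      # ...existing build steps; the .app inside the DMG must already be signed with hardened runtime.
      - name: Import Developer ID certificate into a temporary keychain
        env:
          P12_BASE64: ${{ secrets.MACOS_CERT_P12_BASE64 }}
          P12_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          KEYCHAIN="$RUNNER_TEMP/signing.keychain-db"
          echo "$P12_BASE64" | base64 --decode > "$RUNNER_TEMP/cert.p12"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          security import "$RUNNER_TEMP/cert.p12" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN"
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
          security list-keychain -d user -s "$KEYCHAIN"
          rm "$RUNNER_TEMP/cert.p12"
      - name: Sign, notarize, staple and verify the DMG
        env:
          IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_APP_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
        run: |
          DMG=dist/App.dmg   # hypothetical artifact path
          codesign --force --timestamp --sign "$IDENTITY" "$DMG"
          xcrun notarytool submit "$DMG" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_PASSWORD" --wait
          xcrun stapler staple "$DMG"
          spctl --assess --type open --context context:primary-signature --verbose "$DMG"
  sign-windows:
    runs-on: windows-latest
    steps:
      - name: Authenticode-sign installers and fail on any invalid signature
        shell: powershell
        env:
          PFX_BASE64: ${{ secrets.WINDOWS_CERT_PFX_BASE64 }}
          PFX_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
        run: |
          $pfx = Join-Path $env:RUNNER_TEMP 'cert.pfx'
          [IO.File]::WriteAllBytes($pfx, [Convert]::FromBase64String($env:PFX_BASE64))
          $cert = Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\CurrentUser\My -Password (ConvertTo-SecureString $env:PFX_PASSWORD -AsPlainText -Force)
          Remove-Item $pfx
          Get-ChildItem dist -Recurse -Include *.msi,*.exe | ForEach-Object {
            $sig = Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
            if ($sig.Status -ne 'Valid') { throw "Signing failed: $($_.Name): $($sig.StatusMessage)" }
          }
```

Passing the certificates through step-level `env` rather than interpolating `${{ secrets.* }}` into the script keeps them out of the rendered command line.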