Code-signing policy
This page documents how xiboplayer's signed binaries are produced, who authorises each signature, and how users can verify them independently.
Which binaries are signed
| Artefact | Signing authority | Status |
|---|---|---|
| Windows installers (.msi, .exe) | SignPath Foundation | Application pending |
| Linux RPMs and DEBs | packages@xiboplayer.org PGP key `5A30EA2BB69D32F2` | Live |
| Linux ISO images (SHA256SUMS.asc) | images@xiboplayer.org PGP key `5F908630B78045FF` | Key live; CI integration in progress |
| Chrome extension ZIP | Chrome Web Store | Live — when published |
| macOS .dmg (future) | Apple Developer ID via SignPath | Planned |
Who requests and authorises a signature
- Requester: the GitHub Actions release workflow, triggered by a `v*` tag on `main`.
- Approver: Pau Aliagas (security@xiboplayer.org), human-in-the-loop via the signing platform's approval UI.
- Multi-factor authentication: mandatory on all approver accounts (GitHub, email, signing platform).
What we sign and what we don't
We sign binaries only when all of these hold:
- Built from source in our GitHub organisation on ephemeral GitHub-hosted Actions runners
- Triggered by a specific `v*` tag on `main` (never branches, never reruns)
- Built from a commit that is itself GPG-signed by an authorised maintainer
We never sign:
- Artefacts built outside our CI
- Pre-release or branch-tip builds
- Binaries that bundle proprietary third-party components without disclosure
- Binaries that would include malware, adware, or undisclosed telemetry
How to verify signatures independently
Every signed Windows release ships with three independent trust primitives:
- Authenticode signature (visible to Windows via right-click → Properties → Digital Signatures)
- Detached GPG signature from packages@xiboplayer.org (key `5A30EA2BB69D32F2`), published next to the binary on the GitHub Releases page
- SHA-256 hash file published alongside the binary
```bash
# Import the signing key if you don't have it
gpg --keyserver keys.openpgp.org --recv-keys 5A30EA2BB69D32F2
# Check that the fetched key's fingerprint ends in the key ID published on this page
gpg --fingerprint 5A30EA2BB69D32F2
# Verify the GPG detached signature
gpg --verify xiboplayer-setup-0.7.x.msi.asc xiboplayer-setup-0.7.x.msi
# Verify the SHA-256
sha256sum -c xiboplayer-setup-0.7.x.msi.sha256
```
On Windows, to view the Authenticode signature:
```powershell
Get-AuthenticodeSignature .\xiboplayer-setup-0.7.x.msi
```
The Subject/Signer should identify SignPath Foundation, acting on behalf of xiboplayer.
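As an added example (not code from this policy or from the xiboplayer project), the checker below does what `sha256sum -c` does for the `.sha256` file shipped next to each binary, and goes slightly beyond the page by also accepting the multi-entry `SHA256SUMS` layout used for the ISO images. It writes a constructed sample artefact and hash file into a temporary directory so it runs offline; the `0.7.x` file names mirror the page's placeholder and are not a real release. Every entry is reported as OK, FAILED or MISSING, and a malformed line is rejected rather than silently skipped, since an attacker who can edit the hash file would rather it be ignored than fail loudly.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample release in a temp dir: a stand-in "installer" plus the
# .sha256 file in the exact layout sha256sum produces ("<hex>  <name>").
ARTEFACT = "xiboplayer-setup-0.7.x.msi"


def make_sample_release(root: Path) -> Path:
    artefact = root / ARTEFACT
    artefact.write_bytes(b"not a real installer, constructed for this example\n")
    digest = hashlib.sha256(artefact.read_bytes()).hexdigest()
    sums = root / (ARTEFACT + ".sha256")
    sums.write_text(f"{digest}  {ARTEFACT}\n")
    return sums


def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines: "<64 hex>  <name>" or "<64 hex> *<name>".
    Blank lines and '#' comments are skipped; anything else is an error."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        digest, name = parts
        name = name.lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest: {digest!r}")
        entries[name] = digest.lower()
    return entries


def sha256_of(path: Path) -> str:
    """Stream the file so large ISO images don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sums(sums_file: Path) -> dict:
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every entry in sums_file.
    Targets are resolved relative to the hash file, as sha256sum -c does."""
    results = {}
    for name, expected in parse_sums(sums_file.read_text()).items():
        target = sums_file.parent / name
        if not target.is_file():
            results[name] = "MISSING"
        elif sha256_of(target) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo() -> tuple:
    """Run the checker over the constructed sample, then over a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sums = make_sample_release(root)
        # Add an entry for a companion file that was never downloaded -> MISSING
        with sums.open("a") as f:
            f.write("0" * 64 + "  " + ARTEFACT + ".asc\n")
        good = verify_sums(sums)
        # Tamper with the artefact after the hash file was produced -> FAILED
        (root / ARTEFACT).write_bytes(b"tampered")
        bad = verify_sums(sums)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("original", "tampered"), demo()):
        for name, status in result.items():
            print(f"{label}: {name}: {status}")
```

In practice you would point `verify_sums` at the downloaded `.sha256` or `SHA256SUMS` file after `gpg --verify` has accepted the detached signature over it; a hash file that has not been signature-checked only proves the download was not corrupted in transit, not that it came from the project.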
Reporting a compromised signature
If you believe one of our signing credentials has been compromised, or if a binary signed with our key has been tampered with, contact security@xiboplayer.org (PGP fingerprint on the Security page). We will:
- Revoke the affected credential immediately
- Publish a revocation advisory on the Security page within 24 hours
- Re-issue signatures for the affected release series on the next release cycle
Code-signing code of conduct
We will not sign binaries that contain malware, bundled adware, undisclosed telemetry, or non-disclosed third-party proprietary components. The signing process is a trust chain — we treat it as such.
This policy is published as a prerequisite for the SignPath Foundation free OSS code-signing programme.
Last updated: 2026-04-15
