[{"data":1,"prerenderedAt":430},["ShallowReactive",2],{"content-en-\u002Fsecurity\u002Fcode-signing":3},{"id":4,"title":5,"author":6,"body":7,"date":6,"description":423,"extension":424,"meta":425,"navigation":295,"path":426,"robots":6,"seo":427,"stem":428,"tags":6,"__hash__":429},"content_en\u002Fsecurity\u002Fcode-signing.md","Code-signing policy",null,{"type":8,"value":9,"toc":415},"minimark",[10,14,18,23,134,138,173,177,184,200,203,217,221,224,251,340,343,354,357,361,372,386,390,393,396,406,411],[11,12,5],"h1",{"id":13},"code-signing-policy",[15,16,17],"p",{},"This page documents how xiboplayer's signed binaries are produced, who authorises each signature, and how users can verify them independently.",[19,20,22],"h2",{"id":21},"which-binaries-are-signed","Which binaries are signed",[24,25,26,42],"table",{},[27,28,29],"thead",{},[30,31,32,36,39],"tr",{},[33,34,35],"th",{},"Artefact",[33,37,38],{},"Signing authority",[33,40,41],{},"Status",[43,44,45,72,89,108,119],"tbody",{},[30,46,47,60,69],{},[48,49,50,51,55,56,59],"td",{},"Windows installers (",[52,53,54],"code",{},".msi",", ",[52,57,58],{},".exe",")",[48,61,62],{},[63,64,68],"a",{"href":65,"rel":66},"https:\u002F\u002Fsignpath.org",[67],"nofollow","SignPath Foundation",[48,70,71],{},"Application pending",[30,73,74,77,86],{},[48,75,76],{},"Linux RPMs and DEBs",[48,78,79,82,83],{},[52,80,81],{},"packages@xiboplayer.org"," PGP key ",[52,84,85],{},"5A30EA2BB69D32F2",[48,87,88],{},"Live",[30,90,91,97,105],{},[48,92,93,94,59],{},"Linux ISO images (",[52,95,96],{},"SHA256SUMS.asc",[48,98,99,82,102],{},[52,100,101],{},"images@xiboplayer.org",[52,103,104],{},"5F908630B78045FF",[48,106,107],{},"Key live; CI integration in progress",[30,109,110,113,116],{},[48,111,112],{},"Chrome extension ZIP",[48,114,115],{},"Chrome Web Store",[48,117,118],{},"Live — when published",[30,120,121,128,131],{},[48,122,123,124,127],{},"macOS ",[52,125,126],{},".dmg"," (future)",[48,129,130],{},"Apple Developer ID via 
SignPath",[48,132,133],{},"Planned",[19,135,137],{"id":136},"who-requests-and-authorises-a-signature","Who requests and authorises a signature",[139,140,141,157,167],"ul",{},[142,143,144,148,149,152,153,156],"li",{},[145,146,147],"strong",{},"Requester",": the GitHub Actions release workflow, triggered by a ",[52,150,151],{},"v*"," tag on ",[52,154,155],{},"main",".",[142,158,159,162,163,166],{},[145,160,161],{},"Approver",": Pau Aliagas — ",[52,164,165],{},"security@xiboplayer.org"," — human-in-the-loop via the signing platform's approval UI.",[142,168,169,172],{},[145,170,171],{},"Multi-factor authentication",": mandatory on all approver accounts (GitHub, email, signing platform).",[19,174,176],{"id":175},"what-we-sign-and-what-we-dont","What we sign and what we don't",[15,178,179,180,183],{},"We sign binaries ",[145,181,182],{},"only"," when all of these hold:",[139,185,186,189,197],{},[142,187,188],{},"Built from source in our GitHub organisation on ephemeral GitHub-hosted Actions runners",[142,190,191,192,152,194,196],{},"Triggered by a specific ",[52,193,151],{},[52,195,155],{}," (never branches, never reruns)",[142,198,199],{},"Built from a commit that is itself GPG-signed by an authorised maintainer",[15,201,202],{},"We never sign:",[139,204,205,208,211,214],{},[142,206,207],{},"Artefacts built outside our CI",[142,209,210],{},"Pre-release or branch-tip builds",[142,212,213],{},"Binaries that bundle proprietary third-party components without disclosure",[142,215,216],{},"Binaries that would include malware, adware, or undisclosed telemetry",[19,218,220],{"id":219},"how-to-verify-signatures-independently","How to verify signatures independently",[15,222,223],{},"Every signed Windows release ships with three independent trust primitives:",[225,226,227,233,245],"ol",{},[142,228,229,232],{},[145,230,231],{},"Authenticode signature"," (visible to Windows via right-click → Properties → Digital 
Signatures)",[142,234,235,238,239,241,242,244],{},[145,236,237],{},"Detached GPG signature"," from ",[52,240,81],{}," (key ",[52,243,85],{},"), published next to the binary on the GitHub Releases page",[142,246,247,250],{},[145,248,249],{},"SHA-256 hash file"," published alongside the binary",[252,253,258],"pre",{"className":254,"code":255,"language":256,"meta":257,"style":257},"language-bash shiki shiki-themes material-theme-lighter github-light github-dark","# Import the signing key if you don't have it\ngpg --keyserver keys.openpgp.org --recv-keys 5A30EA2BB69D32F2\n\n# Verify the GPG detached signature\ngpg --verify xiboplayer-setup-0.7.x.msi.asc xiboplayer-setup-0.7.x.msi\n\n# Verify the SHA-256\nsha256sum -c xiboplayer-setup-0.7.x.msi.sha256\n","bash","",[52,259,260,269,290,297,303,317,322,328],{"__ignoreMap":257},[261,262,265],"span",{"class":263,"line":264},"line",1,[261,266,268],{"class":267},"sutJx","# Import the signing key if you don't have it\n",[261,270,272,276,280,284,287],{"class":263,"line":271},2,[261,273,275],{"class":274},"sbgvK","gpg",[261,277,279],{"class":278},"stzsN"," --keyserver",[261,281,283],{"class":282},"s_sjI"," keys.openpgp.org",[261,285,286],{"class":278}," --recv-keys",[261,288,289],{"class":282}," 5A30EA2BB69D32F2\n",[261,291,293],{"class":263,"line":292},3,[261,294,296],{"emptyLinePlaceholder":295},true,"\n",[261,298,300],{"class":263,"line":299},4,[261,301,302],{"class":267},"# Verify the GPG detached signature\n",[261,304,306,308,311,314],{"class":263,"line":305},5,[261,307,275],{"class":274},[261,309,310],{"class":278}," --verify",[261,312,313],{"class":282}," xiboplayer-setup-0.7.x.msi.asc",[261,315,316],{"class":282}," xiboplayer-setup-0.7.x.msi\n",[261,318,320],{"class":263,"line":319},6,[261,321,296],{"emptyLinePlaceholder":295},[261,323,325],{"class":263,"line":324},7,[261,326,327],{"class":267},"# Verify the 
SHA-256\n",[261,329,331,334,337],{"class":263,"line":330},8,[261,332,333],{"class":274},"sha256sum",[261,335,336],{"class":278}," -c",[261,338,339],{"class":282}," xiboplayer-setup-0.7.x.msi.sha256\n",[15,341,342],{},"On Windows, to view the Authenticode signature:",[252,344,348],{"className":345,"code":346,"language":347,"meta":257,"style":257},"language-powershell shiki shiki-themes material-theme-lighter github-light github-dark","Get-AuthenticodeSignature .\\xiboplayer-setup-0.7.x.msi\n","powershell",[52,349,350],{"__ignoreMap":257},[261,351,352],{"class":263,"line":264},[261,353,346],{},[15,355,356],{},"The Subject\u002FSigner should identify SignPath Foundation, acting on behalf of xiboplayer.",[19,358,360],{"id":359},"reporting-a-compromised-signature","Reporting a compromised signature",[15,362,363,364,366,367,371],{},"If you believe one of our signing credentials has been compromised, or if a binary signed with our key has been tampered with, contact ",[52,365,165],{}," (PGP fingerprint on the ",[63,368,370],{"href":369},"\u002Fsecurity","Security page","). We will:",[139,373,374,377,383],{},[142,375,376],{},"Revoke the affected credential immediately",[142,378,379,380,382],{},"Publish a revocation advisory on the ",[63,381,370],{"href":369}," within 24 hours",[142,384,385],{},"Re-issue signatures for the affected release series on the next release cycle",[19,387,389],{"id":388},"code-signing-code-of-conduct","Code-signing code of conduct",[15,391,392],{},"We will not sign binaries that contain malware, bundled adware, undisclosed telemetry, or undisclosed third-party proprietary components. 
The signing process is a trust chain — we treat it as such.",[394,395],"hr",{},[15,397,398],{},[399,400,401,402,405],"em",{},"This policy is published as a prerequisite for the ",[63,403,68],{"href":65,"rel":404},[67]," free OSS code-signing programme.",[15,407,408],{},[399,409,410],{},"Last updated: 2026-04-15",[412,413,414],"style",{},"html pre.shiki code .sutJx, html code.shiki .sutJx{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit}html pre.shiki code .sbgvK, html code.shiki .sbgvK{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .stzsN, html code.shiki .stzsN{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .s_sjI, html code.shiki .s_sjI{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: 
var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":257,"searchDepth":292,"depth":292,"links":416},[417,418,419,420,421,422],{"id":21,"depth":271,"text":22},{"id":136,"depth":271,"text":137},{"id":175,"depth":271,"text":176},{"id":219,"depth":271,"text":220},{"id":359,"depth":271,"text":360},{"id":388,"depth":271,"text":389},"How xiboplayer binaries are signed, who authorises each signature, and how users can verify signatures independently. Required for SignPath Foundation OSS program.","md",{},"\u002Fsecurity\u002Fcode-signing",{"title":5,"description":423},"security\u002Fcode-signing","xe7bjZzvJ1wM3OjpWgSgi8SGIchWH63qjspT2MIRIF0",1777112059771]