Code Signing Policy

Overview

All CostGoblin release binaries are cryptographically signed so you can verify their authenticity and integrity. Unsigned or tampered binaries will trigger operating system warnings.

Signing status by platform

Build process

All release artifacts are built in GitHub Actions from the public source code. The build process is fully automated and reproducible:

• A version tag (v*) triggers the release workflow
• Builds run on GitHub-hosted runners (macOS, Windows, Linux)
• Signing credentials are stored in GitHub Actions environment secrets and never touch developer machines during the build
• macOS binaries are automatically notarized with Apple

How to verify

macOS

Right-click the .dmg or .app and choose Get Info, or run:

codesign -dv --verbose=2 /Applications/CostGoblin.app

You should see Developer ID Application: Etienne Chabert (VDA7669Q4Y) in the output.

Windows

Right-click the .exe installer, select Properties → Digital Signatures. The signer name and certificate chain will be displayed once Windows signing is active.

Team roles

Security practices

• Signing keys are stored in GitHub Actions environment secrets, protected by deployment approval rules
• Every release requires manual approval before the signing workflow runs
• All maintainer accounts use multi-factor authentication
• Source code is publicly auditable at github.com/etiennechabert/cost-goblin

Reporting issues

If you believe a CostGoblin binary has been tampered with or you encounter a signature verification failure:

1. Do not run the binary
2. Open an issue at github.com/etiennechabert/cost-goblin/issues
3. Or email [email protected]

Acknowledgements

Free code signing provided by SignPath.io, certificate by SignPath Foundation.