Code Signing Policy

⚠️ Status: Pending Approval

We have applied for code signing through SignPath Foundation and are currently working through their approval process. Once approved, all releases will be digitally signed to verify authenticity and provide additional security assurances.

Certificate Provider

Free code signing provided by SignPath.io, certificate by SignPath Foundation.

SignPath Foundation is a non-profit certificate authority that provides free code signing certificates to open source projects that meet its requirements.

Team Roles

The Archive project follows SignPath Foundation's requirements for team organization:

Authors

Repository Owner: @Ignyos

Authors are trusted to modify source code in the repository without additional reviews.

Reviewers

Repository Owner: @Ignyos

All pull requests from external contributors are reviewed before merging.

Approvers

Repository Owner: @Ignyos

Each signing request must be approved before code signing occurs.

Privacy Policy

Archive respects your privacy and operates entirely offline:

  • No data collection: Archive does not collect any user data, telemetry, or analytics.
  • No network communication: Archive does not transfer any information to networked systems unless specifically requested by the user (such as checking for updates).
  • Local operation: All backup operations occur entirely on your local system or specified network locations.
  • Update checks: When enabled, the application checks GitHub's public API for new releases. This request only includes the software version and does not transmit any personal information.

Build Verification

All signed releases of Archive are built using automated, verifiable processes:

  • Binaries are built from source code in the GitHub repository
  • Builds are performed by GitHub Actions using the release workflow
  • Build logs are publicly available for each release
  • Source code matches the tagged release version

Security Best Practices

The Archive project follows industry security best practices:

  • Multi-factor authentication enabled for repository access
  • All releases require manual approval
  • Code changes are tracked and auditable
  • Dependencies are managed and reviewed

Open Source Compliance

Archive is licensed under the MIT License, an OSI-approved open source license.

  • All source code is publicly available
  • No proprietary components
  • Community contributions welcome
  • Transparent development process

Reporting Issues

If you believe a signed release violates SignPath Foundation's code of conduct or contains security issues: