Security
Every HTTPS connection made by the app validates the server certificate before any data is read:
- Certificate subject must contain github.com or github.io
- Issuer must be DigiCert, Sectigo, GlobalSign, or Let's Encrypt
Connections that fail certificate validation are dropped immediately.
Before every script execution the app computes the SHA1 blob hash of the local cached file and compares it to the SHA reported by the GitHub API:
- If they match, the script runs
- If they don't match, a warning is shown asking if you want to re-download
The SHA is computed using the Git blob format: SHA1("blob <size>\0<content>") — identical to how GitHub computes it.
This detects:
- Cached files that have been modified locally
- Incomplete or corrupt downloads
- Files that have changed on GitHub since last sync
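The check described above, sketched in Python as an added example (this is not the app's own code). The function names and the sample bytes are assumptions made for illustration; the sample SHA is the Git blob hash of the constructed content.

```python
import hashlib
import hmac


def git_blob_sha1(content: bytes) -> str:
    """Hex SHA1 of "blob <size>\\0<content>", with size as the decimal byte count."""
    header = b"blob %d\x00" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def cached_script_matches(content: bytes, api_sha: str) -> bool:
    """True when the cached bytes hash to the SHA reported for the file."""
    expected = api_sha.strip().lower()
    return hmac.compare_digest(git_blob_sha1(content), expected)


# Constructed sample: stands in for a cached script and the SHA reported for it.
ORIGINAL = b"hello world\n"
API_SHA = "3b18e512dba79e4c8300dd08aeb37f8e728b8dad"


def demo() -> dict:
    """Run the check over the failure cases the page lists, plus a CRLF rewrite."""
    cases = {
        "unchanged": ORIGINAL,
        "edited locally": ORIGINAL + b"extra line\n",
        "truncated download": ORIGINAL[:5],
        # Hash the raw bytes (open the file in binary mode): a text-mode read
        # or an editor that rewrites LF as CRLF changes both size and content.
        "crlf rewritten": ORIGINAL.replace(b"\n", b"\r\n"),
    }
    return {name: cached_script_matches(data, API_SHA) for name, data in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'run' if ok else 'warn: offer re-download'}")
```
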
GitHub Personal Access Tokens are stored in plain text in %APPDATA%\CatiaMenuWin32\settings.ini. This file is in your user profile and is not readable by other Windows users on the same machine.
The app makes no connections other than to api.github.com and raw.githubusercontent.com. No usage data, crash reports, or analytics are collected or transmitted.
Please report security vulnerabilities privately via GitHub Security Advisories rather than as a public issue. See SECURITY.md for full details.