The Windows release binaries (VST3 + Standalone) are currently unsigned — users see SmartScreen warnings on first run. The macOS signing pipeline (Developer ID + notarization, org-secret based) is being set up separately and does not cover Windows.
To resolve, this repo (in line with the whole suite) needs:
- An Authenticode code-signing certificate (OV or EV; options: Certum Open Source, SSL.com, or Azure Trusted Signing) — one org-wide cert, stored like the Apple secrets as org-level GitHub Actions secrets.
- A signing step in
.github/workflows/release.yml's Windows job (signtool on the runner or osslsigncode cross-signing), signing both the .vst3 binary and the Standalone .exe with a timestamp server.
- Release-notes update once shipped (drop the unsigned-Windows warning).
Suite-wide task — implement once in the shared template, then roll out. Tracked per-repo for milestone completeness.
The Windows release binaries (VST3 + Standalone) are currently unsigned — users see SmartScreen warnings on first run. The macOS signing pipeline (Developer ID + notarization, org-secret based) is being set up separately and does not cover Windows.
To resolve, this repo (in line with the whole suite) needs:
.github/workflows/release.yml's Windows job (signtoolon the runner orosslsigncodecross-signing), signing both the.vst3binary and the Standalone.exewith a timestamp server.Suite-wide task — implement once in the shared template, then roll out. Tracked per-repo for milestone completeness.