build: apply to SignPath Foundation for free Windows code signing #152
Open
Labels: build, enhancement, github_actions, platform: windows
Description
Problem
Windows SmartScreen warnings create friction for non-technical users. The warning "Windows protected your PC" with "Microsoft Defender SmartScreen prevented an unrecognized app from starting" causes users to abandon installation.
Unlike macOS, Windows has a viable free path for OSS projects through SignPath Foundation.
Background
SignPath Foundation provides free code signing certificates for qualifying open-source projects:
- Certificate issued to "SignPath Foundation" (not project name)
- Provides immediate SmartScreen reputation - no warning buildup period
- novelWriter, a similar fiction writing application, already uses SignPath successfully
Eligibility Requirements
Kindling meets all requirements:
- ✅ OSI-approved license (MIT)
- ✅ No proprietary code components
- ✅ Fully automated builds via GitHub Actions
- ✅ Binary verifiably built from source
- ✅ Actively maintained with verifiable reputation
Implementation
Phase 1: Application
- Apply at signpath.io for the OSS program
- Provide GitHub repository URL and project information
- Wait for approval (typically 1-2 weeks)
Phase 2: Integration
- Integrate SignPath into .github/workflows/release.yml
- Configure signing as part of the Windows build matrix
- Test that signed builds eliminate SmartScreen warnings
Phase 3: Attribution
- Add to README or download page: "Code signing on Windows sponsored by SignPath.io, certificate by the SignPath Foundation"
- Update installation docs to remove SmartScreen bypass instructions for signed releases
User Impact
- Before: Users see scary "Windows protected your PC" warning, must click "More info" → "Run anyway"
- After: Silent installation with no security warnings
References
- SignPath OSS Program
- novelWriter's attribution (scroll to Windows section)
- SignPath GitHub Action
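
For the Phase 2 testing step, a post-signing gate the Windows release job could run before publishing. This is an added example, not code from the Kindling repository or from SignPath; the `dist` artifact directory and the function name are assumptions, and the expected signer name is the "SignPath Foundation" certificate subject mentioned in the issue.

```powershell
# Added example: fail the release job unless every Windows artifact carries a
# valid, timestamped Authenticode signature from the expected publisher.
# Assumptions: artifacts live under ./dist (hypothetical path); the signer
# name comes from the issue text above.
param(
    [string]$ArtifactDir = 'dist',
    [string]$ExpectedSigner = 'SignPath Foundation'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Test-ReleaseSignature {
    param([string]$Path, [string]$ExpectedSigner)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $problems = @()

    # 'Valid' means the hash matches and the chain builds to a trusted root.
    if ($sig.Status -ne 'Valid') {
        $problems += "status is $($sig.Status): $($sig.StatusMessage)"
    }
    if ($null -eq $sig.SignerCertificate) {
        $problems += 'no signer certificate'
    } else {
        # Compare the certificate's simple name, not a substring of the full subject.
        $cn = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        if ($cn -ne $ExpectedSigner) { $problems += "signed by '$cn', expected '$ExpectedSigner'" }
    }
    # Without a timestamp the signature stops validating once the certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) { $problems += 'no trusted timestamp' }
    return $problems
}

$files = @(Get-ChildItem -Path $ArtifactDir -Recurse -File -Include *.exe, *.msi)
if ($files.Count -eq 0) { throw "no .exe or .msi artifacts under $ArtifactDir" }

$failed = $false
foreach ($f in $files) {
    $problems = @(Test-ReleaseSignature -Path $f.FullName -ExpectedSigner $ExpectedSigner)
    if ($problems.Count -gt 0) {
        $failed = $true
        $problems | ForEach-Object { Write-Host "FAIL $($f.Name): $_" }
    } else {
        Write-Host "OK   $($f.Name)"
    }
}
if ($failed) { exit 1 }
```

Running this on the Windows runner after the signed artifact is downloaded catches an unsigned or wrongly signed installer before it reaches the release page.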