ArkHost/HelixNotes
14
150
Fork
You've already forked HelixNotes
13

Blocked installer in corporate environment due to not being code-signed #103

Open
opened 2026年06月12日 12:40:29 +02:00 by entertain · 1 comment

Hello,

I hope you’re doing well.

I would like to use HelixNotes in a corporate environment, but we are currently blocked by security policies on our end. The main issue is that the Windows installer is not code-signed, which causes Microsoft Defender and SmartScreen to block both the download and execution.

Because of this, the application cannot be approved internally, even though it appears to be a false positive and the software itself is legitimate.

I wanted to kindly ask:
Are there any plans to provide a code-signed installer (e.g., with an Authenticode signature) in the future?

Having a signed release would significantly improve trust and allow usage in enterprise environments where strict security controls (Defender, AppLocker, etc.) are enforced.

Alternatively, if there is already a signed version, a checksum, or a recommended secure distribution method, I would greatly appreciate any guidance.

Thank you for your work on HelixNotes – it looks like a very useful tool.

Best regards,
Jan Spatschek

PS: Even a basic code signing certificate (e.g., standard Authenticode) would likely be sufficient to avoid Defender/SmartScreen blocking in many enterprise setups.

Hello, I hope you’re doing well. I would like to use HelixNotes in a corporate environment, but we are currently blocked by security policies on our end. The main issue is that the Windows installer is not code-signed, which causes Microsoft Defender and SmartScreen to block both the download and execution. Because of this, the application cannot be approved internally, even though it appears to be a false positive and the software itself is legitimate. I wanted to kindly ask: Are there any plans to provide a code-signed installer (e.g., with an Authenticode signature) in the future? Having a signed release would significantly improve trust and allow usage in enterprise environments where strict security controls (Defender, AppLocker, etc.) are enforced. Alternatively, if there is already a signed version, a checksum, or a recommended secure distribution method, I would greatly appreciate any guidance. Thank you for your work on HelixNotes – it looks like a very useful tool. Best regards, Jan Spatschek PS: Even a basic code signing certificate (e.g., standard Authenticode) would likely be sufficient to avoid Defender/SmartScreen blocking in many enterprise setups.

Hi Jan,

Thanks for the detailed report and the kind words.

Correct, the Windows builds are unsigned, and I want to be upfront: there are no plans to purchase a code signing certificate. This is a deliberate position, not an oversight.
Two reasons. First, HelixNotes is a free, AGPL-licensed project with no Windows revenue, and Authenticode certificates cost several hundred euros per year while a fresh certificate still triggers SmartScreen until it accumulates download reputation.
Second, and more fundamentally, I won't pay into a trust model where Microsoft's security tooling treats "paid a certificate authority" as a proxy for "safe." Code signing proves who built a binary, not that it's harmless. Microsoft's own Notepad shipped fully signed with an 8.8 CVSS remote code execution vulnerability (CVE-2026-20841, patched this February) that Defender allowed without complaint, while the same Defender blocks an unsigned open-source editor whose complete source code is publicly auditable by anyone. That's trust-by-payment, not security, and I'm not going to fund it.

I understand none of this changes your corporate policy, so here's what's actually available:

  • SHA256 checksums ship with every release. Your IT team can verify integrity and whitelist by hash in AppLocker or Defender. This is a stronger guarantee than a signature, since a hash pins the exact binary.
  • The full source is here under AGPL-3.0. The build is reproducible from source if your organization requires it.
  • I'm evaluating SignPath.io, which signs open source builds for free and doesn't involve paying Microsoft or a commercial CA. If it integrates cleanly with our pipeline, future releases would be signed. No timeline commitment yet.

Leaving this open to track it.

Hi Jan, Thanks for the detailed report and the kind words. Correct, the Windows builds are unsigned, and I want to be upfront: there are no plans to purchase a code signing certificate. This is a deliberate position, not an oversight. Two reasons. First, HelixNotes is a free, AGPL-licensed project with no Windows revenue, and Authenticode certificates cost several hundred euros per year while a fresh certificate still triggers SmartScreen until it accumulates download reputation. Second, and more fundamentally, I won't pay into a trust model where Microsoft's security tooling treats "paid a certificate authority" as a proxy for "safe." Code signing proves who built a binary, not that it's harmless. Microsoft's own Notepad shipped fully signed with an 8.8 CVSS remote code execution vulnerability (CVE-2026-20841, patched this February) that Defender allowed without complaint, while the same Defender blocks an unsigned open-source editor whose complete source code is publicly auditable by anyone. That's trust-by-payment, not security, and I'm not going to fund it. I understand none of this changes your corporate policy, so here's what's actually available: - SHA256 checksums ship with every release. Your IT team can verify integrity and whitelist by hash in AppLocker or Defender. This is a stronger guarantee than a signature, since a hash pins the exact binary. - The full source is here under AGPL-3.0. The build is reproducible from source if your organization requires it. - I'm evaluating SignPath.io, which signs open source builds for free and doesn't involve paying Microsoft or a commercial CA. If it integrates cleanly with our pipeline, future releases would be signed. No timeline commitment yet. Leaving this open to track it.
Sign in to join this conversation.
No Branch/Tag specified
main
fix/vault-indication
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.2.9
v1.2.8
v1.2.7
v1.2.6
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.9
v1.1.8
v1.1.7
v1.1.6
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.9
v1.0.8
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
ArkHost/HelixNotes#103
Reference in a new issue
ArkHost/HelixNotes
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?