From 69a94b00589216d861dfb4535e63827f1de9fe3d Mon Sep 17 00:00:00 2001 From: MukundaKatta Date: Tue, 21 Apr 2026 09:12:40 -0700 Subject: [PATCH] docs(readme): distinguish signed release binaries from unsigned source builds in SmartScreen section Per #8, the README claimed the Windows binary was unsigned, but release.yml runs a sign-windows job that Authenticode-signs the amd64/arm64 executables via Azure Trusted Signing before packaging them. Only source builds remain unsigned. Reworded the section to: - note release binaries are signed and shouldn't trigger SmartScreen - keep the Unblock-File guidance, scoped to source builds Closes #8 --- README.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 680f0bc..041059e 100644 --- a/README.md +++ b/README.md @@ -39,9 +39,14 @@ make build ### Windows SmartScreen -The Windows binary is unsigned. On first run SmartScreen may block it with -"Windows protected your PC". Click **More info → Run anyway**. To avoid the -prompt altogether, unblock the executable before running: +Release binaries are Authenticode-signed with Azure Trusted Signing (see the +`sign-windows` job in `.github/workflows/release.yml`), so SmartScreen should +not prompt for official downloads from GitHub Releases. + +If you build from source (`go install` / `make build`), the resulting +`ana.exe` is **not** signed and SmartScreen may still block it on first run +with "Windows protected your PC". Click **More info → Run anyway**, or +unblock the file before running: ```powershell Unblock-File -Path .\ana.exe
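Review bot: In the new source-build paragraph, the `Unblock-File` advice is now scoped to binaries produced by `go install` / `make build`, but `Unblock-File` only clears the downloaded-file mark (the Zone.Identifier stream), which a locally compiled `ana.exe` would not normally carry. Please say when a source build would actually hit "Windows protected your PC", for example when an unsigned build is downloaded or copied from another machine, so the remaining guidance matches a case where the command has an effect. Separately, the first paragraph says SmartScreen "should not prompt for official downloads" but gives readers no way to confirm that the file they have is a signed release. A one-line check such as `Get-AuthenticodeSignature .\ana.exe`, with a note that the status should be Valid, would let users tell a signed release apart from an unsigned build before they click **Run anyway**.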