What it took
Apple Developer ID Application certificate + app-specific password for notarytool, configured as 6 GitHub repository secrets. macOS DMGs now ship signed + notarized — double-click installs cleanly with no Gatekeeper prompt.
What we couldn't do for free
Windows EV code signing costs $300–700/yr. We're shipping unsigned Windows binaries today — SmartScreen shows a one-time 'More info → Run anyway' prompt. The workflow is pre-wired to flip to signed automatically when an EV cert is configured.
What was free
GPG signing. Every binary in every release ships with a detached .asc signature alongside it. Users who want strict origin verification can gpg --import the public key (published in the public release repo) and then run gpg --verify <file>.asc <file>.
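As an added example (not the project's own script), the verification step above wrapped so that it also pins the signing key's fingerprint: gpg --verify alone reports a "Good signature" for any key that happens to be in the local keyring, so the fingerprint comparison is the actual origin check. The AXIOM_RELEASE_FPR variable, the zero placeholder fingerprint and the function names are assumptions; the real fingerprint is whatever the public release repo publishes. It goes beyond the page's single-file command by also checking every artefact in a download directory.

```shell
#!/bin/sh
# Added example (not the project's own script): verify a downloaded release
# artefact against its detached .asc signature and pin the signing key's
# fingerprint, so a valid signature from any other key is still rejected.
# AXIOM_RELEASE_FPR and the zero fingerprint are placeholders (assumptions);
# the real fingerprint comes from the public release repo.
set -eu

# Full 40-hex-digit fingerprint of the release signing key (placeholder).
EXPECTED_FPR="${AXIOM_RELEASE_FPR:-0000000000000000000000000000000000000000}"

# verify_release_artifact FILE
# Returns 0 only when FILE.asc is a good signature over FILE made by the
# pinned key (matching either the signing key or its primary key fingerprint).
# A missing .asc, a bad signature, or a valid signature from another key
# returns 1.
verify_release_artifact() {
    file="$1"
    sig="$file.asc"
    [ -f "$file" ] || { echo "BAD: missing artefact: $file" >&2; return 1; }
    [ -f "$sig" ]  || { echo "BAD: missing signature: $sig" >&2; return 1; }

    # --status-fd 1 emits machine-readable status lines on stdout. The VALIDSIG
    # line carries the fingerprint of the key that made the signature and, as
    # its last field, the fingerprint of that key's primary key.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || {
        echo "BAD: gpg --verify failed for $file" >&2; return 1; }
    validsig=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print; exit}')
    [ -n "$validsig" ] || { echo "BAD: no valid signature on $file" >&2; return 1; }

    signer=$(printf '%s\n' "$validsig" | awk '{print $3}')
    primary=$(printf '%s\n' "$validsig" | awk '{print $NF}')
    if [ "$signer" != "$EXPECTED_FPR" ] && [ "$primary" != "$EXPECTED_FPR" ]; then
        echo "BAD: valid signature on $file but from unexpected key $signer" >&2
        return 1
    fi
    echo "OK: $file signed by pinned key $EXPECTED_FPR"
    return 0
}

# verify_release_dir DIR
# Verifies every regular file in DIR that is not itself a .asc signature.
# Returns 1 if any artefact fails verification or has no signature at all.
verify_release_dir() {
    dir="$1"
    failed=0
    checked=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.asc) continue ;; esac
        checked=$((checked + 1))
        verify_release_artifact "$f" || failed=1
    done
    echo "checked $checked artefact(s) in $dir"
    return "$failed"
}

# Usage (only when a directory is passed on the command line):
#   AXIOM_RELEASE_FPR=<published fingerprint> sh verify-release.sh ~/Downloads/axiom
if [ "$#" -gt 0 ]; then
    verify_release_dir "$1"
fi
```

The pin is what turns "this file has a valid signature" into "this file was signed by the key the release repo publishes"; without it, an attacker who can get any key imported into the user's keyring could produce a signature that gpg --verify accepts. A directory-level check is useful for installers that fetch several artefacts at once, since a missing .asc is treated as a failure rather than silently skipped.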
Honest distribution
We split into two repos — visionxixlabs (private, all code) and axiom-releases (public, only binaries). CI in the private repo builds, signs (where certs are configured), and pushes artefacts to the public repo via a cross-repo PAT. The /download page reads the public release manifest live; no rebuilds when a new release lands.
What's labelled honestly
Every download tile on the website carries its real install friction note. macOS: 'Signed + notarized — double-click to install'. Windows: 'Unsigned — SmartScreen → More info → Run anyway'. Linux: 'GPG-signed; chmod +x for AppImage'. No platform claims signed when it isn't.