1 — Overview
What this policy covers
ChatIncluded is a free, open-source Windows plugin for Casterlabs Caffeinated maintained by KiraLovey. This policy describes which release artifacts are digitally signed, who may authorize a signing request, how signing is performed, and how users can independently verify a signature.
Code signing prevents Windows SmartScreen from warning users about unknown publishers and lets anyone confirm that a downloaded file was built by this project and has not been tampered with in transit.
2 — Scope
What gets signed
The following artifact is signed for every public release:
ChatIncluded-Setup.exe — the Windows installer distributed via GitHub Releases
Intermediate build artifacts (JAR files, object files, debug builds) are not signed. Only the final installer presented to end users carries a signature.
3 — Team & Responsibilities
Who authorizes signing
ChatIncluded is a sole-maintainer project. All roles are held by one person:
No signing request may be submitted without the explicit approval of the maintainer. There are no automated or unattended signing pipelines — every release is manually reviewed before signing.
4 — Signing Process
How a release is signed
- The maintainer builds the release installer locally using NSIS.
- The resulting ChatIncluded-Setup.exe is reviewed to confirm it matches the intended source.
- A signing request is submitted to SignPath Foundation, which provides free code signing certificates to qualifying open-source projects.
- SignPath signs the artifact using an Extended Validation (EV) or Organization Validation (OV) Authenticode certificate issued by a trusted Certificate Authority.
- The signed installer is uploaded to the GitHub Releases page and to the repository root for direct download.
The private signing key is held exclusively by SignPath Foundation and is never accessible to the maintainer, eliminating the risk of key theft or misuse.
5 — Verification
How to verify a signature
You can verify the digital signature of any ChatIncluded installer before running it:
Option A — Windows Explorer
- Right-click ChatIncluded-Setup.exe and choose Properties.
- Click the Digital Signatures tab.
- Select the signature entry and click Details.
- Confirm the signer name matches the ChatIncluded project and the certificate is valid.
Option B — PowerShell
- Open PowerShell and run:
Get-AuthenticodeSignature "ChatIncluded-Setup.exe" | Format-List
A valid signature returns Valid for Status.
An unsigned or tampered file returns NotSigned or HashMismatch — do not run it.
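A Status of Valid only shows that the file is intact and signed by a publisher Windows trusts; it does not show which publisher. The script below is an added example, not part of the project's own tooling, that combines the Status check from Option B with the signer-name check from Option A. The function name Test-InstallerSignature and the $ExpectedSigner value are assumptions: replace the placeholder with the publisher name the project announces for its releases.

```powershell
# Added example: verify signature status AND signer identity before running the installer.
# <EXPECTED-SIGNER-NAME> is a placeholder, not a value published by the project.
param(
    [string]$Path = ".\ChatIncluded-Setup.exe",
    [string]$ExpectedSigner = "<EXPECTED-SIGNER-NAME>"
)

function Test-InstallerSignature {
    param([string]$Path, [string]$ExpectedSigner)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) is a failure.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # Compare the certificate's simple name (normally the subject CN) with the expected publisher.
    $cert   = $sig.SignerCertificate
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $cert.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedSigner) {
        Write-Warning "Signed by '$signer', expected '$ExpectedSigner'"
        return $false
    }

    # Print the details a reviewer would otherwise read from the Details dialog.
    Write-Host "Signer     : $signer"
    Write-Host "Subject    : $($cert.Subject)"
    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Valid until: $($cert.NotAfter)"
    if ($sig.TimeStamperCertificate) {
        Write-Host "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
    } else {
        Write-Warning "No timestamp: the signature stops validating once the certificate expires."
    }
    return $true
}

if (-not (Test-InstallerSignature -Path $Path -ExpectedSigner $ExpectedSigner)) {
    Write-Warning "Verification failed. Do not run $Path."
    exit 1
}
Write-Host "Verification passed."
```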
6 — Certificate Authority
Certificate source
Signing certificates are provided by SignPath Foundation, a nonprofit organization that sponsors code signing for open-source projects. ChatIncluded qualifies under SignPath's Open Source Software program because it is:
- Licensed under the MIT License
- Publicly hosted on GitHub with full source code
- Free to use, with no commercial distribution
- Actively maintained with documented releases
7 — Policy Changes
Updates to this policy
This policy may be updated as the project evolves — for example if CI/CD signing is introduced or team membership changes. All changes are reflected in the Git history for this file. The date below reflects the last revision.
Last updated: March 2026