1. Signing provider
Free code signing provided by SignPath.io, certificate by SignPath Foundation.
memrynote's desktop installers are signed with a certificate issued to SignPath Foundation and provided to open-source projects. A valid signature confirms the binary is an automated build produced from the source code at github.com/memrynote/memry.
2. Team roles
memrynote is maintained by a single developer, who is responsible for every code-signing role:
- Committers and reviewers: memrynote/memry contributors
- Approvers: @h4yfans (repository owner)
Every change to source code, build scripts, and CI configuration is reviewed before it is merged. Every release is approved manually before it is signed.
3. Security practices
- Multi-factor authentication is enforced on both the source repository (GitHub) and the SignPath account.
- Binaries are built from source in a verifiable, automated CI pipeline. We do not sign artifacts built outside that pipeline.
- We sign only our own binaries, built from our own source. Any third-party or upstream binaries bundled in an installer are not signed with this certificate.
4. Privacy policy
See our privacy policy for how memrynote handles your data. In short: the local app collects nothing, and Sync uploads only ciphertext encrypted on your device — keys never touch our servers.
5. Report a concern
If you believe a file signed with a SignPath Foundation certificate violates their policy, email security@memrynote.com, or report it directly to SignPath at support@signpath.io.