Code Signing Policy

Free code signing provided by SignPath.io, certificate by SignPath Foundation. Binaries of stable and beta releases of the Drawpile client for Windows are signed with this certificate since version 2.2.2-beta.4.

Project roles with regards to code signing are as follows:

This program will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it.

The Drawpile client on Windows uses the following shared libraries:

The dependencies are pinned to known good versions and the source code for is verified against the hashes and signatures provided in their releases from upstream. SHA384 hash checks are also done for each build to ensure integrity of the source code retrieved from upstream.

We make some patches to these dependencies when building the application, which you can find in the patches directory of the git repository. Each patch file contains a description as to what it does.

Information about other platforms and links to build processes, versions, upstream source URLs and hashes can be found in the Client Dependencies section of the README.