Someone else just reported this, and I figured I could give a bit more background on how I ensure PhotoStructure’s builds are as secure/free from malware as I can make them:
-
I always update all of PhotoStructure’s dependencies and then run security audits (using snyk) to those dependencies right before a release. Electronegativity audits run against the desktop build, as well.
-
The final windows distribution builds are done on computers that are, for the most part, off, and run full offline antivirus scans before builds.
-
All binaries are signed with extended-verification code signatures.
-
All code commits are GPG-signed, periodically re-verified, and pushed to multiple remote repos, to detect tampering on either repo.
-
All git and related logins are protected via hardware tokens where possible, or 2FA.
-
The windows installer now contains the full installer (version 0.9.1 and earlier used the “Web installer” feature of NSIS, which meant the installer was very small, and when run, downloaded the installable archive in the background). This means you can run virustotal on the installer and be assured you’re scanning the whole payload.
As always, if you see anything suspicious, better safe than sorry: please tell me and we can look at it together, but always have at least one backup, and preferably have at least one offline or offsite: