Self Checks
Is your feature request related to a problem? Please describe.
I am working on a WinGet manifest to allow users to install Dify CLI via winget install LangGenius.DifyCLI. The current Windows release binaries are not Authenticode-signed, which causes WinGet installation to fail silently. When WinGet installs a portable package, it performs a Mark-of-the-Web (MOTW) security check on the downloaded binary. For unsigned executables, this check fails — WinGet exits with error 0x8A150001 and the dify command alias is never registered, even though the file hash verification passes. On systems with strict Windows Defender / SmartScreen policies, common in enterprise environments, there is no user-facing prompt or error message.
Describe the solution you'd like
Please sign the Windows release binaries (dify-plugin-windows-amd64.exe, dify-plugin-windows-arm64.exe) with a valid Authenticode certificate as part of the release pipeline. This would allow WinGet portable installation to work correctly across all Windows environments, remove the SmartScreen "Unknown Publisher" warning for users who download the binary directly, and meet the signing requirement for official submission to the winget-pkgs community repository.
Describe alternatives you've considered
There is no viable alternative on the distribution side. The MOTW check is hardcoded in WinGet's installer pipeline and cannot be bypassed through any manifest configuration. The only local workaround is for users to manually run Unblock-File on the cached WinGet temp file before installing, which is not practical for general distribution.
Additional context
- Affected versions:
0.6.0 (and all prior releases)
- Affected files:
dify-plugin-windows-amd64.exe, dify-plugin-windows-arm64.exe
- The WinGet manifest repo is ready and pending binary signing before the PR to winget-pkgs can be submitted.
Self Checks
Is your feature request related to a problem? Please describe.
I am working on a WinGet manifest to allow users to install Dify CLI via
winget install LangGenius.DifyCLI. The current Windows release binaries are not Authenticode-signed, which causes WinGet installation to fail silently. When WinGet installs a portable package, it performs a Mark-of-the-Web (MOTW) security check on the downloaded binary. For unsigned executables, this check fails — WinGet exits with error0x8A150001and thedifycommand alias is never registered, even though the file hash verification passes. On systems with strict Windows Defender / SmartScreen policies, common in enterprise environments, there is no user-facing prompt or error message.Describe the solution you'd like
Please sign the Windows release binaries (
dify-plugin-windows-amd64.exe,dify-plugin-windows-arm64.exe) with a valid Authenticode certificate as part of the release pipeline. This would allow WinGet portable installation to work correctly across all Windows environments, remove the SmartScreen "Unknown Publisher" warning for users who download the binary directly, and meet the signing requirement for official submission to the winget-pkgs community repository.Describe alternatives you've considered
There is no viable alternative on the distribution side. The MOTW check is hardcoded in WinGet's installer pipeline and cannot be bypassed through any manifest configuration. The only local workaround is for users to manually run
Unblock-Fileon the cached WinGet temp file before installing, which is not practical for general distribution.Additional context
0.6.0(and all prior releases)dify-plugin-windows-amd64.exe,dify-plugin-windows-arm64.exe