
Security: FahrenheitResearch/bowecho


SECURITY.md

Security policy

BowEcho is a native desktop radar viewer built from public source by GitHub Actions. This file explains what users can verify, what is signed, and how to report security issues.

Supported versions

Use the latest release from the GitHub Releases page. Older releases remain available for comparison and rollback, but security fixes and signing or trust improvements are only applied to new releases, never backported.

Verify a download

Every release asset is accompanied by a .sha256 checksum generated by the release workflow after packaging.

Windows PowerShell:

Get-FileHash .\bowecho-windows-x64.zip -Algorithm SHA256

macOS or Linux:

shasum -a 256 bowecho-macos-apple-silicon.zip
sha256sum bowecho-linux-x64.tar.gz

Compare the output with the matching .sha256 file on the release page. A matching hash means the local file is byte-identical to the artifact uploaded by GitHub Actions for that tag.

Signing status

  • Windows: release builds are currently unsigned unless the repository's Azure Trusted Signing secrets are configured. Unsigned builds may trigger SmartScreen or antivirus machine-learning warnings.
  • macOS: release apps are signed and notarized when the repository's Apple Developer ID secrets are available. If macOS still warns on first launch, right-click the app and choose Open once.
  • Linux: tarballs are not code-signed; verify the .sha256 checksum.

See docs/SIGNING.md for maintainer setup and verification commands.

Antivirus false positives

New unsigned Rust executables are sometimes flagged by Windows Defender machine-learning detections such as !ml families. Treat any warning seriously, but verify provenance first:

  1. Download only from the official GitHub Releases page.
  2. Compare the asset hash with the published .sha256.
  3. Check the release's GitHub Actions run for the matching tag.
  4. If the hash matches and the detection is an ML false positive, submit the file to Microsoft at https://www.microsoft.com/en-us/wdsi/filesubmission.
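The checksum comparison described under "Verify a download" and again in step 2 above can be scripted so that the match or mismatch is decided by the tool rather than by eyeballing two 64-character strings. The script below is an added example and is not part of the BowEcho repository or its release workflow. It assumes the .sha256 file sits next to the asset and contains either a bare hex digest or the "digest  filename" line that sha256sum and shasum emit; it accepts upper-case digests (as Get-FileHash prints them) and Windows line endings, and it exits non-zero on any mismatch or malformed input.

```shell
#!/bin/sh
# verify_release.sh - check a downloaded BowEcho asset against its .sha256 file.
# Added example, not BowEcho project code. Assumes the .sha256 file holds a bare
# SHA-256 hex digest or a "digest  filename" line (sha256sum/shasum format).
#
# Usage: sh verify_release.sh bowecho-linux-x64.tar.gz [bowecho-linux-x64.tar.gz.sha256]

# Print the SHA-256 hex digest of a file, using whichever tool is installed
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no sha256sum or shasum tool found" >&2
        return 2
    fi
}

# Extract the expected digest: first token of the first line, lower-cased so a
# digest copied from PowerShell output compares equal, with any CR stripped.
expected_digest() {
    awk '{print tolower($1); exit}' "$1" | tr -d '\r'
}

# verify_asset ASSET [SHA256FILE]
# Returns 0 when the digests match, 1 on mismatch, missing or malformed input,
# 2 when no hashing tool is available.
verify_asset() {
    asset=$1
    sumfile=${2:-"$1.sha256"}
    [ -f "$asset" ]   || { echo "missing asset: $asset" >&2; return 1; }
    [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 1; }

    actual=$(sha256_of "$asset") || return 2
    expected=$(expected_digest "$sumfile")

    # A digest must be exactly 64 lower-case hex characters; reject anything else
    # rather than silently comparing against garbage.
    case "$expected" in
        ""|*[!0-9a-f]*) echo "malformed checksum file: $sumfile" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file: $sumfile" >&2; return 1; }

    if [ "$actual" = "$expected" ]; then
        echo "OK: $asset matches $sumfile"
        return 0
    fi
    echo "MISMATCH: $asset" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    verify_asset "$@"
fi
```

A matching result shows that the local file is byte-identical to what the release workflow uploaded for that tag; because the .sha256 file is served from the same release page as the asset, it does not by itself prove who produced the release. That is what step 3 (the GitHub Actions run for the tag) and, on macOS, the Developer ID signature add on top of the checksum.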

Reporting vulnerabilities

Please do not post exploitable security issues publicly until they can be triaged. If GitHub private vulnerability reporting is enabled for this repo, use it. Otherwise, open a minimal GitHub issue that says you have a private security report and include a safe contact path.

Helpful details:

  • BowEcho version and release asset name.
  • Operating system and CPU architecture.
  • Whether the checksum matched.
  • Graphics backend shown by the app, if relevant.
  • Panic log or diagnostic export, if the issue involves a crash.

Safety scope

BowEcho is not an official warning source. Security fixes protect the software and its update/download path; weather safety decisions should still use official National Weather Service warnings, local emergency management, and other authoritative sources.
