← Back to Mascarata
|

Security & Code Signing

Mascarata releases are signed by the ESFOM Root CA. Install the root certificate once to get verified-publisher status on Windows and to verify downloads on all platforms.

1. About the ESFOM Root CA

Mascarata is distributed as a cryptographically signed release built on the ESFOM Root CA.

2. Install the ESFOM Root Certificate

Download the root certificate: esfom-root.crt.

Windows

  1. Download esfom-root.crt.
  2. Double-click the file and choose Install Certificate…
  3. Select Local Machine, then click Next.
  4. Choose Place all certificates in the following storeBrowse → select Trusted Root Certification Authorities.
  5. Click Finish.

Linux (Ubuntu / Debian)

  1. Download esfom-root.crt.
  2. sudo cp esfom-root.crt /usr/local/share/ca-certificates/
  3. sudo update-ca-certificates

macOS

  1. Download esfom-root.crt.
  2. Double-click — Keychain Access opens.
  3. Right-click the certificate → Get Info → expand Trust.
  4. Set When using this certificate to Always Trust.

3. Verify a Linux / macOS Download

Each archive ships with a detached OpenSSL signature. Download both files, then verify:

# Linux example
openssl dgst -sha256 -verify esfom-codesign.pem \
  -signature mascarata-linux-x64-1.2.1.tar.gz.sig \
  mascarata-linux-x64-1.2.1.tar.gz
# → Verified OK

# macOS example
openssl dgst -sha256 -verify esfom-codesign.pem \
  -signature mascarata-macos-x64-1.2.1.tar.gz.sig \
  mascarata-macos-x64-1.2.1.tar.gz
# → Verified OK

The public signing certificate is available at /dist/esfom-codesign.pem.

4. Verify the Windows Executable Signature

Right-click mascarata.exePropertiesDigital Signatures tab. Or via PowerShell:

(Get-AuthenticodeSignature .\mascarata.exe).Status
# → Valid

If the ESFOM Root CA is not yet installed, the status will show UnknownError. Install the root certificate first.

Last updated: April 2026  ·  mascarata@esfom.com