SECURITY

Security

Last updated: . How we sign Castforge installers, how to verify a download yourself, and how to report a security issue.

How we sign Castforge

Castforge installers are published under a code-signing process. Our signing path is Azure Artifact Signing under Castforge AI (with an SSL.com OV certificate and cloud HSM as the fallback path) as we roll code signing out across our builds. Code signing lets Windows confirm an installer came from us and has not been altered after we built it.

Castforge is a new app, so Windows SmartScreen builds reputation over the first 30 to 60 days of installs. While that reputation builds you may see a "Windows protected your PC" dialog the first time you run the installer. The download page walks through exactly what to do.

Verifying the installer yourself

You never have to take our word for it. Two checks confirm a download is genuine.

First, confirm the signature on the file. Open PowerShell in the folder where you saved the installer and run:

signtool verify /pa /v Castforge_x64-setup.exe

Second, compare the file hash against the SHA256 value we publish next to every download:

Get-FileHash .\Castforge_x64-setup.exe -Algorithm SHA256

The two hash values must match exactly. If they do not, delete the file, download it again from castforge.ai/download, and email support@castforge.ai if it still does not match.

How Castforge handles your credentials

Castforge only ever custodies its own secrets: your Castforge account session and any API keys you enter yourself. The desktop app stores those in your operating system keychain on your machine and never uploads them to our servers.

For subscription sign-in, Castforge never holds your AI provider credentials at all. Each agent CLI you already pay for manages its own login and its own tokens; Castforge drives those CLIs as subprocesses and never extracts or copies the provider credentials they manage. The web dashboard at castforge.ai only ever sees a secret-free connection status, never your tokens or keys.

Reporting a security issue

If you find a vulnerability or anything that looks like a security problem, email security@castforge.ai. Please include the steps to reproduce and, if you can, the affected version. We aim to acknowledge a report within two business days.

We practice coordinated disclosure: please give us a reasonable window to investigate and ship a fix before publishing details, and we will keep you updated while we work. We will not pursue legal action against good-faith research that respects user privacy and avoids service disruption. This is the contact you would find in a /.well-known/security.txt disclosure file.