Skip to content

Windows install path: PowerShell installer, winget, scoop#28

Merged
Taure merged 3 commits into
mainfrom
feat/windows-install
Jul 6, 2026
Merged

Windows install path: PowerShell installer, winget, scoop#28
Taure merged 3 commits into
mainfrom
feat/windows-install

Conversation

@Taure

@Taure Taure commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Windows users had to download a zip from Releases and wire up PATH by hand while Linux/macOS got a one-line installer. This brings Windows to parity and hardens two Windows-specific rough edges found while verifying the binary actually runs there.

What's here

Install parity

  • install.ps1 mirrors install.sh: detects arch, resolves latest (or ASOBI_VERSION), downloads the zip + checksums.txt, verifies SHA256, installs to %LOCALAPPDATA%\asobi\bin (or ASOBI_INSTALL_DIR), and adds it to the user PATH. Run via irm ...install.ps1 | iex.
  • goreleaser publishes scoop and winget manifests. Both uploads are gated on SCOOP_TOKEN / WINGET_TOKEN being non-empty, so a tag cut before the tap repos and PATs exist still ships binaries -- only the manifest push is skipped.
  • release.yml passes SCOOP_TOKEN / WINGET_TOKEN through to goreleaser.
  • README documents PowerShell + winget + scoop alongside the Unix one-liner.

Windows fixes found while verifying

  • openBrowser: replaced cmd /c start <url> with rundll32 url.dll,FileProtocolHandler <url>. cmd re-parses the URL and treats & as a command separator, so any query string would break the login open; rundll32 receives the URL as a direct argument.
  • SECURITY.md: the credential-storage section implied a portable 0600/0700 guarantee that does not hold on Windows (Go maps file modes only to the read-only attribute there). Now describes protection per-platform honestly and points at the DPAPI hardening tracked in Windows: encrypt credentials at rest via DPAPI #27.

Not a vulnerability

Windows creds-at-rest was assessed and is not advisory-worthy: on a default install the file inherits the user-profile ACL (owner + SYSTEM + Administrators), matching the Unix 0600 guarantee for the "other unprivileged user" threat. DPAPI encryption-at-rest is defense-in-depth, tracked as enhancement #27.

Follow-up before winget/scoop go live (one-time, out of this PR)

  1. Create widgrensit/scoop-bucket (can be empty).
  2. Fork microsoft/winget-pkgs to widgrensit/winget-pkgs (first submission is manually reviewed by Microsoft).
  3. Add PATs scoped to those repos as SCOOP_TOKEN / WINGET_TOKEN secrets (GITHUB_TOKEN can't push cross-repo).

Verification

  • goreleaser check passes.
  • go build, go vet, go test ./internal/auth/ pass.
  • install.ps1 not lint-run here (no pwsh in env) -- worth a quick run on Windows before the first tagged release.

Taure added 3 commits July 6, 2026 21:52
Windows users had to download a zip from Releases and wire up PATH by
hand while Linux/macOS got a one-line installer. Bring Windows to parity:

- install.ps1: mirrors install.sh (checksum verify, ASOBI_VERSION /
  ASOBI_INSTALL_DIR, adds install dir to user PATH). Run via
  irm ... | iex.
- goreleaser: publish scoop and winget manifests. Uploads are gated on
  SCOOP_TOKEN / WINGET_TOKEN being present, so releases stay green until
  the tap repos and PATs exist.
- release.yml: pass SCOOP_TOKEN / WINGET_TOKEN through to goreleaser.
- README: Windows install instructions alongside Linux/macOS.
cmd /c start re-parses the URL through the shell, so an & in a query
string is read as a command separator and the open fails. Use rundll32
url.dll,FileProtocolHandler, which receives the URL as a direct argument
with no shell re-parsing.
The 0600/0700 modes are a portable-looking guarantee that does not hold
on Windows, where Go maps file modes only to the read-only attribute.
State honestly that Windows relies on the inherited user-profile ACL and
that DPAPI encryption-at-rest is tracked as a hardening enhancement.
@Taure
Taure merged commit 9361713 into main Jul 6, 2026
1 check passed
@Taure
Taure deleted the feat/windows-install branch July 6, 2026 20:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant