Windows apps can now trigger Microsoft Defender SmartScreen warnings even when they are signed with a valid EV code signing certificate. EV certificates no longer provide the immediate SmartScreen reputation they once did, so new releases need to build reputation like OV-signed apps.

We recently added Debian APT repository support to ToDesktop. We needed to dynamically sign Debian repo manifests with PGP without exposing PGP private keys to unnecessary risk or turning our system into a tangled mess. The solution? Cloudflare Workers service bindings. They let us isolate sensitive operations, keep our codebase clean, and get isolated visibility into what's happening. Here's how we made it work.