--- name: install-warnings type: release tags: [release, v0.1, install, gatekeeper, smartscreen, sha256, user-facing] description: "Per-platform first-install warnings for Lumotia v0.1. macOS Gatekeeper workaround (no Apple notarisation in v0.1). Windows SmartScreen workaround (no EV signing in v0.1). Linux AppImage SHA-256 verification. Linked from v0.1-release-notes.md and README.md." --- # First-install warnings — Lumotia v0.1 When you install a new unsigned app, your OS will say something. This page tells you what to expect on each platform and what to do. The warnings are expected. ## macOS — Gatekeeper warning **What you'll see.** One of: - "App can't be opened because it is from an unidentified developer." - "[App] is damaged and can't be opened. You should move it to the Trash." **Why it happens.** Lumotia v0.1 is not notarised with an Apple Developer ID. macOS Gatekeeper blocks unsigned apps by default. Neither message means the file is damaged or malicious. **What to do.** Two options, either works: 1. System Settings → Privacy & Security → Security section → click "Open Anyway" next to the Lumotia entry, then confirm. 2. In Finder, Control-click the app → Open → click Open in the dialog. macOS remembers your choice; you only do this once. **When this goes away.** When we ship a notarised build with an Apple Developer ID. Tracked in the v0.1 release checklist; see `KNOWN-ISSUES.md` for status. --- ## Windows — SmartScreen warning **What you'll see.** A blue dialog: "Windows protected your PC." **Why it happens.** Lumotia v0.1 ships without an EV code-signing certificate. SmartScreen flags installers from publishers without established reputation. **What to do.** 1. Click "More info" in the SmartScreen dialog. 2. Click "Run anyway". SmartScreen does not re-block the app on relaunch after you've done this once. **When this goes away.** When we ship an EV-signed installer. --- ## Linux — AppImage verification No OS-level warning on Linux. Verify the file yourself before running it. **Verify the download.** The release page publishes a `.sha256` file alongside the AppImage: ```sh sha256sum -c lumotia-0.1.0-linux-x86_64.AppImage.sha256 ``` Or compare manually: ```sh sha256sum lumotia-0.1.0-linux-x86_64.AppImage ``` Check the output against the value in the `.sha256` file. A match means the file is intact. **Mark it executable before running:** ```sh chmod +x lumotia-0.1.0-linux-x86_64.AppImage ./lumotia-0.1.0-linux-x86_64.AppImage ``` **GPG signing.** Not available in v0.1. When a signing key is published, it will appear on the release page. **When this changes.** GPG signing is deferred to a near-term point release.