The build pipeline
Studio’s frontend, backend, and Go agent are built in the same controlled CI environment as the AWS infrastructure. The pipeline runs through AWS Amplify Hosting:
| Phase | What happens |
|---|---|
| Backend pre-build | A required-secrets check runs first; if any expected SSM parameter is missing, the build fails before any code runs. |
| Backend build | Amplify CDK synthesises the AppSync schema, the DynamoDB tables, the Lambda functions, the IAM and KMS resources. |
| Backend post-build | Smoke tests run against the deployed stack — including the FIPS endpoint assertion (kms-fips.us-east-1.amazonaws.com) and the principal-tag mapping. |
| Frontend pre-build | Dependencies install; lockfile is enforced. |
| Frontend build | Next.js produces the static export shipped inside Electron. |
| Agent build | Go sidecar compiles with GOEXPERIMENT=boringcrypto and the version-stamped build flags. |
| Desktop package | electron-builder produces signed installers for macOS (universal and Intel) and Windows (x64). |
| Release publish | Artifacts upload to a controlled CDN under download.altostrat.io. |
Code signing
| Platform | Signature |
|---|---|
| macOS | Signed with an Apple Developer ID Application certificate. Notarized through Apple’s notary service so Gatekeeper allows the install without a right-click bypass. |
| Windows | Signed with an Authenticode certificate. The installer reports a verified publisher in the standard SmartScreen / UAC dialogs. |
Update flow
The desktop app uses electron-updater for self-update. The flow:
1. App checks for updates. On launch and on a periodic schedule, Studio checks the release feed at download.altostrat.io for the current channel.
2. Compare with installed version. If a newer version exists, Studio downloads its metadata file (latest-mac.yml or latest.yml), which contains the version, release date, and SHA-512 hashes for each artifact.
3. Verify SHA-512. electron-updater computes the SHA-512 of the downloaded artifact and compares it against the hash in the metadata file. A mismatch aborts the update.
4. Verify signature. The OS verifies the installer’s signature. macOS additionally checks notarization status. A failed signature aborts the update.
Release artifacts
Release artifacts are versioned and immutable. The naming follows:
| Artifact | Where to download |
|---|---|
| macOS Apple Silicon | https://download.altostrat.io/studio/altostrat-studio-apple-arm64-latest.dmg |
| macOS Intel | https://download.altostrat.io/studio/altostrat-studio-apple-x64-latest.dmg |
| Windows x64 | https://download.altostrat.io/studio/altostrat-studio-windows-x64-latest.exe |
latest symbolic links always point to the most recent release in the active channel. A specific version is also addressable by version number for organizations that want to pin to a known build.
Dependencies
Studio’s dependency surface is large by browser-app standards and small by desktop-app standards. The main lines of defense:
- Lockfile enforcement. Every release builds against a committed lockfile. Floating versions are not used in production builds.
- No post-install scripts. Dependencies that try to run scripts during install are rejected; the lockfile-install step disables this.
- Periodic vulnerability scanning. The dependency tree is scanned against published advisory databases on every release; high-severity advisories block the release until addressed.
- First-party crypto. Cryptographic primitives that matter for Studio’s safety claims are not pulled from arbitrary third parties. AES-256-GCM is BoringCrypto in the Go agent; KMS is AWS-managed; the JWT path is Clerk-managed.
What we do not do
- No remote code load at runtime. Studio does not download and execute additional code modules at runtime. Updates always go through the signed installer flow.
- No silent telemetry-driven feature flags that change behavior. Feature flags exist for staged rollout, but they enable or disable existing code paths; they do not load new code.
- No second binary fetched at runtime. The Go sidecar is part of the signed installer. It is not a separate download.
What you can verify
- The macOS signature: codesign -dv --verbose=4 /Applications/Altostrat\ Studio.app reports the signing identity and team.
- The macOS notarization: spctl --assess --type execute /Applications/Altostrat\ Studio.app reports accepted from the notary service.
- The Windows signature: right-click the installer → Properties → Digital Signatures, or Get-AuthenticodeSignature in PowerShell.
- The release SHA-512: visible in latest-mac.yml / latest.yml on the download server, comparable against your downloaded installer.
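The SHA-512 comparison from the update flow, which is also the last check in the list above, can be reproduced outside the app. This is an added example, not Altostrat's or electron-updater's own code: the function names are hypothetical, and it assumes the metadata lists each artifact as a url (or path) line followed by its sha512 line, with the digest base64-encoded as electron-builder normally writes it (hex is accepted too).

```python
import base64
import hashlib
import hmac
import re

def parse_artifact_hashes(metadata_text):
    """Map artifact name -> sha512 string (assumes url/path precedes its sha512)."""
    hashes, current = {}, None
    for line in metadata_text.splitlines():
        m = re.match(r"\s*(?:-\s+)?(url|path|sha512):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if key != "sha512":
            current = value
        elif current is not None:
            hashes[current] = value
    return hashes

def decode_digest(text):
    """Accept the digest as base64 (88 chars) or hex (128 chars)."""
    if re.fullmatch(r"[0-9a-fA-F]{128}", text):
        return bytes.fromhex(text)
    raw = base64.b64decode(text, validate=True)
    if len(raw) != hashlib.sha512().digest_size:
        raise ValueError("not a SHA-512 digest")
    return raw

def file_sha512(path, chunk_size=1 << 20):
    """Hash in chunks so a large installer is never held in memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.digest()

def verify_installer(installer_path, metadata_text, artifact_name):
    """True only on an exact match; KeyError if the artifact is not listed."""
    expected = decode_digest(parse_artifact_hashes(metadata_text)[artifact_name])
    return hmac.compare_digest(file_sha512(installer_path), expected)

if __name__ == "__main__":  # demo on constructed data, not a real release
    import pathlib, tempfile
    with tempfile.TemporaryDirectory() as d:
        installer = pathlib.Path(d, "demo-installer.exe")
        installer.write_bytes(b"constructed installer bytes")
        b64 = base64.b64encode(file_sha512(installer)).decode()
        meta = f"version: 0.0.0\nfiles:\n  - url: {installer.name}\n    sha512: {b64}\n"
        print(verify_installer(installer, meta, installer.name))
```

A hash match only shows the installer is the one the metadata file describes; the signature and notarization checks above are what tie it to the publisher.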
Reporting a supply-chain concern
If you find something that looks like a tampered installer, an unexpected signature, a suspicious update prompt, or any indication that the supply-chain controls described here failed, contact us through troubleshooting. Supply-chain concerns are escalated immediately and not subject to normal triage queues.
Related
Identity and access
The runtime authentication that depends on the signed binary having reached your machine intact.
Agent and local runtime
The two processes inside the signed installer and how they coordinate.