Add GPL-3.0 license, code signing policy, SignPath config

- GPL-3.0 LICENSE file (required for SignPath Foundation OSS program) - CODE_SIGNING_POLICY.md (SignPath Foundation requirement) - .signpath/config.yml (artifact signing configuration) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:09:15 +01:00
commit 2add1fde07
--- a/CODE_SIGNING_POLICY.md
+++ b/CODE_SIGNING_POLICY.md
@@ -0,0 +1,36 @@
+# Code Signing Policy
+
+## Overview
+
+InstaDrums uses free code signing provided by [SignPath Foundation](https://signpath.org/) via [SignPath.io](https://signpath.io/).
+
+## Signing Certificate
+
+- **Certificate provider:** SignPath Foundation
+- **Signing service:** SignPath.io
+- **Certificate type:** Open Source Code Signing (EV equivalent for Windows)
+
+## Build Process
+
+All signed binaries are built exclusively through GitHub Actions CI:
+- Source code: https://github.com/hariel1985/InstaDrums
+- Build workflow: `.github/workflows/build.yml`
+- No binaries are signed outside of the CI pipeline
+
+## Team Roles
+
+| Role | Responsibility |
+|------|---------------|
+| **Author** | Writes and submits code via pull requests |
+| **Reviewer** | Reviews pull requests before merge |
+| **Approver** | Approves signing requests on SignPath.io |
+
+## Privacy
+
+InstaDrums does not collect, transmit, or store any user data. The plugin operates entirely offline and does not make any network connections.
+
+## Transparency
+
+- All source code is publicly available under GPL-3.0
+- Build artifacts are generated from the public CI pipeline
+- Signing requests are logged and auditable via SignPath.io