v0.26.0 nearly doubled what AZMX ships every release — three new architectures, signed Windows installers, properly notarized macOS, and a cleaner install-time identity. Every piece below is in your ~/Downloads/ folder right now if you grabbed the latest. Full release notes ↗
PLATFORMS
Seven targets. One release run.
The release matrix expanded from 4 cells to 7: Mac Apple Silicon · Mac Intel · Mac Universal · Linux x64 · Linux ARM64 · Windows x64 · Windows ARM64. The "Universal" macOS build is a single .dmg that runs natively on either Intel or Apple Silicon — pick one binary, never wonder which architecture.
Linux ARM64 builds natively on the new ubuntu-22.04-arm GitHub runner (no QEMU emulation), and Windows ARM64 cross-compiles via aarch64-pc-windows-msvc. AZMX now runs on every desktop class a developer uses in 2026.
+3 new architectures · 26 published artifacts · ~25 min matrix
WINDOWS
Authenticode-signed. No SmartScreen warning.
Every Windows MSI and NSIS installer is now signed via Azure Artifact Signing with the legal-name publisher CN=Dhruvitkumar Talati. Right-click the installer → Properties → Digital Signatures shows the validated identity. SmartScreen on first install shows "Verified publisher" instead of the dreaded "Unknown publisher".
The signing key is HSM-backed in Azure (no on-disk PFX, no USB token, no annual cert renewal ritual). Certificates auto-rotate every ~3 days; the embedded RFC 3161 timestamp keeps signatures valid long after each cert expires.
SHA256 + RFC 3161 · Microsoft TSA · Auto-rotating cert
MACOS
DMG itself is now notarized + stapled.
v0.25.0 silently shipped a bug: the inner .app was Apple-notarized, but the outer .dmg wasn't. macOS Sonoma+ Gatekeeper inspects the downloaded .dmg before mounting; an unnotarized one fails to mount with a silent refusal. Users saw "app won't open" with no error.
Fixed in v0.26.0 with a new xcrun notarytool submit + stapler staple step on every macOS build. A permanent spctl -a -t open + xcrun stapler validate gate in CI fails the release before publish if either check fails — same class of bug can never reach users again.
spctl: accepted · Notarized Developer ID · Regression gate locked
IDENTITY
"AZMX" — drops the " AI" suffix on installs.
The productName the installer registers in macOS Applications, Windows Start menu, and Linux .desktop entries is now just AZMX. Matches Cursor / Linear / Notion-style brand stripping for the OS-level display name. Marketing brand on the website stays "AZMX AI"; only the installed app shortens.
Bundle identifier (app.azmx.ai) is unchanged so the auto-updater + on-disk app-state directory keep working across the rename — no orphaned user data, no auto-update break.
Bundle ID stable · No data migration · One-letter shorter logs
DEEP-LINK
azmx:// activation, restored.
A JSON config drift had silently dropped the OS-level azmx:// URL scheme registration across every release since the deep-link plugin was added. License activation (azmx://activate?receipt=… handoff from the Polar checkout success page) was the visible casualty — links from the browser didn't open the installed app.
Fixed by merging the duplicated "plugins" blocks in azmx.conf.json so the deep-link scheme registration actually reaches the OS at bundle time. macOS Info.plist, Windows installer hooks, and Linux .desktop association all stamped correctly now.
License activation works · Polar checkout → app handoff
PIPELINE
Four preflights. Zero broken releases.
The release workflow now runs four fail-fast preflight jobs in parallel before the 25-min matrix build: credential probe (cross-repo PAT can write to AzmxAI/azmx), model-registry drift (no dead model IDs), Pro-checkout e2e (Polar → /webhook/mor → activate full flow), and version-sync (package.json + Cargo.toml + azmx.conf.json all agree).
Each one catches a real prior-incident class: PAT mis-scope, NVIDIA NIM model EOL, license-flow drift, and the v0.18.0 mis-versioned MSI artifact. A broken release is now structurally impossible — every category we've ever shipped a bug in has a guard.
~5 sec preflights · 4 classes guarded · Same gates on every dispatch
