Desktop downloads¶
The desktop app uses the exact same conversion engine as the CLI and Python API. The only thing that changes across release assets is packaging, platform integration, and how convenient the install flow is for a given operating system.
Which download should I choose?¶
| Platform | Architecture | Recommended download | Other available formats |
|---|---|---|---|
| Windows | x64 |
windows-x64-setup.exe |
windows-x64.exe |
| Windows | ARM64 |
windows-arm64-setup.exe |
windows-arm64.exe |
| Linux (Debian / Ubuntu family) | x64 |
linux-amd64.deb |
linux-x86_64.flatpak, linux-x64.AppImage, linux-x64.tar.gz |
| Linux (Debian / Ubuntu family) | ARM64 |
linux-arm64.deb |
linux-aarch64.flatpak, linux-arm64.AppImage, linux-arm64.tar.gz |
| Linux (Fedora / openSUSE / RHEL-like) | x64 |
linux-x86_64.rpm |
linux-x86_64.flatpak, linux-x64.AppImage, linux-x64.tar.gz |
| Linux (Fedora / openSUSE / RHEL-like) | ARM64 |
linux-aarch64.rpm |
linux-aarch64.flatpak, linux-arm64.AppImage, linux-arm64.tar.gz |
| Linux (cross-distro) | x64 |
linux-x86_64.flatpak |
linux-x64.AppImage, linux-x64.tar.gz |
| Linux (cross-distro) | ARM64 |
linux-aarch64.flatpak |
linux-arm64.AppImage, linux-arm64.tar.gz |
| macOS | universal2 |
macos.dmg |
none |
Short guidance¶
- Choose
Setup.exeon Windows unless you explicitly want the portable standalone.exe. - Choose
.debon Debian, Ubuntu, Linux Mint, Pop!_OS, and close derivatives. - Choose
.rpmon Fedora, openSUSE, and RHEL-like systems. - Choose
.flatpakwhen you want a cross-distro Linux install flow. - Choose
.AppImagewhen you prefer a single portable Linux file instead of an installed package. - Choose
.tar.gzonly if you specifically want the raw extracted bundle. - Choose
macos.dmgon macOS for the standard drag-and-drop install flow. The bundle is built as universal2 so one download works on both Apple Silicon and Intel Macs.
Release verification¶
Public releases now ship with a small set of verification assets:
SHA256SUMS.txtSHA256SUMS.txt.sigstore.jsonSHA256SUMS.txt.ascwhen GPG signing is enabledsvg-to-drawio-release-signing-key.ascwhen GPG signing is enabledsvg-to-drawio-<version>-verification-bundles.zipfor advanced per-artifact verification
The recommended verification flow is to verify the checksum manifest once, then verify the downloaded file against that manifest.
cosign verify-blob SHA256SUMS.txt \
--bundle SHA256SUMS.txt.sigstore.json \
--certificate-identity "https://github.com/V1rg1lee/svg-to-drawio/.github/workflows/desktop-build.yml@refs/tags/v3.3.0" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
sha256sum -c SHA256SUMS.txt
If GPG assets are present:
gpg --import svg-to-drawio-release-signing-key.asc
gpg --verify SHA256SUMS.txt.asc SHA256SUMS.txt
The advanced archive svg-to-drawio-<version>-verification-bundles.zip contains:
- one Sigstore bundle per artifact (
*.sigstore.json) - detached
*.AppImage.ascfiles when GPG signing is enabled
Use that archive only if you want artifact-by-artifact verification instead of the simpler manifest-first flow above.
Notes¶
- AppImages can also carry an embedded GPG signature when signing is enabled in the release workflow.
- These checks improve provenance and integrity verification, but they do not replace Windows Authenticode / SmartScreen trust or macOS notarization.
.deb,.rpm, and.flatpakare published as standalone release files here, not through a full package repository or app store.
Windows SmartScreen and macOS Gatekeeper warnings¶
The Windows installer/executable is not Authenticode-signed, and the macOS app is not notarized by Apple. This is a deliberate trade-off, not an oversight: code-signing certificates and Apple Developer Program membership both cost money on an ongoing basis, which this single-maintainer, donation-free project does not currently have. The Sigstore/GPG verification flow above is offered as a free, OS-independent alternative, but it does not suppress OS-level warnings.
Expect to see, and have to dismiss, the following on a first run:
- Windows: SmartScreen shows "Windows protected your PC". Click More info, then Run anyway. This appears because the binary is unsigned, not because it was flagged as malware. Sometimes Windows Defender will also show a warning, you have to open Windows Security in the page "App & browser control → Intelligent App Control" and choose Off to allow the app to run. You can turn this back on after the run.
- macOS: Gatekeeper reports the app is "damaged" or "cannot be opened because the developer cannot be verified". Right-click (or Control-click) the app and choose Open, then confirm in the dialog. On recent macOS versions you may instead need System Settings → Privacy & Security → Open Anyway.