# Changelog All notable changes to xetup. Format based on [Keep a Changelog](https://keepachangelog.com). No diacritics anywhere (project rule). Builds are continuous: every push to `main` produces a signed `xetup.exe` published as the `latest` release. Version tags (e.g. `v0.7`) mark notable milestones. ## [Unreleased] _Nothing yet._ ## [0.7] - 2026-06-02 ### Added - **Code signing in CI**: the release workflow signs `xetup.exe` on every push (and via `workflow_dispatch`) using Azure Trusted Signing (certificate "X9.cz s.r.o.") through jsign, plus an RFC3161 timestamp (`timestamp.acs.microsoft.com`). jsign is pinned by version + sha256. Trusted Signing certs are short-lived (~3 days); the timestamp keeps the signature valid past expiry. Only `AZURE_CLIENT_SECRET` is a Forgejo Actions secret. (`853908b`) - `workflow_dispatch` trigger for manual release runs. (`cdad15a`) - **Keyboard layout**: CZ primary + US secondary, applied to all profiles via `Set-WinUserLanguageList` (current user) and the `Preload` key in the Default hive and `HKU\.DEFAULT`. (`94b7786`) ### Fixed - **winget** (02, 11): pass `--source winget` to every install. Fresh Win11 ISOs ship an App Installer with a stale pinned cert, so the msstore source fails with `0x8a15005e` and aborts the install; forcing the winget source bypasses it. (`94b7786`) - **Network Discovery** (10): enable by resource-string group `-Group "@FirewallAPI.dll,-32752"` instead of `-DisplayGroup "Network Discovery"`, which is localized and failed on Czech Windows. (`94b7786`) - **Atera detection** (02): verify via the `AteraAgent` service (`Get-Service`) with a path-check fallback incl. `C:\ProgramData`, since Atera no longer installs to a fixed location. (`94b7786`) - **Windows Update log** (12): format installed updates via `$_.Result`/`$_.Title` instead of logging the raw objects (which printed "System.__ComObject"). (`94b7786`) - **UCPD** (02): the UCPD stop failure on Win11 24H2 (protected service) is logged WARN, not ERROR; the system-wide HKCR write succeeds regardless. (`94b7786`) - **Atera under SYSTEM** (02): install the MSI via a one-shot scheduled task running as `NT AUTHORITY\SYSTEM` (`msiexec /qn`). Under SYSTEM the agent registers silently with no interactive MFA window. (`451b9e2`) - **Taskbar File Explorer pin** (04): pin Explorer via its AppUserModelID (`DesktopApplicationID="Microsoft.Windows.Explorer"`) instead of a hand-made `.lnk`. The custom shortcut launched a second Explorer that did not group with the running window and could not be unpinned. (`451b9e2`) - **Accent color in all profiles** (04): write `AccentPalette` (REG_BINARY, 8 shades from #223B47) alongside `AccentColor`. Without it Win11 drops the custom accent on Start/taskbar and falls back to the default. The full theme (Custom mode: dark system + light apps; accent on Start/taskbar and title bars/borders) is written to the Default hive, the current user (HKCU) and `HKU\.DEFAULT` so all profiles match. (`4d08d0c`) - **BackInfo background color**: `BackgroundColor 4668194 -> 2243399`. BackInfo reads the value as 0xRRGGBB (RGB), not COLORREF/BGR, so #223B47 = 2243399; the BGR value swapped red/blue. (`4d08d0c`) ### CI / Infra - deploy.json update step made non-fatal (cosmetic, runs after the release is published). (`8a7fc10`) - Forgejo runner: bind-mount the docker socket into job containers so the deploy.json step's `docker exec` works. (`c8c8523`, `beceeb4`) - docker-compose: mount `web/data` read-write so CI can refresh `deploy.json` (rest of the web docroot stays read-only). (`7becac7`) ### Docs - Web (spec, descriptions.json, navod, landing) updated for all of the above. - `SPEC.md` + `CLAUDE.md` synced. Added this `CHANGELOG.md`. ## [0.6] - 2026-04-28 ### Added - Step 03: disable hibernation and Smart App Control; reworked Edge configuration (mandatory policies + initial_preferences). (`0cfe751`) ### Fixed - Reliability and robustness pass: watchdog kills a stalled script after 30 min of silence; reboot-loop protection caps each step at 5 restarts; atomic `state.json` writes (tmp+rename); email report retried 3x with a local HTML fallback; Default-hive unload retried; resume mode fixed to actually run pending steps. (`d30767e`) --- Earlier history (pre-0.6): see the git log - initial Go launcher, embedded PowerShell steps, reboot-resume cycle, Forgejo CI build, and the static site at xetup.x9.cz.