Gobby client - insecure download?

This is related to Gobby/Infinoted.

I installed the server on Freedombox Apps OK.

Per directions, went to github to download the client at:

This page links to the download with an insecure linkify.me.

I end up at: /gobby/gobby/releases
And downloaded: gobby-0.6.0-x64.exe

Github says releases are signed with fingerprint 7288 34F3 B8D5 52ED 25CC 1B1F B1C7 1544 BF1D 92C7

The output I got was:
PS C:\Users\XXX\Desktop> get-filehash gobby-0.6.0-x64.exe
Algorithm Hash Path


SHA256 D8B3C71D166E95DA3E13AB920DC63CD0BE7CE4D4F43E4567ABD8646CBDC72128 C:\Users\XXX\Desktop\gob…

PS C:\Users\XXX\Desktop> get-AuthenticodeSignature gobby-0.6.0-x64.exe
Directory: C:\Users\XXX\Desktop

SignerCertificate Status Path


                                      NotSigned                              gobby-0.6.0-x64.exe

Can any one confirm if the download is safe? Perhaps I am attempting to verify it incorrectly as a novice, or perhaps this is cause for concern.

It seems like linkify.me is a URL shortener (and tracker!). The shortened link ultimately redirects to the GitHub releases page which you found.

In the releases, I can see that there is no GPG signature file provided for the exe file.

get-filehash command is unnecessary in this case.
get-AuthenticationcodeSignature cannot be used to verify GPG signatures.

If you try to install the exe and Windows shows a popup that the file is from an unknown developer, that means either the developer hasn’t signed the executable or hasn’t submitted their certificate to Microsoft’s trust store (neither of which means that your download is insecure).

BTW, the wiki says that the Windows executable includes the server component (infinoted) as well. Make sure that you connect Gobby to your FreedomBox’s Infinoted server, or your files might only be saved on the Windows machine.