Software is distributed on Linux as an AppImage, which has no native sandboxing and should be considered untrusted.
Best practice for releases is publishing a PGP public key on a keyserver and offering a signature file created with this keypair alongside each release. This allows users to verify with some confidence that the binary is genuine and was not forged or altered by an attacker.
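The publish-a-key-and-sign-each-release practice described above, as an added example that is not part of this thread or of Cursor's own release process: it plays the publisher side (throwaway signing key, detached signature next to the artifact) and the user side (verification, and the rejection that follows once the downloaded file is altered). Assumes GnuPG 2.1 or later; the key identity, file names and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Simulates publisher signing and
# user-side verification of a release artifact with a detached PGP signature.
set -eu

# Isolated keyring so nothing touches the caller's ~/.gnupg; removed on exit.
export GNUPGHOME
GNUPGHOME=$(mktemp -d)
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Publisher: create a throwaway ed25519 signing key with no passphrase (placeholder identity).
make_publisher_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "Example Releases <releases@example.invalid>" ed25519 sign 0
}

# Publisher: produce the ASCII-armored detached signature shipped beside the release.
sign_release() {   # $1 = path to the artifact (e.g. Cursor.AppImage)
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign --output "$1.asc" "$1"
}

# User: returns 0 only if the signature is valid for exactly these bytes.
verify_release() {   # $1 = artifact, $2 = detached signature
  gpg --batch --quiet --verify "$2" "$1" 2>/dev/null
}

demo() {
  artifact="$GNUPGHOME/Cursor.AppImage"          # constructed stand-in, not a real AppImage
  make_publisher_key
  printf 'pretend AppImage bytes\n' > "$artifact"
  sign_release "$artifact"
  verify_release "$artifact" "$artifact.asc" && echo "genuine: signature valid"
  # Alter one byte, as a tampering download path would, and check again.
  printf 'X' >> "$artifact"
  if verify_release "$artifact" "$artifact.asc"; then
    echo "BUG: altered file passed verification"; return 1
  fi
  echo "altered: signature rejected"
}
```

On a real download the user-side step is just `gpg --verify Cursor.AppImage.asc Cursor.AppImage` after importing the publisher's published key.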
I’m trying to get my company to adopt Cursor as an alternative to VS Code and GitHub CoPilot.
One of the first things my security team noted is that the installs are not signed.🫨 This means we have no assurance that the install has not been tampered with between the time you posted it and the time we download it.
While I understand some trade-offs need to be made as you ramp up, I would suggest that your adoption rate would increase among enterprise customers if you took the (relatively minor) extra time to sign your distributions. It’s a relatively “quick win” that would impact your growth considerably.
Does your security team have other concerns than this? Such as source code sharing to Cursor / models to be trained for their purpose, something like ChatGPT Enterprise provides this: