1c05ef6a7a1a76646d378aa91b7287df9da186f9
`app.security.__csp_notes` failed `tauri.conf.json` schema validation
("Additional properties are not allowed") on BOTH platforms before any
compile. JSON can't hold comments and Tauri forbids extra keys, so the
rationale lives here instead:
CSP rationale (audit 2026-07): tightened from the fully-open policy.
- 'unsafe-eval' MUST stay: the native→web bridge (forward_deeplink /
emit_to_web) uses window.eval, governed by page CSP; also covers crypto wasm.
- The sha256 hash allowlists the single inline `window.global ||= window;`
shim in cinny's index.html (~line 96). If that snippet or its indentation
changes, recompute the hash or the shim is silently blocked.
- connect-src / img-src / media-src keep http: (plain-http homeservers).
- Review-added: Google Fonts (VT323) + OpenStreetMap iframe (m.location).
- style-src keeps 'unsafe-inline' for React style attributes.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Cinny desktop
Cinny is a matrix client focusing primarily on simple, elegant and secure interface. The desktop app is made with Tauri.
Download
Installers for macOS, Windows and Linux can be downloaded from Github releases. Releases are signed with a Ed25519 public-key.
| Operating System | Download |
|---|---|
| Windows | Get it on Windows |
| macOS | Get it on macOS |
| Linux | Get it on Linux · Flatpak |
Decoded public key:
RWRflTUQD3RHFtn25QNANCmePR9+4LSK89kAKTMEEB4OKpOFpLMgc64z
To verify release files, you need to download minisign tool and decode the .sig file before running:
minisign -Vm RELEASE_FILE.msi.zip -P RWRflTUQD3RHFtn25QNANCmePR9+4LSK89kAKTMEEB4OKpOFpLMgc64z -x SINGATURE.msi.zip.sig
Local development
Firstly, to setup Rust, NodeJS and build tools follow Tauri documentation.
Now, to setup development locally run the following commands:
git clone --recursive https://github.com/cinnyapp/cinny-desktop.gitcd cinny-desktop/cinnynpm cicd ..npm ci
To build the app locally, run:
npm run tauri build
To start local dev server, run:
npm run tauri dev
Languages
Rust
93.3%
JavaScript
4.9%
C
1.8%