Installing Sigil Auth on Windows

The Sigil Auth desktop app for Windows uses Windows Hello and TPM for hardware-backed key storage. Requires Windows 10 (1903+) or Windows 11.

Looking for the CLI testing tool? See CLI Device Tool for server integration testing without a GUI.

---

Installation Methods

MSIX Package (Recommended)

MSIX is the modern Windows app format with automatic updates and sandboxed security.

Requirements:

• Windows 10 version 1809+ or Windows 11
• Administrator privileges (one-time for certificate install)

Steps:

1. Download the MSIX package:

   # From GitHub Releases
   Invoke-WebRequest -Uri https://github.com/sigilauth/desktop/releases/download/windows/v0.1.0/Sigil.Windows_0.1.0.0_x64.msix -OutFile Sigil.Windows.msix

2. Install the signing certificate (first-time only):

   MSIX packages must be signed. Self-signed packages need the certificate added to Trusted People.

   # Extract certificate from MSIX
   Add-AppxPackage -Path .\Sigil.Windows.msix -DeferRegistrationWhenPackagesAreInUse
   
   # Or enable Developer Mode (Settings → Privacy & Security → For developers)

   Production releases from the Microsoft Store skip this step — Microsoft signs packages automatically.

3. Install the app:

   Add-AppxPackage -Path .\Sigil.Windows.msix

4. Launch: Start menu → “Sigil Auth”

Uninstall:

Get-AppxPackage -Name "com.wagmilabs.sigil" | Remove-AppxPackage

---

Scoop (Command-Line)

Scoop is a package manager for Windows. Handles updates via scoop update.

Install Scoop (if not already installed):

Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
irm get.scoop.sh | iex

Install Sigil Auth:

scoop bucket add sigilauth https://github.com/sigilauth/scoop-bucket
scoop install sigil-auth-desktop

Update:

scoop update sigil-auth-desktop

Uninstall:

scoop uninstall sigil-auth-desktop

---

Winget (Windows Package Manager)

Coming soon: Sigil Auth will be available via winget after Microsoft Store publication.

Once available:

winget install --id WagmiLabs.SigilAuth

---

Manual Download (Portable)

Download the standalone executable for no-install scenarios:

1. Download from GitHub Releases:

   Invoke-WebRequest -Uri https://github.com/sigilauth/desktop/releases/download/windows/v0.1.0/sigil-auth-windows-x64.zip -OutFile sigil-auth.zip
   Expand-Archive -Path sigil-auth.zip -DestinationPath .\SigilAuth

2. Run: .\SigilAuth\Sigil.Windows.App.exe

Limitations: No automatic updates, no Start menu integration, no sandboxing.

---

System Requirements

Component	Requirement
Operating System	Windows 10 (1903+) or Windows 11
Processor	x64 or ARM64
Memory	4 GB RAM minimum
TPM	TPM 2.0 (for hardware key storage)
Windows Hello	Face, fingerprint, or PIN configured
.NET Runtime	Bundled (no separate install needed)

Check TPM status:

Get-Tpm

Expected output: TpmPresent: True, TpmReady: True

Check Windows Hello: Settings → Accounts → Sign-in options → Windows Hello should show configured method.

---

First Run

1. Launch the app (Start menu or command line)

2. Windows Hello prompt: First launch asks for biometric setup

   • If already configured: Proceeds to app
   • If not configured: Redirects to Settings → Windows Hello setup

3. Generate device keypair:

   • App generates ECDSA P-256 keypair in TPM
   • Private key never leaves hardware
   • Public key fingerprint displayed (SHA-256 hash)

4. Connect to relay:

   • Default: wss://relay.sigilauth.com/ws
   • Custom relay: Settings → Relay URL

5. Copy fingerprint:

   • Displayed in main window
   • Register this fingerprint with your application server
   • Server uses fingerprint to send push notifications

Example fingerprint:

a3f2c8b4e1d9f6a2c5e8b1d4f7a0c3e6b9d2f5a8c1e4b7d0f3a6c9e2b5d8f1a4

---

Firewall Configuration

Sigil Auth requires outbound HTTPS/WSS access to the push relay.

Default relay: relay.sigilauth.com (port 443)

Allow outbound connections:

# Windows Firewall rule (if needed)
New-NetFirewallRule -DisplayName "Sigil Auth Relay" `
  -Direction Outbound `
  -Action Allow `
  -Program "C:\Program Files\WindowsApps\com.wagmilabs.sigil_*\Sigil.Windows.App.exe" `
  -Protocol TCP `
  -RemotePort 443

Most corporate firewalls allow outbound HTTPS by default. If connection fails, check proxy settings or contact IT.

---

Troubleshooting

“This app can’t run on your PC”

Cause: Wrong architecture (x64 app on ARM64 Windows or vice versa).

Fix: Download the ARM64 build from GitHub Releases:

Invoke-WebRequest -Uri https://github.com/sigilauth/desktop/releases/download/windows/v0.1.0/Sigil.Windows_0.1.0.0_arm64.msix -OutFile Sigil.Windows.msix

---

“Windows protected your PC” (SmartScreen)

Cause: Unsigned or unknown publisher on first release.

Fix (temporary):

1. Click “More info”
2. Click “Run anyway”

Fix (permanent): Production releases are Authenticode-signed to avoid this warning.

---

“Windows Hello is not available”

Cause: TPM not present, not enabled, or Windows Hello not configured.

Fix:

1. Check TPM: Settings → Privacy & Security → Windows Security → Device security → Security processor
2. Enable TPM: Restart → BIOS/UEFI → Security → Enable TPM 2.0
3. Set up Windows Hello: Settings → Accounts → Sign-in options → Windows Hello Face/Fingerprint/PIN

---

Connection fails to relay

Symptoms: “Disconnected” status, “Connection timeout” in logs.

Causes:

• Firewall blocking outbound HTTPS
• Proxy requiring authentication
• Custom relay URL misconfigured
• Network offline

Fix:

1. Test connectivity:

   Test-NetConnection -ComputerName relay.sigilauth.com -Port 443

   Expected: TcpTestSucceeded: True

2. Check proxy settings: Settings → Network & Internet → Proxy → Manual setup App respects system proxy settings automatically.

3. Try custom relay: If self-hosting, update relay URL in app Settings.

---

App crashes on startup

Cause: Corrupted app data or missing dependencies.

Fix:

1. Reset app data:

   Remove-Item -Recurse "$env:LOCALAPPDATA\Packages\com.wagmilabs.sigil_*\LocalState"

2. Reinstall:

   Get-AppxPackage -Name "com.wagmilabs.sigil" | Remove-AppxPackage
   Add-AppxPackage -Path .\Sigil.Windows.msix

3. Check Event Viewer:

   Get-WinEvent -LogName "Application" -MaxEvents 20 | Where-Object { $_.ProviderName -like "*Sigil*" }

---

Data Storage

Sigil Auth stores configuration and logs locally:

Data Type	Location
App configuration	%LOCALAPPDATA%\Packages\com.wagmilabs.sigil_*\LocalState\config.json
Logs	%LOCALAPPDATA%\Packages\com.wagmilabs.sigil_*\LocalState\logs\
Private key	TPM (never written to disk)

Backup configuration:

Copy-Item "$env:LOCALAPPDATA\Packages\com.wagmilabs.sigil_*\LocalState\config.json" .\backup-config.json

Note: Private key cannot be backed up or exported — it’s hardware-bound to the TPM chip. If you reinstall Windows or move to a new PC, you must re-register the device with your application server.

---

Related Documentation

• CLI testing tool: CLI Device Tool — command-line authenticator for integration testing (supports Windows via Scoop)
• Developer integration: Integrator Quickstart — integrate Sigil Auth into your app
• Self-hosting: Self-Hosting Guide — run your own relay and auth service
• Mobile apps: iOS and Android apps available at sigilauth.com/download

---

Support

Issues: https://github.com/sigilauth/desktop/issues
Discussions: https://github.com/sigilauth/desktop/discussions
Email: support@sigilauth.com

Security issues: security@sigilauth.com (GPG: keybase.io/sigilauth)