Merge pull request #4228 from jose-cardoso-a22506616/issue-3993

Closes #3993
Merge pull request #4227 from yugui923/fix/vault-options-mount-scroll
2026-05-15 01:01:26 +00:00 · 2026-05-04 08:50:10 +02:00 · 2026-04-27 14:50:46 +02:00 · 2026-04-27 13:01:13 +02:00 · 2026-04-27 09:22:01 +02:00 · 2026-04-25 14:41:28 +00:00
152 changed files with 4864 additions and 1965 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,10 +3,7 @@ updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
-      interval: "weekly"
-      day: "monday"
-      time: "06:00"
-      timezone: "Etc/UTC"
+      interval: "monthly"
    ignore:
      - dependency-name: "org.cryptomator:integrations-api"
        versions: ["2.0.0-alpha1"]
@@ -14,37 +11,13 @@ updates:
        versions: ["2.0.1.MR"]
      - dependency-name: "org.openjfx:*"
        update-types: ["version-update:semver-major"]
+      # due to https://github.com/fabriciorby/maven-surefire-junit5-tree-reporter/issues/68
+      - dependency-name: "org.apache.maven.plugins:maven-surefire-plugin"
+        versions: [ "3.5.4", "3.5.5" ]
    groups:
-      java-test-dependencies:
-        patterns:
-          - "org.junit.jupiter:*"
-          - "org.mockito:*"
-          - "org.hamcrest:*"
-          - "com.google.jimfs:jimfs"
-      maven-build-plugins:
-        patterns:
-          - "org.apache.maven.plugins:*"
-          - "org.jacoco:jacoco-maven-plugin"
-          - "org.owasp:dependency-check-maven"
-          - "me.fabriciorby:maven-surefire-junit5-tree-reporter"
-          - "org.codehaus.mojo:license-maven-plugin"
-      javafx:
-        patterns:
-          - "org.openjfx:*"
-      java-production-dependencies:
+      maven-dependencies:
        patterns:
          - "*"
-        exclude-patterns:
-          - "org.openjfx:*"
-          - "org.apache.maven.plugins:*"
-          - "org.jacoco:jacoco-maven-plugin"
-          - "org.owasp:dependency-check-maven"
-          - "me.fabriciorby:maven-surefire-junit5-tree-reporter"
-          - "org.codehaus.mojo:license-maven-plugin"
-          - "org.junit.jupiter:*"
-          - "org.mockito:*"
-          - "org.hamcrest:*"
-          - "com.google.jimfs:jimfs"

  - package-ecosystem: "github-actions"
    directory: "/" # even for `.github/workflows`
--- a/.github/release-body.md.template
+++ b/.github/release-body.md.template
@@ -0,0 +1,34 @@
+<!-- HEADER -->
+> [!WARN]
+> 🚧 DO NOT EDIT 🚧
+>
+> The [builds are still running](https://github.com/cryptomator/cryptomator/actions/workflows/create-release.yml).
+> This banner will be replaced after the builds are finished.
+<!-- /HEADER -->
+
+<!--REPLACE with auto-generated release notes (see below)
+### What's New 🎉
+### Bugfixes 🐛
+### Other Changes 📎
+END REPLACE-->
+
+For a comprehensive view of changes, read the [CHANGELOG](https://github.com/cryptomator/cryptomator/blob/$VERSION/CHANGELOG.md).
+
+---
+
+💾 SHA-256 checksums of release artifacts:
+```
+$TARBALL
+$EXE
+$MSI
+$DMG_x64
+$DMG_arm64
+$APPIMAGE_x86_64
+$APPIMAGE_aarch64
+```
+
+> [!TIP]
+> You can verify the GPG signature of all assets using our public key: [`5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235`](https://gist.github.com/cryptobot/211111cf092037490275f39d408f461a).
+
+<!-- Auto-Generated Release Notes: -->
+
--- a/.github/workflows/RELEASE.md
+++ b/.github/workflows/RELEASE.md
@@ -0,0 +1,189 @@
+# Cryptomator Release Workflow
+
+This document describes the automated release pipeline defined in [`draft-release.yml`](draft-release.yml) and [`post-publish.yml`](post-publish.yml).
+
+## Overview
+
+The release process has two phases:
+
+1. **Draft phase** (`draft-release.yml`) -- triggered by pushing a signed git tag. Compiles, tests, builds platform installers, and creates a **draft** GitHub Release.
+2. **Post-publish phase** (`post-publish.yml`) -- triggered when the draft release is manually **published**. Submits Windows installers for AV whitelisting, notifies the team for DEB build and latest-version update, and triggers downstream updates (website, docs, winget).
+
+```mermaid
+---
+config:
+  htmlLabels: false
+---
+flowchart TD
+    %% ── Trigger ──────────────────────────────────────────────
+    push_tag([🏷 Signed tag pushed])
+
+    %% ── Draft phase ──────────────────────────────────────────
+    push_tag --> get-version
+
+    subgraph draft["draft-release.yml"]
+        get-version["get-version
+        *parse semver from tag*"]
+
+        get-version --> create-release-draft
+        create-release-draft["create-release-draft
+        *compile & test (Linux)
+        create draft release
+        sign source tarball*"]
+
+        create-release-draft --> build-exe-and-msi
+        create-release-draft --> build-dmg-arm64
+        create-release-draft --> build-dmg-x64
+        create-release-draft --> build-appimages
+
+        build-exe-and-msi["build-exe-and-msi
+        *calls win-exe.yml
+        MSI + EXE (x64)
+        code-signed & GPG-signed*"]
+        build-dmg-arm64["build-dmg-arm64
+        *calls mac-dmg.yml
+        DMG (arm64)
+        notarized & GPG-signed*"]
+        build-dmg-x64["build-dmg-x64
+        *calls mac-dmg-x64.yml
+        DMG (x64)
+        notarized & GPG-signed*"]
+        build-appimages["build-appimages
+        *calls appimage.yml
+        AppImage (x86_64 + aarch64)
+        GPG-signed*"]
+
+        build-exe-and-msi --> update-sha256sums
+        build-dmg-arm64 --> update-sha256sums
+        build-dmg-x64 --> update-sha256sums
+        build-appimages --> update-sha256sums
+
+        update-sha256sums["update-sha256sums
+        *compute checksums
+        update release body*"]
+    end
+
+    update-sha256sums --> manual_review
+
+    %% ── Manual gate ──────────────────────────────────────────
+    manual_review{{Manual review
+    & publish}}
+
+    %% ── Post-publish phase ───────────────────────────────────
+    manual_review --> published([📢 Release published])
+    published --> post-publish
+
+    subgraph post-publish["post-publish.yml"]
+        direction TB
+
+        check-release["check-release
+        *classify release tag
+        stable, alpha, beta, rc, unknown*"]
+        notify["notify
+        *Slack notifications
+        deb build & version check*"]
+        get-asset-urls["get-asset-urls
+        *extract MSI & EXE
+        download URLs*"]
+
+        check-release --> notify-winget
+        check-release --> trigger-website
+        check-release --> trigger-docs
+
+        get-asset-urls --> allowlist-msi
+        allowlist-msi --> allowlist-exe
+
+        allowlist-msi["allowlist-msi-x64
+        *av-whitelist.yml
+        Kaspersky & Avast*"]
+        allowlist-exe["allowlist-exe-x64
+        *av-whitelist.yml
+        Kaspersky & Avast*"]
+
+        notify-winget["notify-winget
+        *Slack: ready for winget
+        stable only*"]
+        trigger-website["trigger-website-update
+        *dispatch to
+        cryptomator.github.io
+        stable only*"]
+        trigger-docs["trigger-docs-update
+        *dispatch to
+        cryptomator/docs
+        stable only, Windows*"]
+    end
+```
+
+## Phase 1: Draft Release (`draft-release.yml`)
+
+**Trigger:** push of any tag (`*`)
+
+### Jobs
+
+| Job | Runs on | Description |
+|-----|---------|-------------|
+| **get-version** | ubuntu | Parses the tag into semver components (`semVerNum`, `semVerSuffix`, `revNum`, `versionType`). The release is aborted if not an alpha, beta, rc or 'stable' release. |
+| **create-release-draft** | ubuntu | Checks out the repo, verifies the tag is **signed** and lives on a `main` or `release/*` branch. Runs `mvn verify` (with `xvfb-run`). Creates a GitHub Release **draft** using the [release body template](../release-body.md.template). Downloads and GPG-signs the source tarball. |
+| **build-exe-and-msi** | windows | Calls [`win-exe.yml`](win-exe.yml). Builds the MSI and EXE bundle installer for x64 Windows. Code-signed via Azure Trusted Signing, GPG-signed, and uploaded to the draft release. Outputs SHA-256 checksums. |
+| **build-dmg-arm64** | macos-15 | Calls [`mac-dmg.yml`](mac-dmg.yml). Builds the DMG for Apple Silicon. Code-signed, notarized with Apple, GPG-signed, and uploaded. Outputs SHA-256 checksum. |
+| **build-dmg-x64** | macos-15-large | Calls [`mac-dmg-x64.yml`](mac-dmg-x64.yml). Same as above but for Intel Macs. Uses macFUSE instead of FUSE-T. |
+| **build-appimages** | ubuntu | Calls [`appimage.yml`](appimage.yml). Builds AppImages for x86_64 and aarch64 (matrix). GPG-signed and uploaded with `.zsync` delta-update files. Outputs SHA-256 checksums. |
+| **update-sha256sums** | ubuntu | Runs after all builds complete. Computes the source tarball checksum, collects all artifact checksums, and updates the draft release body via `envsubst`. Replaces the "builds still running" banner with a success notice. |
+
+### Release Artifacts
+
+After the draft phase, the GitHub Release contains:
+
+| Artifact | Platform |
+|----------|----------|
+| `cryptomator-<ver>.tar.gz.asc` | Source (GPG signature) |
+| `Cryptomator-<ver>-x64.msi` + `.asc` | Windows |
+| `Cryptomator-<ver>-x64.exe` + `.asc` | Windows |
+| `Cryptomator-<ver>-arm64.dmg` + `.asc` | macOS (Apple Silicon) |
+| `Cryptomator-<ver>-x64.dmg` + `.asc` | macOS (Intel) |
+| `cryptomator-<ver>-x86_64.AppImage` + `.zsync` + `.asc` | Linux (x86_64) |
+| `cryptomator-<ver>-aarch64.AppImage` + `.zsync` + `.asc` | Linux (aarch64) |
+
+All artifacts are signed with GPG key [`615D449FE6E6A235`](https://gist.github.com/cryptobot/211111cf092037490275f39d408f461a).
+
+## Manual Review Gate
+
+After the draft phase completes, a maintainer reviews the draft release on GitHub. This is the point to:
+
+- Verify all artifacts are present and checksums look correct.
+- Edit the auto-generated release notes (What's New, Bugfixes, Other Changes).
+- **Publish** the release when ready, which triggers phase 2.
+
+## Phase 2: Post-Publish (`post-publish.yml`)
+
+**Trigger:** `release: [published]`
+
+### Jobs
+
+| Job | Condition | Description |
+|-----|-----------|-------------|
+| **notify** | always | Sends Slack notifications to `#cryptomator-desktop`: ready to build `.deb` package, and reminder to update `latest-version.json` on S3. |
+| **get-asset-urls** | always | Extracts MSI and EXE download URLs from the release assets. |
+| **check-release** | always | Classifies the published release tag as `stable`, `alpha`, `beta`, `rc`, or `unknown`. Stable-only follow-up jobs depend on this output. Unlike `get-version.yml` workflow, this job does not perform semver validation. |
+| **allowlist-msi-x64** | Windows release | Calls [`av-whitelist.yml`](av-whitelist.yml). Uploads the MSI to Kaspersky and Avast for whitelisting. |
+| **allowlist-exe-x64** | Windows release | Same as above for the EXE. Runs sequentially after MSI. |
+| **notify-winget** | stable + Windows | Sends a Slack notification that the release is ready for [winget submission](winget.yml). |
+| **trigger-website-update** | stable | Dispatches `desktop-release` event to `cryptomator/cryptomator.github.io`. |
+| **trigger-docs-update** | stable + Windows | Dispatches `desktop-release` event to `cryptomator/docs`. |
+
+### Manual Follow-ups
+
+These steps are triggered by team members after Slack notifications:
+
+- **Debian package** -- Run the [`debian.yml`](debian.yml) workflow to build `.deb` and optionally upload to the PPA.
+- **winget** -- Run the [`winget.yml`](winget.yml) workflow to submit to the Windows Package Manager.
+- **latest-version.json** -- Update the version-check file on S3 (`static.cryptomator.org/desktop/latest-version.json`).
+
+## Signing & Security
+
+- **Git tag** must be SSH-signed and reside on `main` or `release/*`.
+- **Windows** installers are code-signed using Azure Trusted Signing.
+- **macOS** DMGs are code-signed with an Apple Developer certificate and notarized via `notarytool`.
+- **All artifacts** receive a detached GPG signature (`.asc`) using key `615D449FE6E6A235`.
+- **AV whitelisting** is submitted to Kaspersky and Avast after publish (Windows installers only).
+- The draft release is created using `CRYPTOBOT_RELEASE_TOKEN`, not `GITHUB_TOKEN`, to ensure proper permissions and trigger downstream workflows.
--- a/.github/workflows/appimage.yml
+++ b/.github/workflows/appimage.yml
@@ -1,13 +1,44 @@
 name: Build AppImage

 on:
-  release:
-    types: [published]
+  schedule:
+    - cron: '0 23 20 * *'
+  workflow_call:
+    inputs:
+      semVerNum:
+        type: string
+        description: 'The Major.Minor.Patch part of the version'
+        required: true
+      revisionNum:
+        type: string
+        description: 'The revision number'
+        required: true
+      semVerSuffix:
+        type: string
+        description: 'The suffix of the version, including dash'
+        required: true
+      upload-to-draft:
+        type: boolean
+        default: true
+    outputs:
+      sha256-appimage-x64:
+        description: "SHA256 sum of the x64 appimage"
+        value: ${{ jobs.collect-sha256sums.outputs.x64-sha256sum}}
+      sha256-appimage-aarch64:
+        description: "SHA256 sum of the aarch64 appimage"
+        value: ${{ jobs.collect-sha256sums.outputs.aarch64-sha256sum}}
  workflow_dispatch:
    inputs:
-      version:
-        description: 'Version'
+      semVerNum:
+        description: 'The Major.Minor.Patch part of the version'
        required: false
+      revisionNum:
+        description: 'The revision number'
+        required: false
+      semVerSuffix:
+        description: 'The suffix of the version, including dash'
+        required: false
+        default: '-SNAPSHOT'
  push:
    branches-ignore:
      - 'dependabot/**'
@@ -20,29 +51,29 @@ on:
 env:
  JAVA_DIST: 'temurin'
  JAVA_VERSION: '25.0.2+10.0.LTS'
+  VERSION_NUM: ${{ inputs.semVerNum || '99.99.99'}}
+  REVISION_NUM: ${{ inputs.revisionNum || '0' }}
+  VERSION_SUFFIX: ${{ inputs.semVerSuffix || ''}}
+

 jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version: ${{ inputs.version }} #okay if not defined
-
  build:
    name: Build AppImage
    runs-on: ${{ matrix.os }}
-    needs: [get-version]
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            appimage-suffix: x86_64
-            openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_linux-x64_bin-jmods.zip'
-            openjfx-sha: '96e520f48610d8ffb94ca30face1f11ffe8a977ddc1c4ff80b1a9e9f048bd94e'
+            arch: x86_64
+            openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-x64_bin-jmods.zip'
+            openjfx-sha: 'e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b'
+            appimagetool-sha: 'ed4ce84f0d9caff66f50bcca6ff6f35aae54ce8135408b3fa33abfc3cb384eb0'
          - os: ubuntu-24.04-arm
-            appimage-suffix: aarch64
-            openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_linux-aarch64_bin-jmods.zip'
-            openjfx-sha: '9ad4ca7b769ca4ee6419f1e99143dd6ff812f8be4fddb46a7d7cacbeea148af4'
+            arch: aarch64
+            openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-aarch64_bin-jmods.zip'
+            openjfx-sha: 'c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646'
+            appimagetool-sha: 'f0837e7448a0c1e4e650a93bb3e85802546e60654ef287576f46c71c126a9158'
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Java
@@ -55,7 +86,7 @@ jobs:
      - name: Download OpenJFX jmods
        id: download-jmods
        run: |
-          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
          echo "${{ matrix.openjfx-sha }}  openjfx-jmods.zip" | shasum -a256 --check
          mkdir -p openjfx-jmods
          unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
@@ -73,7 +104,7 @@ jobs:
            exit 1
          fi
      - name: Set version
-        run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
+        run : mvn versions:set -DnewVersion="${VERSION_NUM}${VERSION_SUFFIX}"
      - name: Run maven
        run: mvn -B clean package -Plinux -DskipTests
      - name: Patch target dir
@@ -94,13 +125,15 @@ jobs:
          ${JAVA_HOME}/bin/jlink
          --verbose
          --output runtime
-          --module-path "${{ steps.jep-493-check.outputs.jmod_paths }}"
+          --module-path "${JMOD_PATHS}"
          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler
          --strip-native-commands
          --no-header-files
          --no-man-pages
          --strip-debug
          --compress zip-0
+        env:
+          JMOD_PATHS: ${{ steps.jep-493-check.outputs.jmod_paths }}
      - name: Run jpackage
        run: >
          ${JAVA_HOME}/bin/jpackage
@@ -113,13 +146,13 @@ jobs:
          --dest appdir
          --name Cryptomator
          --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2025 Skymatic GmbH"
-          --app-version "${{  needs.get-version.outputs.semVerNum }}.${{  needs.get-version.outputs.revNum }}"
+          --copyright "(C) 2016 - 2026 Skymatic GmbH"
+          --app-version "${VERSION_NUM}.${REVISION_NUM}"
          --java-options "--enable-preview"
          --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator"
          --java-options "-Xss5m"
          --java-options "-Xmx256m"
-          --java-options "-Dcryptomator.appVersion=\"${{  needs.get-version.outputs.semVerStr }}\""
+          --java-options "-Dcryptomator.appVersion=\"${VERSION_NUM}${VERSION_SUFFIX}\""
          --java-options "-Dfile.encoding=\"utf-8\""
          --java-options "-Djava.net.useSystemProxies=true"
          --java-options "-Dcryptomator.adminConfigPath=\"/etc/cryptomator/config.properties\""
@@ -130,8 +163,9 @@ jobs:
          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/.local/share/Cryptomator/mnt\""
          --java-options "-Dcryptomator.showTrayIcon=true"
          --java-options "-Dcryptomator.integrationsLinux.trayIconsDir=\"@{appdir}/usr/share/icons/hicolor/symbolic/apps\""
-          --java-options "-Dcryptomator.buildNumber=\"appimage-${{  needs.get-version.outputs.revNum }}\""
+          --java-options "-Dcryptomator.buildNumber=\"appimage-${REVISION_NUM}\""
          --java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\""
+          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
          --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log"
          --resource-dir dist/linux/resources
      - name: Patch Cryptomator.AppDir
@@ -155,7 +189,8 @@ jobs:
          ln -s bin/cryptomator.sh Cryptomator.AppDir/AppRun
      - name: Download AppImageKit
        run: |
-          curl -L https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-${{ matrix.appimage-suffix }}.AppImage -o appimagetool.AppImage
+          curl --silent --fail-with-body --proto "=https" -L "https://github.com/AppImage/appimagetool/releases/download/1.9.1/appimagetool-${{ matrix.arch }}.AppImage" -o appimagetool.AppImage
+          echo "${{ matrix.appimagetool-sha }}  appimagetool.AppImage" | shasum -a256 --check
          chmod +x appimagetool.AppImage
          ./appimagetool.AppImage --appimage-extract
      - name: Prepare GPG-Agent for signing with key 615D449FE6E6A235
@@ -167,26 +202,27 @@ jobs:
          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
      - name: Build AppImage
        run: >
-          ./squashfs-root/AppRun Cryptomator.AppDir cryptomator-${{  needs.get-version.outputs.semVerStr }}-${{ matrix.appimage-suffix }}.AppImage
-          -u "gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-${{ matrix.appimage-suffix }}.AppImage.zsync"
+          ./squashfs-root/AppRun Cryptomator.AppDir cryptomator-${VERSION_NUM}${VERSION_SUFFIX}-${{ matrix.arch }}.AppImage
+          -u "gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-${{ matrix.arch }}.AppImage.zsync"
          --sign --sign-key=615D449FE6E6A235
      - name: Create detached GPG signatures
        run: |
          gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage
          gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage.zsync
      - name: Upload artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
-          name: appimage-${{ matrix.appimage-suffix }}
+          name: appimage-${{ matrix.arch }}
          path: |
            cryptomator-*.AppImage
            cryptomator-*.AppImage.zsync
            cryptomator-*.asc
          if-no-files-found: error
      - name: Publish AppImage on GitHub Releases
-        if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        if: inputs.upload-to-draft
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
+          draft: true
          fail_on_unmatched_files: true
          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
          files: |
@@ -194,67 +230,24 @@ jobs:
            cryptomator-*.zsync
            cryptomator-*.asc

-  create-aur-bin-pr:
-    name: Create PR for aur-bin repo
-    needs: [build, get-version]
+  collect-sha256sums:
+    name: Collect AppImage checksums
    runs-on: ubuntu-latest
-    if: github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable'
+    needs: [build]
+    if: inputs.upload-to-draft
+    outputs:
+      x64-sha256sum: ${{ steps.sha256sum.outputs.x64-sha256sum }}
+      aarch64-sha256sum: ${{ steps.sha256sum.outputs.aarch64-sha256sum }}
    steps:
-      - name: Download AppImages
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      - name: Download AppImage artifacts
+        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
        with:
-          path: downloads/
-          merge-multiple: true
-      - name: Compute sha256 hash of AppImages
-        id: checksums
+          pattern: appimage-*
+          path: appimage-artifacts
+      - name: Compute SHA256 sums
+        id: sha256sum
        run: |
-          X64_SHA256=$(sha256sum downloads/cryptomator-*-x86_64.AppImage | cut -d ' ' -f1)
-          echo "x64-sha256sum=${X64_SHA256}" >> "$GITHUB_OUTPUT"
-          AARCH64_SHA256=$(sha256sum downloads/cryptomator-*-aarch64.AppImage | cut -d ' ' -f1)
-          echo "aarch64-sha256sum=${AARCH64_SHA256}" >> "$GITHUB_OUTPUT"
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          repository: 'cryptomator/aur-bin'
-          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Install dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get -y install makepkg pacman-package-manager
-      - name: Checkout release branch
-        run: |
-          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
-      - name: Update build file
-        run: |
-          sed -i -e 's|^pkgver=.*$|pkgver=${{ needs.get-version.outputs.semVerStr }}|' PKGBUILD
-          sed -i -e 's|^pkgrel=.*$|pkgrel=1|' PKGBUILD
-          sed -i -e "s|^sha256sums_x86_64=.*$|sha256sums_x86_64=('${{ steps.checksums.outputs.x64-sha256sum }}'|" PKGBUILD
-          sed -i -e "s|^sha256sums_aarch64=.*$|sha256sums_aarch64=('${{ steps.checksums.outputs.aarch64-sha256sum}}'|" PKGBUILD
-          makepkg --printsrcinfo > .SRCINFO
-      - name: Commit and push
-        run: |
-          git config user.name "${{ github.actor }}"
-          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-          git config push.autoSetupRemote true
-          git stage .
-          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
-          git push
-      - name: Create pull request
-        id: create-pr
-        run: |
-          printf "> [!IMPORTANT]\n> Todos:\n> - [ ] Update build instructions\n> - [ ] Check for JDK update\n> - [ ] Check for JFX update" > pr_body.md
-          URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
-          echo "PR_URL=$URL" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Slack Notification
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: false
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "AUR-bin release PR for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
-          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.PR_URL }}|PR> on how to proceed."
-          SLACK_FOOTER: false
-          MSG_MINIMAL: true
+          read -ra X64_SUM < <(sha256sum appimage-artifacts/appimage-x86_64/cryptomator-*-x86_64.AppImage)
+          read -ra AARCH64_SUM < <(sha256sum appimage-artifacts/appimage-aarch64/cryptomator-*-aarch64.AppImage)
+          echo "x64-sha256sum=${X64_SUM[0]}" >> "$GITHUB_OUTPUT"
+          echo "aarch64-sha256sum=${AARCH64_SUM[0]}" >> "$GITHUB_OUTPUT"
--- a/.github/workflows/aur-bin.yml
+++ b/.github/workflows/aur-bin.yml
@@ -0,0 +1,115 @@
+name: PR for aur-bin repo
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      src-tag:
+        description: 'Source or Release tag'
+        required: false
+
+jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.src-tag }}
+
+  create-aur-bin-pr:
+    name: Create PR for aur-bin repo
+    if: (github.event_name == 'workflow_dispatch') || (github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable')
+    runs-on: ubuntu-latest
+    needs: [get-version]
+    container:
+      image: archlinux:base-devel
+    env:
+      SEMVER_STR: ${{ needs.get-version.outputs.semVerStr }}
+      PKGDEST: ${{ github.workspace }}/pkgdest
+      SRCDEST: ${{ github.workspace }}/srcdest
+    steps:
+      - name: Prepare pacman
+        run: |
+          pacman-key --init
+          pacman-key --populate archlinux
+          pacman -Syu --noconfirm --needed git base-devel sudo gnupg maven unzip github-cli curl pacman-contrib
+      - name: Checkout cryptomator/aur-bin
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: 'cryptomator/aur-bin'
+          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Create build user
+        run: |
+          useradd -m builder
+          echo 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/builder
+          chown -R builder:builder "$GITHUB_WORKSPACE"
+          install -d -m 0755 -o builder -g builder "$PKGDEST" "$SRCDEST"
+      - name: Import Cryptomator release signing key
+        # try first ubuntu. on failure try openpgp keyservers
+        run: >
+          sudo -u builder gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
+          || sudo -u builder gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
+      - name: Checkout release branch
+        run: |
+          git config --global safe.directory '*'
+          git checkout -b "release/${SEMVER_STR}"
+      - name: Determine pkgrel
+        id: pkgrel
+        run: |
+          CURRENT_VERSION="$(sed -nE 's/^pkgver=(.*)$/\1/p' PKGBUILD | head -n1)"
+          CURRENT_REL="$(sed -nE 's/^pkgrel=([0-9]+).*$/\1/p' PKGBUILD | head -n1)"
+
+          if [[ "$CURRENT_VERSION" == "$TARGET_VERSION" && "$CURRENT_REL" =~ ^[0-9]+$ ]]; then
+            NEXT_REL=$((CURRENT_REL + 1))
+          else
+            NEXT_REL=1
+          fi
+
+          echo "value=${NEXT_REL}" >> "$GITHUB_OUTPUT"
+          echo "dist-version=${TARGET_VERSION}-${NEXT_REL}" >> "$GITHUB_OUTPUT"
+        env:
+          TARGET_VERSION: ${{ needs.get-version.outputs.semVerStr }}
+      - name: Update build file
+        run: |
+          sed -i -e "s|^pkgver=.*$|pkgver=${PKG_VERSION}|" PKGBUILD
+          sed -i -e "s|^pkgrel=.*$|pkgrel=${PKG_RELEASE}|" PKGBUILD
+          sudo -u builder updpkgsums
+          sudo -u builder makepkg --printsrcinfo > .SRCINFO
+        env:
+          PKG_VERSION: ${{ needs.get-version.outputs.semVerNum }}
+          PKG_RELEASE: ${{ steps.pkgrel.outputs.value }}
+      - name: Build package with makepkg
+        run: >
+          sudo -u builder
+          env PKGDEST="$PKGDEST" SRCDEST="$SRCDEST"
+          makepkg --syncdeps --cleanbuild --noconfirm --log
+      - name: Commit and push
+        run: |
+          git config user.name "cryptobot"
+          git config user.email "cryptobot@users.noreply.github.com"
+          git config push.autoSetupRemote true
+          git stage PKGBUILD .SRCINFO
+          git commit -m "Prepare release ${DIST_VERSION}"
+          git push
+        env:
+          DIST_VERSION: ${{ steps.pkgrel.outputs.dist-version }}
+      - name: Create pull request
+        id: create-pr
+        run: |
+          printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md
+          PR_URL=$(gh pr create --title "Release ${DIST_VERSION}" --body-file pr_body.md)
+          echo "url=$PR_URL" >> "$GITHUB_OUTPUT"
+        env:
+          DIST_VERSION: ${{ steps.pkgrel.outputs.dist-version }}
+          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: ''
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "AUR-bin release PR for ${{ github.event.repository.name }} ${{ needs.get-version.outputs.semVerStr }} created."
+          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.url }}|PR> on how to proceed."
+          SLACK_FOOTER: ''
+          MSG_MINIMAL: true
--- a/.github/workflows/aur.yml
+++ b/.github/workflows/aur.yml
@@ -1,95 +0,0 @@
-name: Create PR for AUR
-
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Release tag'
-        required: true
-
-jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version: ${{ inputs.tag }}
-  tarball:
-    name: Determines tarball url and compute checksum
-    runs-on: ubuntu-latest
-    needs: [get-version]
-    if:  github.event_name == 'workflow_dispatch' || needs.get-version.outputs.versionType == 'stable'
-    env:
-      INPUT_TAG: ${{ inputs.tag }}
-    outputs:
-      url: ${{ steps.url.outputs.url}}
-      sha256: ${{ steps.sha256.outputs.sha256}}
-    steps:
-      - name: Determine tarball url
-        id: url
-        run: |
-          URL="";
-          if [[ -n "${INPUT_TAG}"  ]]; then
-            URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${INPUT_TAG}.tar.gz"
-          else
-            URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz"
-          fi
-          echo "url=${URL}" >> "$GITHUB_OUTPUT"
-      - name: Download source tarball and compute checksum
-        id: sha256
-        run: |
-          curl --silent --fail-with-body -L -H "Accept: application/vnd.github+json" ${{ steps.url.outputs.url }} --output cryptomator.tar.gz
-          TARBALL_SHA256=$(sha256sum cryptomator.tar.gz | cut -d ' ' -f1)
-          echo "sha256=${TARBALL_SHA256}" >> "$GITHUB_OUTPUT"
-  aur:
-    name: Create PR for AUR
-    runs-on: ubuntu-latest
-    needs: [tarball, get-version]
-    env:
-      AUR_PR_URL: tbd
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          repository: 'cryptomator/aur'
-          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Install dependencies
-        run: |
-          sudo apt-get update
-          sudo apt-get install makepkg pacman-package-manager
-      - name: Checkout release branch
-        run: |
-          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
-      - name: Update build file
-        run: |
-          sed -i -e 's|^pkgver=.*$|pkgver=${{ needs.get-version.outputs.semVerStr }}|' PKGBUILD
-          sed -i -e 's|^pkgrel=.*$|pkgrel=1|' PKGBUILD
-          sed -i -e "s|^sha256sums=.*$|sha256sums=('${{ needs.tarball.outputs.sha256 }}'|" PKGBUILD
-          makepkg --printsrcinfo > .SRCINFO
-      - name: Commit and push
-        run: |
-          git config user.name "${{ github.actor }}"
-          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-          git config push.autoSetupRemote true
-          git stage .
-          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
-          git push
-      - name: Create pull request
-        run: |
-          printf "> [!IMPORTANT]\n> Todos:\n> - [ ] Update build instructions\n> - [ ] Check for JDK update\n> - [ ] Check for JFX update" > pr_body.md
-          PR_URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
-          echo "AUR_PR_URL=$PR_URL" >> "$GITHUB_ENV"
-        env:
-          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Slack Notification
-        if: github.event_name == 'release'
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: false
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "AUR release PR created for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
-          SLACK_MESSAGE: "See <${{ env.AUR_PR_URL }}|PR> on how to proceed."
-          SLACK_FOOTER: false
-          MSG_MINIMAL: true
--- a/.github/workflows/av-whitelist.yml
+++ b/.github/workflows/av-whitelist.yml
@@ -37,7 +37,7 @@ on:
 jobs:
  download-file:
    name: Downloads the file into the VM
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    outputs:
      fileName: ${{ steps.extractName.outputs.fileName}}
    env:
@@ -49,21 +49,21 @@ jobs:
          url="${INPUT_URL}"
          echo "fileName=${url##*/}" >> $GITHUB_OUTPUT
      - name: Download file
-        run: curl "${INPUT_URL}" -L -o "${{steps.extractName.outputs.fileName}}" --fail-with-body
+        run: curl --silent --fail-with-body --proto "=https" -L "${INPUT_URL}" -o "${{steps.extractName.outputs.fileName}}"
      - name: Upload artifact
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: ${{ steps.extractName.outputs.fileName }}
          path: ${{ steps.extractName.outputs.fileName }}
          if-no-files-found: error
  allowlist-kaspersky:
    name: Anti Virus Allowlisting Kaspersky
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    needs: download-file
    if: inputs.kaspersky
    steps:
      - name: Download artifact
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: ${{ needs.download-file.outputs.fileName }}
          path: upload
@@ -78,12 +78,12 @@ jobs:
          local-dir: ./upload/
  allowlist-avast:
    name: Anti Virus Allowlisting Avast
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    needs: download-file
    if: inputs.avast
    steps:
      - name: Download artifact
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: ${{ needs.download-file.outputs.fileName }}
          path: upload
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -29,7 +29,7 @@ jobs:
          java-version: ${{ env.JAVA_VERSION }}
          cache: 'maven'
      - name: Cache SonarCloud packages
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
@@ -47,40 +47,3 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - name: Draft a release
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
-        with:
-          draft: true
-          discussion_category_name: releases
-          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
-          generate_release_notes: true
-          body: |-
-            > [!NOTE]
-            > 🚧 Work in Progress 🚧
-            >
-            > Please be patient, the [builds are still running](https://github.com/cryptomator/cryptomator/actions). Binary packages can be found here in a few moments.   
-            
-            <!--REPLACE with auto-generated release notes (see below)
-            ### What's New 🎉
-            ### Bugfixes 🐛
-            ### Other Changes 📎
-            END REPLACE-->
-            
-            Feel free to also read our [CHANGELOG.md](https://github.com/cryptomator/cryptomator/blob/develop/CHANGELOG.md).
-            
-            ---
-            
-            
-            <!-- Don't forget to include the
-            💾 SHA-256 checksums of release artifacts:
-            ```
-            ```
-            -->
-            
-            > [!TIP]
-            > You can verify the GPG signature of all assets using our public key: [`5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235`](https://gist.github.com/cryptobot/211111cf092037490275f39d408f461a).
-            
-            
-            
-            <!-- Auto-Generated Release Notes: -->
--- a/.github/workflows/check-jdk-updates.yml
+++ b/.github/workflows/check-jdk-updates.yml
@@ -74,10 +74,10 @@ jobs:
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: false
+          SLACK_ICON: ''
          SLACK_ICON_EMOJI: ':bot:'
          SLACK_CHANNEL: 'cryptomator-desktop'
          SLACK_TITLE: "JDK update available"
          SLACK_MESSAGE: "Cryptomator-CI JDK can be upgraded to ${{ steps.determine.outputs.LATEST_JDK_VERSION }}. Check the Nextcloud collective for instructions."
-          SLACK_FOOTER: false
+          SLACK_FOOTER: ''
          MSG_MINIMAL: true
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
@@ -1,6 +1,8 @@
 name: Build Debian Package

 on:
+  schedule:
+    - cron: '0 22 20 * *'
  workflow_dispatch:
    inputs:
      semver:
@@ -25,10 +27,10 @@ env:
  JAVA_DIST: 'temurin'
  JAVA_VERSION: '25.0.2+10.0.LTS'
  DEB_BUILD_DEPENDS: 'debhelper (>=10), openjdk-25-jdk (>= 25+36), libgtk-3-0 (>= 3.20.0), libxxf86vm1, libgl1'
-  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_linux-x64_bin-jmods.zip'
-  OPENJFX_JMODS_AMD64_HASH: '96e520f48610d8ffb94ca30face1f11ffe8a977ddc1c4ff80b1a9e9f048bd94e'
-  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_linux-aarch64_bin-jmods.zip'
-  OPENJFX_JMODS_AARCH64_HASH: '9ad4ca7b769ca4ee6419f1e99143dd6ff812f8be4fddb46a7d7cacbeea148af4'
+  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-x64_bin-jmods.zip'
+  OPENJFX_JMODS_AMD64_HASH: 'e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b'
+  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-aarch64_bin-jmods.zip'
+  OPENJFX_JMODS_AARCH64_HASH: 'c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646'

 jobs:
  get-version:
@@ -71,11 +73,11 @@ jobs:
      - name: Download OpenJFX jmods
        id: download-jmods
        run: |
-          curl -L ${{ env.OPENJFX_JMODS_AMD64 }} -o openjfx-amd64.zip
+          curl --silent --fail-with-body --proto "=https" -L ${{ env.OPENJFX_JMODS_AMD64 }} -o openjfx-amd64.zip
          echo "${{ env.OPENJFX_JMODS_AMD64_HASH }}  openjfx-amd64.zip" | shasum -a256 --check
          mkdir -p jmods/amd64
          unzip -j openjfx-amd64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/amd64
-          curl -L ${{ env.OPENJFX_JMODS_AARCH64 }} -o openjfx-aarch64.zip
+          curl --silent --fail-with-body --proto "=https" -L ${{ env.OPENJFX_JMODS_AARCH64 }} -o openjfx-aarch64.zip
          echo "${{ env.OPENJFX_JMODS_AARCH64_HASH }}  openjfx-aarch64.zip" | shasum -a256 --check
          mkdir -p jmods/aarch64
          unzip -j openjfx-aarch64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/aarch64
@@ -143,7 +145,7 @@ jobs:
        run: |
          gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator_*_amd64.deb
      - name: Upload artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: linux-deb-package
          path: |
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -0,0 +1,157 @@
+name: Draft a Cryptomator Release
+
+on:
+  push:
+    tags:
+        - '*'
+
+env:
+  JAVA_DIST: 'temurin'
+  JAVA_VERSION: '25.0.2+10.0.LTS'
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version:  ''
+
+  create-release-draft:
+    name: Compile and Test
+    runs-on: ubuntu-latest
+    needs: get-version
+    if: needs.get-version.outputs.versionType != 'unknown'
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+      - name: Check the git tag is signed
+        run: git cat-file -p "${GITHUB_REF_NAME}" | grep "BEGIN SSH SIGNATURE"
+      - name: Check the git tag is on release or main branch
+        run: git branch -r --contains "${GITHUB_REF_NAME}" | grep -E '^\s*origin/(main|release/.*)\s*$'
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        with:
+          distribution: ${{ env.JAVA_DIST }}
+          java-version: ${{ env.JAVA_VERSION }}
+          cache: 'maven'
+      - name: Build and Test
+        run: xvfb-run mvn -B verify -Plinux
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+      - name: Draft a release
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        with:
+          draft: true
+          discussion_category_name: releases
+          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          generate_release_notes: true
+          body_path: .github/release-body.md.template
+      - name: Download source tarball
+        run: |
+          curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" https://github.com/cryptomator/cryptomator/archive/${{ github.ref }}.tar.gz --output cryptomator-${{ github.ref_name }}.tar.gz
+      - name: Sign source tarball with key 615D449FE6E6A235
+        run: |
+          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
+          echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.tar.gz
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+      - name: Publish asc on GitHub Releases
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        with:
+          draft: true
+          fail_on_unmatched_files: true
+          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          files: |
+            cryptomator-*.tar.gz.asc
+
+  build-exe-and-msi:
+    needs: [get-version, create-release-draft]
+    uses: ./.github/workflows/win-exe.yml
+    with:
+      semVerNum: ${{needs.get-version.outputs.semVerNum}}
+      revisionNum: ${{needs.get-version.outputs.revNum}}
+      semVerSuffix: ${{needs.get-version.outputs.semVerSuffix}}
+    secrets: inherit
+
+  build-dmg-arm64:
+    needs: [get-version, create-release-draft]
+    uses: ./.github/workflows/mac-dmg.yml
+    with:
+      semVerNum: ${{needs.get-version.outputs.semVerNum}}
+      revisionNum: ${{needs.get-version.outputs.revNum}}
+      semVerSuffix: ${{needs.get-version.outputs.semVerSuffix}}
+    secrets: inherit
+
+  build-dmg-x64:
+    needs: [get-version, create-release-draft]
+    uses: ./.github/workflows/mac-dmg-x64.yml
+    with:
+      semVerNum: ${{needs.get-version.outputs.semVerNum}}
+      revisionNum: ${{needs.get-version.outputs.revNum}}
+      semVerSuffix: ${{needs.get-version.outputs.semVerSuffix}}
+    secrets: inherit
+
+  build-appimages:
+    needs: [get-version, create-release-draft]
+    uses: ./.github/workflows/appimage.yml
+    with:
+      semVerNum: ${{needs.get-version.outputs.semVerNum}}
+      revisionNum: ${{needs.get-version.outputs.revNum}}
+      semVerSuffix: ${{needs.get-version.outputs.semVerSuffix}}
+    secrets: inherit
+
+  update-sha256sums:
+    runs-on: ubuntu-latest
+    needs: [get-version, build-exe-and-msi, build-dmg-arm64, build-dmg-x64, build-appimages]
+    env:
+      TAG: ${{ github.ref_name }}
+      SEMVER: ${{ needs.get-version.outputs.semVerStr }}
+      GH_TOKEN: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Compute source tarball SHA256
+        id: src-sha256
+        run: |
+          curl --silent --fail-with-body --proto "=https" -L \
+            -H "Accept: application/vnd.github+json" \
+            "https://github.com/cryptomator/cryptomator/archive/refs/tags/${TAG}.tar.gz" \
+            --output "cryptomator-${SEMVER}.tar.gz"
+          read -ra CMD_OUTPUT < <(sha256sum "cryptomator-${SEMVER}.tar.gz")
+          echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT
+      - name: Update release body with checksums
+        run: |
+          CURRENT_BODY=$(gh release view "${TAG}" --json body --jq .body)
+          RELEASE_BODY=$(printf '%s\n' "${CURRENT_BODY}" | sed '/<!-- HEADER -->/,/<!-- \/HEADER -->/c\
+          <!-- HEADER -->\
+          > [!NOTE]\
+          > Release artifacts finished building successfully.\
+          >\
+          > SHA-256 checksums have been updated below.\
+          <!-- /HEADER -->')
+
+          export TARBALL="${SRC_SHA}  cryptomator-${SEMVER}.tar.gz"
+          export MSI="${MSI_SHA}  Cryptomator-${SEMVER}-x64.msi"
+          export EXE="${EXE_SHA}  Cryptomator-${SEMVER}-x64.exe"
+          export DMG_arm64="${DMG_ARM64_SHA}  Cryptomator-${SEMVER}-arm64.dmg"
+          export DMG_x64="${DMG_X64_SHA}  Cryptomator-${SEMVER}-x64.dmg"
+          export APPIMAGE_x86_64="${APPIMAGE_X64_SHA}  cryptomator-${SEMVER}-x86_64.AppImage"
+          export APPIMAGE_aarch64="${APPIMAGE_AARCH64_SHA}  cryptomator-${SEMVER}-aarch64.AppImage"
+
+          envsubst '$VERSION $TARBALL $EXE $MSI $DMG_x64 $DMG_arm64 $APPIMAGE_x86_64 $APPIMAGE_aarch64' \
+            <<< "${RELEASE_BODY}" \
+            > release-body.md
+
+          gh release edit "${TAG}" --draft --notes-file release-body.md
+        env:
+          VERSION: ${{ needs.get-version.outputs.semVerStr }}
+          SRC_SHA: ${{ steps.src-sha256.outputs.value }}
+          MSI_SHA: ${{ needs.build-exe-and-msi.outputs.sha256-msi }}
+          EXE_SHA: ${{ needs.build-exe-and-msi.outputs.sha256-exe }}
+          DMG_ARM64_SHA: ${{ needs.build-dmg-arm64.outputs.sha256-dmg }}
+          DMG_X64_SHA: ${{ needs.build-dmg-x64.outputs.sha256-dmg }}
+          APPIMAGE_X64_SHA: ${{ needs.build-appimages.outputs.sha256-appimage-x64 }}
+          APPIMAGE_AARCH64_SHA: ${{ needs.build-appimages.outputs.sha256-appimage-aarch64 }}
--- a/.github/workflows/flathub.yml
+++ b/.github/workflows/flathub.yml
@@ -1,85 +0,0 @@
-name: Create PR for flathub
-
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Release tag'
-        required: true
-
-jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version: ${{ inputs.tag }}
-  tarball:
-    name: Determines tarball url and compute checksum
-    runs-on: ubuntu-latest
-    needs: [get-version]
-    if:  github.event_name == 'workflow_dispatch' || needs.get-version.outputs.versionType == 'stable'
-    outputs:
-      url: ${{ steps.url.outputs.url}}
-      sha512: ${{ steps.sha512.outputs.sha512}}
-    steps:
-      - name: Determine tarball url
-        id: url
-        run: |
-          URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${TAG}.tar.gz"
-          echo "url=${URL}" >> "$GITHUB_OUTPUT"
-        env:
-          TAG: ${{ inputs.tag || github.event.release.tag_name}}
-      - name: Download source tarball and compute checksum
-        id: sha512
-        run: |
-          curl --silent --fail-with-body -L -H "Accept: application/vnd.github+json" ${{ steps.url.outputs.url }} --output cryptomator.tar.gz
-          TARBALL_SHA512=$(sha512sum cryptomator.tar.gz | cut -d ' ' -f1)
-          echo "sha512=${TARBALL_SHA512}" >> "$GITHUB_OUTPUT"
-  flathub:
-    name: Create PR for flathub
-    runs-on: ubuntu-latest
-    needs: [tarball, get-version]
-    env:
-      FLATHUB_PR_URL: tbd
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          repository: 'flathub/org.cryptomator.Cryptomator'
-          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Checkout release branch
-        run: |
-          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
-      - name: Update build file
-        run: |
-          sed -i -e 's/VERSION: [0-9]\+\.[0-9]\+\.[0-9]\+.*/VERSION: ${{ needs.get-version.outputs.semVerStr }}/g' org.cryptomator.Cryptomator.yaml
-          sed -i -e 's/sha512: [0-9A-Za-z_\+-]\{128\} #CRYPTOMATOR/sha512: ${{ needs.tarball.outputs.sha512 }} #CRYPTOMATOR/g' org.cryptomator.Cryptomator.yaml
-          sed -i -e 's;url: https://github.com/cryptomator/cryptomator/archive/refs/tags/[^[:blank:]]\+;url: ${{ needs.tarball.outputs.url }};g' org.cryptomator.Cryptomator.yaml
-      - name: Commit and push
-        run: |
-          git config user.name "${{ github.actor }}"
-          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
-          git config push.autoSetupRemote true
-          git stage .
-          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
-          git push
-      - name: Create pull request
-        run: |
-          printf "> [!IMPORTANT]\n> Todos:\n> - [ ] Update maven dependencies\n> - [ ] Check for JDK update\n> - [ ] Check for JFX update" > pr_body.md
-          PR_URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
-          echo "FLATHUB_PR_URL=$PR_URL" >> "$GITHUB_ENV"
-        env:
-          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Slack Notification
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
-        if: github.event_name == 'release'
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: false
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "Flathub release PR created for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
-          SLACK_MESSAGE: "See <${{ env.FLATHUB_PR_URL }}|PR> on how to proceed.>."
-          SLACK_FOOTER: false
-          MSG_MINIMAL: true
--- a/.github/workflows/get-version.yml
+++ b/.github/workflows/get-version.yml
@@ -14,6 +14,9 @@ on:
      semVerNum:
        description: "The numerical part of the version string"
        value: ${{ jobs.determine-version.outputs.semVerNum}}
+      semVerSuffix:
+        description: "The suffix of the version string"
+        value: ${{ jobs.determine-version.outputs.semVerSuffix}}
      revNum:
        description: "The revision number"
        value: ${{ jobs.determine-version.outputs.revNum}}
@@ -32,6 +35,7 @@ jobs:
    outputs:
      semVerNum: ${{ steps.versions.outputs.semVerNum }}
      semVerStr: ${{ steps.versions.outputs.semVerStr }}
+      semVerSuffix: ${{ steps.versions.outputs.semVerSuffix }}
      revNum: ${{ steps.versions.outputs.revNum }}
      type: ${{ steps.versions.outputs.type}}
    steps:
@@ -54,25 +58,30 @@ jobs:
          else
            SEM_VER_STR=`mvn help:evaluate -Dexpression=project.version -q -DforceStdout`
          fi
-          SEM_VER_NUM=`echo ${SEM_VER_STR} | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/'`
+
+          SEM_VER_NUM=$(echo ${SEM_VER_STR} | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
+          SEM_VER_SUFFIX="${SEM_VER_STR#"$SEM_VER_NUM"}"
          REVCOUNT=`git rev-list --count HEAD`
+
          TYPE="unknown"
-          if [[ $SEM_VER_STR =~ [0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          if [[ -z $SEM_VER_SUFFIX  ]]; then
            TYPE="stable"
-          elif [[ $SEM_VER_STR =~ [0-9]+\.[0-9]+\.[0-9]+-alpha[1-9]+$ ]]; then
+          elif [[ $SEM_VER_SUFFIX =~ -alpha[1-9]+$ ]]; then
            TYPE="alpha"
-          elif [[ $SEM_VER_STR =~ [0-9]+\.[0-9]+\.[0-9]+-beta[1-9]+$ ]]; then
+          elif [[ $SEM_VER_SUFFIX =~ -beta[1-9]+$ ]]; then
            TYPE="beta"
-          elif [[ $SEM_VER_STR =~ [0-9]+\.[0-9]+\.[0-9]+-rc[1-9]$ ]]; then
+          elif [[ $SEM_VER_SUFFIX =~ -rc[1-9]+$ ]]; then
            TYPE="rc"
          fi
+
          echo "semVerStr=${SEM_VER_STR}" >> $GITHUB_OUTPUT
          echo "semVerNum=${SEM_VER_NUM}" >> $GITHUB_OUTPUT
+          echo "semVerSuffix=${SEM_VER_SUFFIX}" >> $GITHUB_OUTPUT
          echo "revNum=${REVCOUNT}" >> $GITHUB_OUTPUT
          echo "type=${TYPE}" >> $GITHUB_OUTPUT
        env:
          VERSION_STRING: ${{ inputs.version }}
      - name: Validate Version
-        uses: skymatic/semver-validation-action@7a6ae1c9e121540d11c9c7e4e667c83d583aa153 # v3.0.0
+        uses: skymatic/semver-validation-action@7c80b6b03a18b42884761daa9862ff5683ec8c8a # v4.0.0
        with:
          version: ${{ steps.versions.outputs.semVerStr }}
--- a/.github/workflows/linux-flatpak.yml
+++ b/.github/workflows/linux-flatpak.yml
@@ -0,0 +1,264 @@
+name: Build flatpak
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      src-tag:
+        description: 'Source or Release tag'
+        required: false
+      create-pr:
+        description: 'Create Flathub PR'
+        required: false
+        type: boolean
+        default: false
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - '.github/workflows/get-version.yml'
+      - '.github/workflows/linux-flatpak.yml'
+      - 'dist/linux/flatpak/**'
+      - 'dist/linux/common/**'
+      - 'dist/linux/resources/**'
+
+jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.src-tag }}
+
+  build-flatpak:
+    name: "Build flatpak"
+    needs: [get-version]
+    container:
+      image: ghcr.io/flathub-infra/flatpak-github-actions:freedesktop-25.08
+      options: --privileged
+    strategy:
+      fail-fast: false
+      matrix:
+        variant:
+          - arch: x86_64
+            runner: ubuntu-24.04
+          - arch: aarch64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.variant.runner }}
+    permissions:
+      contents: read
+    env:
+      SRC_GIT_SHA: ${{ inputs.src-tag || github.sha}}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: flathub/org.cryptomator.Cryptomator
+          submodules: true
+      - name: Checkout build script
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: build-scripts
+      - name: Checkout app source
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: cryptomator
+          ref: ${{ env.SRC_GIT_SHA }}
+          fetch-depth: 0
+      - name: Prepare build files
+        # using envsubst instead of yq to keep linebreaks
+        run: |
+          cp -r -f build-scripts/dist/linux/flatpak/* .
+          envsubst '$FLATPAK_VERSION $FLATPAK_REVISION $CRYPTOMATOR_SOURCE' < org.cryptomator.Cryptomator.TEMPLATE.yaml > org.cryptomator.Cryptomator.yaml
+        env:
+          FLATPAK_VERSION: ${{ needs.get-version.outputs.semVerNum }}
+          FLATPAK_REVISION: 1
+          CRYPTOMATOR_SOURCE: |-
+            type: git
+                    path: cryptomator
+                    commit: ${{ env.SRC_GIT_SHA }}
+      - name: Copy build script for upload
+        run: cp org.cryptomator.Cryptomator.yaml org.cryptomator.Cryptomator.${{matrix.variant.arch}}.yaml
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          archive: false
+          if-no-files-found: error
+          path: |
+            org.cryptomator.Cryptomator.${{matrix.variant.arch}}.yaml
+      - uses: flatpak/flatpak-github-actions/flatpak-builder@401fe28a8384095fc1531b9d320b292f0ee45adb # SNAPSHOT due to using keep-build-dirs
+        with:
+          bundle: cryptomator.flatpak
+          manifest-path: org.cryptomator.Cryptomator.yaml
+          cache-key: flatpak-builder-${{ env.SRC_GIT_SHA }}
+          arch: ${{ matrix.variant.arch }}
+          keep-build-dirs: true
+      - name: Collect maven dependencies
+        working-directory: .flatpak-builder/build/cryptomator-1/.m2/repository/
+        run: |
+          find * -type f \( -iname '*.jar' -o -iname '*.pom' \) | sort -V > /tmp/maven-dependency-files.txt
+          grep -v '^org/openjfx/javafx-' /tmp/maven-dependency-files.txt > maven-dependency-files-common.txt
+          grep '^org/openjfx/javafx-' /tmp/maven-dependency-files.txt > maven-dependency-files-javafx.txt
+      - name: Update arch independent maven dependencies
+        run: |
+          (
+            cd .flatpak-builder/build/cryptomator-1/.m2/repository/
+
+            while IFS= read -r dependencyPath; do
+              dependencyName=$(dirname "$dependencyPath")
+              dependencySha=$(sha256sum "$dependencyPath" | cut -c 1-64)
+              cat <<EOF
+          - type: file
+            dest: .m2/repository/${dependencyName}
+            url: https://repo.maven.apache.org/maven2/${dependencyPath}
+            sha256: ${dependencySha}
+          EOF
+            done < maven-dependency-files-common.txt
+          ) > maven-dependencies.yaml
+      - name: Update arch specific maven dependencies
+        run: |
+          (
+            cd .flatpak-builder/build/cryptomator-1/.m2/repository/
+
+            while IFS= read -r dependencyPath; do
+              dependencyName=$(dirname "$dependencyPath")
+              dependencySha=$(sha256sum "$dependencyPath" | cut -c 1-64)
+              cat <<EOF
+          - type: file
+            dest: .m2/repository/${dependencyName}
+            url: https://repo.maven.apache.org/maven2/${dependencyPath}
+            sha256: ${dependencySha}
+            only-arches: [${{ matrix.variant.arch }}]
+          EOF
+            done < maven-dependency-files-javafx.txt
+          ) > javafx-maven-dependencies-${{ matrix.variant.arch }}.yaml
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: maven-sources-${{ matrix.variant.arch }}
+          if-no-files-found: error
+          path: |
+            maven-dependencies.yaml
+            javafx-maven-dependencies-${{ matrix.variant.arch }}.yaml
+
+  verify-maven-sources:
+    name: Verify maven sources
+    runs-on: ubuntu-latest
+    needs: [build-flatpak]
+    permissions:
+      contents: none
+    steps:
+      - name: Download updated maven aarch64 dependencies
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: maven-sources-aarch64
+          path: mvn-src-aarch64
+      - name: Download updated maven x86_64 dependencies
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: maven-sources-x86_64
+          path: mvn-src-x64
+      - name: Verify arch independent maven dependencies
+        run: cmp --silent mvn-src-aarch64/maven-dependencies.yaml mvn-src-x64/maven-dependencies.yaml
+
+  create-pr:
+    name: Create PR for flathub
+    runs-on: ubuntu-latest
+    needs: [get-version, verify-maven-sources]
+    if: (github.event_name == 'workflow_dispatch' && inputs.create-pr ) || (github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable')
+    permissions:
+      contents: write
+    env:
+      TARBALL_URL: 'https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name || inputs.src-tag }}.tar.gz'
+    steps:
+      - name: Check that input "src-tag" is actually a tag
+        if: github.event_name == 'workflow_dispatch'
+        run: |
+          if [ -z "$SRC_TAG" ]; then
+            echo '::error::Input "src-tag" must be set to create a Flathub PR'
+            exit 1
+          fi
+        env:
+          SRC_TAG: ${{ inputs.src-tag }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: flathub/org.cryptomator.Cryptomator
+          submodules: true #TODO: Update submodule!
+          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Checkout release branch
+        run: |
+          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: cryptomator
+      - name: Download source tarball and compute checksum
+        id: sha512
+        run: |
+          curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" ${TARBALL_URL} --output cryptomator.tar.gz
+          TARBALL_SHA512=$(sha512sum cryptomator.tar.gz | cut -d ' ' -f1)
+          echo "value=${TARBALL_SHA512}" >> "$GITHUB_OUTPUT"
+      - name: Download updated maven aarch64 dependencies
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: maven-sources-aarch64
+          path: mvn-src-aarch64
+      - name: Download updated maven x86_64 dependencies
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: maven-sources-x86_64
+          path: mvn-src-x64
+      - name: Determine revision
+        id: revision
+        run: |
+          CURRENT_VERSION="$(yq '(.modules[] | select(.name == "cryptomator") | .build-options.env.VERSION)' org.cryptomator.Cryptomator.yaml)"
+          CURRENT_REVISION="$(yq '(.modules[] | select(.name == "cryptomator") | .build-options.env.REVISION_NO)' org.cryptomator.Cryptomator.yaml)"
+
+          if [[ "$CURRENT_VERSION" == "$TARGET_VERSION" && "$CURRENT_REVISION" =~ ^[0-9]+$ ]]; then
+            NEXT_REVISION=$((CURRENT_REVISION + 1))
+          else
+            NEXT_REVISION=1
+          fi
+
+          echo "value=${NEXT_REVISION}" >> "$GITHUB_OUTPUT"
+        env:
+          TARGET_VERSION: ${{ needs.get-version.outputs.semVerStr }}
+      - name: Update build files
+        run: |
+          cp -r -f cryptomator/dist/linux/flatpak/* .
+          cp -r -f mvn-src-x64/* .
+          cp -r -f mvn-src-aarch64/* .
+          envsubst '$FLATPAK_VERSION $FLATPAK_REVISION $CRYPTOMATOR_SOURCE' < org.cryptomator.Cryptomator.TEMPLATE.yaml > org.cryptomator.Cryptomator.yaml
+          yq -i 'del(.modules[] | select(.name == "cryptomator") | .build-options.build-args)' org.cryptomator.Cryptomator.yaml
+          yq -i '(.modules[] | select(.name == "cryptomator") | .sources) += ["maven-dependencies.yaml", "javafx-maven-dependencies-x86_64.yaml", "javafx-maven-dependencies-aarch64.yaml"]' org.cryptomator.Cryptomator.yaml
+        env:
+          FLATPAK_VERSION: ${{ needs.get-version.outputs.semVerNum }}
+          FLATPAK_REVISION: ${{ steps.revision.outputs.value}}
+          CRYPTOMATOR_SOURCE: |-
+            type: archive
+                    sha512: ${{steps.sha512.outputs.value}}
+                    url: ${{ env.TARBALL_URL }}
+      - name: Commit and push
+        run: |
+          git config user.name "cryptobot"
+          git config user.email "cryptobot@users.noreply.github.com"
+          git config push.autoSetupRemote true
+          git stage org.cryptomator.Cryptomator.yaml maven-dependencies.yaml javafx-maven-dependencies-aarch64.yaml javafx-maven-dependencies-x86_64.yaml
+          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
+          git push
+      - name: Create pull request
+        id: create-pr
+        run: |
+          printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md
+          PR_URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
+          echo "FLATHUB_PR_URL=$PR_URL" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        if: github.event_name == 'release'
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: ''
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "Flathub release PR created for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
+          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.FLATHUB_PR_URL }}|PR> on how to proceed."
+          SLACK_FOOTER: ''
+          MSG_MINIMAL: true
--- a/.github/workflows/linux-makepkg.yml
+++ b/.github/workflows/linux-makepkg.yml
@@ -0,0 +1,201 @@
+name: Build Arch package
+
+on:
+  release:
+    types: [published]
+  schedule:
+    - cron: '0 21 20 * *'
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version'
+        required: false
+      create-pr:
+          description: 'Create a PR for aur repo'
+          type: boolean
+          default: false
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - '.github/workflows/linux-makepkg.yml'
+      - 'dist/linux/makepkg/**'
+      - 'dist/linux/common/**'
+      - 'dist/linux/resources/**'
+
+jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.version }}
+
+  makepkg:
+    name: Build with makepkg
+    needs: [get-version]
+    runs-on: ubuntu-latest
+    container:
+      image: archlinux:base-devel
+    env:
+      PKGDEST: ${{ github.workspace }}/pkgdest
+      SRCDEST: ${{ github.workspace }}/srcdest
+    steps:
+      - name: Prepare pacman
+        run: |
+          pacman-key --init
+          pacman-key --populate archlinux
+          pacman -Syu --noconfirm --needed git base-devel sudo gnupg maven unzip
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: cryptomator
+      - name: Create build user
+        run: |
+          useradd -m builder
+          echo 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/builder
+          chown -R builder:builder "$GITHUB_WORKSPACE"
+          install -d -m 0755 -o builder -g builder "$PKGDEST" "$SRCDEST"
+      - name: Prepare PKGBUILD
+        # cannot use github.workspace due to https://github.com/actions/runner/issues/2058
+        run: |
+          export SOURCES="${SOURCES_1}${GITHUB_WORKSPACE}${SOURCES_2}"
+          envsubst '$PKG_VERSION $PKG_RELEASE $SOURCES $SOURCES_SHA' < cryptomator/dist/linux/makepkg/PKGBUILD.template > PKGBUILD
+        env:
+          PKG_VERSION: ${{ needs.get-version.outputs.semVerNum }}
+          PKG_RELEASE: 1
+          SOURCES_1: '"${_src_app_dir}::git+file://'
+          SOURCES_2: '/cryptomator"'
+          SOURCES_SHA: "'SKIP'"
+      - name: Build package with makepkg
+        run: >
+          sudo -u builder
+          env PKGDEST="$PKGDEST" SRCDEST="$SRCDEST"
+          makepkg --syncdeps --cleanbuild --noconfirm --log
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: arch-package
+          if-no-files-found: error
+          path: |
+            ${{ env.PKGDEST }}/*.pkg.tar.zst
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: pkgbuild-file
+          if-no-files-found: error
+          path: |
+            cryptomator/dist/linux/makepkg/PKGBUILD.template
+
+  create-pr:
+    name: Create PR for aur repo
+    if:  github.event_name == 'workflow_dispatch' && inputs.create-pr || github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable'
+    runs-on: ubuntu-latest
+    needs: [get-version, makepkg]
+    container:
+      image: archlinux:base-devel
+    env:
+      PKGDEST: ${{ github.workspace }}/pkgdest
+      SRCDEST: ${{ github.workspace }}/srcdest
+    steps:
+      - name: Prepare pacman
+        run: |
+          pacman-key --init
+          pacman-key --populate archlinux
+          pacman -Syu --noconfirm --needed git base-devel sudo gnupg maven unzip github-cli curl
+      - name: Download source tarball and compute checksum
+        id: sha256
+        run: |
+          URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${TAG}.tar.gz"
+          curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" ${URL} --output cryptomator.tar.gz
+          TARBALL_SHA256=$(sha256sum cryptomator.tar.gz | cut -d ' ' -f1)
+          echo "value=${TARBALL_SHA256}" >> "$GITHUB_OUTPUT"
+        env:
+          TAG: ${{ needs.get-version.outputs.semVerStr || github.event.release.tag_name }}
+      - name: Checkout cryptomator/aur repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: 'cryptomator/aur'
+          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Create build user
+        run: |
+          useradd -m builder
+          echo 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/builder
+          chown -R builder:builder "$GITHUB_WORKSPACE"
+          install -d -m 0755 -o builder -g builder "$PKGDEST" "$SRCDEST"
+      - name: Import Cryptomator release signing key
+        # try first ubuntu. on failure try openpgp keyservers
+        run: >
+          sudo -u builder gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
+          || sudo -u builder gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
+      - name: Checkout release branch
+        run: |
+          git config --global safe.directory '*'
+          git checkout -b release/${VERSION}
+        env:
+          VERSION: ${{ needs.get-version.outputs.semVerStr }}
+      - name: Determine pkgrel
+        id: pkgrel
+        run: |
+          CURRENT_VERSION="$(sed -nE 's/^pkgver=(.*)$/\1/p' PKGBUILD | head -n1)"
+          CURRENT_REL="$(sed -nE 's/^pkgrel=([0-9]+).*$/\1/p' PKGBUILD | head -n1)"
+
+          if [[ "$CURRENT_VERSION" == "$TARGET_VERSION" && "$CURRENT_REL" =~ ^[0-9]+$ ]]; then
+            NEXT_REL=$((CURRENT_REL + 1))
+          else
+            NEXT_REL=1
+          fi
+
+          echo "value=${NEXT_REL}" >> "$GITHUB_OUTPUT"
+          echo "dist-version=${TARGET_VERSION}-${NEXT_REL}" >> "$GITHUB_OUTPUT"
+        env:
+          TARGET_VERSION: ${{ needs.get-version.outputs.semVerStr }}
+      - name: Download PKGBUILD template
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: pkgbuild-file
+      - name: Prepare PKGBUILD
+        run: |
+          envsubst '$PKG_VERSION $PKG_RELEASE $SOURCES $SOURCES_SHA' < PKGBUILD.template > PKGBUILD
+          sudo -u builder makepkg --printsrcinfo > .SRCINFO
+        env:
+          PKG_VERSION: ${{ needs.get-version.outputs.semVerNum }}
+          PKG_RELEASE: ${{ steps.pkgrel.outputs.value }}
+          SOURCES: |-
+            "cryptomator-${pkgver//_/-}.tar.gz::https://github.com/cryptomator/cryptomator/archive/refs/tags/${pkgver//_/-}.tar.gz"
+                    "cryptomator-${pkgver//_/-}.tar.gz.asc::https://github.com/cryptomator/cryptomator/releases/download/${pkgver//_/-}/cryptomator-${pkgver//_/-}.tar.gz.asc"
+          SOURCES_SHA: |-
+            '${{steps.sha256.outputs.value}}'
+                        'SKIP'
+      - name: Build package with makepkg
+        run: >
+          sudo -u builder
+          env PKGDEST="$PKGDEST" SRCDEST="$SRCDEST"
+          makepkg --syncdeps --cleanbuild --noconfirm --log
+      - name: Commit and push
+        run: |
+          git config user.name "cryptobot"
+          git config user.email "cryptobot@users.noreply.github.com"
+          git config push.autoSetupRemote true
+          git stage PKGBUILD .SRCINFO
+          git commit -m "Prepare release ${DIST_VERSION}"
+          git push
+        env:
+          DIST_VERSION: ${{ steps.pkgrel.outputs.dist-version }}
+      - name: Create pull request
+        id: create-pr
+        run: |
+          printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md
+          PR_URL=$(gh pr create --title "Release $DIST_VERSION" --body-file pr_body.md)
+          echo "url=$PR_URL" >> "$GITHUB_OUTPUT"
+        env:
+          DIST_VERSION: ${{ steps.pkgrel.outputs.dist-version }}
+          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Slack Notification
+        if: github.event_name == 'release'
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: ''
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "AUR release PR created for ${{ github.event.repository.name }} ${{ steps.pkgrel.outputs.dist-version }} ."
+          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.url }}|PR> on how to proceed."
+          SLACK_FOOTER: ''
+          MSG_MINIMAL: true
--- a/.github/workflows/mac-dmg-x64.yml
+++ b/.github/workflows/mac-dmg-x64.yml
@@ -9,13 +9,45 @@ name: Build macOS .dmg for x64
 #######################################

 on:
-  release:
-    types: [published]
+  schedule:
+    - cron: '0 20 20 * *'
+  workflow_call:
+    inputs:
+      semVerNum:
+        type: string
+        description: 'The Major.Minor.Patch part of the version'
+        required: true
+      revisionNum:
+        type: string
+        description: 'The revision number'
+        required: true
+      semVerSuffix:
+        type: string
+        description: 'The suffix of the version, including dash'
+        required: true
+      notarize:
+        description: 'Notarize'
+        default: true
+        type: boolean
+      upload-to-draft:
+        type: boolean
+        default: true
+    outputs:
+      sha256-dmg:
+        description: "SHA256 sum of the x64 dmg"
+        value: ${{ jobs.build.outputs.sha256sum}}
  workflow_dispatch:
    inputs:
-      version:
-        description: 'Version'
+      semVerNum:
+        description: 'The Major.Minor.Patch part of the version'
        required: false
+      revisionNum:
+        description: 'The revision number'
+        required: false
+      semVerSuffix:
+        description: 'The suffix of the version, including dash'
+        required: false
+        default: '-SNAPSHOT'
      notarize:
        description: 'Notarize'
        required: true
@@ -25,17 +57,17 @@ on:
 env:
  JAVA_DIST: 'temurin'
  JAVA_VERSION: '25.0.2+10.0.LTS'
+  VERSION_NUM: ${{ inputs.semVerNum || '99.99.99'}}
+  REVISION_NUM: ${{ inputs.revisionNum || '0' }}
+  VERSION_SUFFIX: ${{ inputs.semVerSuffix || ''}}
+

 jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version: ${{ inputs.version }}
-
-  build-arm:
+  build:
    name: Build Cryptomator.app for ${{ matrix.output-suffix }}
    runs-on: ${{ matrix.os }}
-    needs: [get-version]
+    outputs:
+      sha256sum: ${{ steps.sha256sum.outputs.value }}
    strategy:
      fail-fast: false
      matrix:
@@ -44,8 +76,8 @@ jobs:
          architecture: x64
          output-suffix: x64
          fuse-lib: macFUSE
-          openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_osx-x64_bin-jmods.zip'
-          openjfx-sha: '0eba73fb28a24c845175d16fa2f8c081c936ce6de1be9b79eb6119fa32e53d52'
+          openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_osx-x64_bin-jmods.zip'
+          openjfx-sha: '0b4d8463f03901b7425d94628e4116b7078abb8dd540fbec415266fac20bda5c'
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Java
@@ -59,7 +91,7 @@ jobs:
      - name: Download OpenJFX jmods
        id: download-jmods
        run: |
-          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
          echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
          mkdir -p openjfx-jmods/
          unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
@@ -77,7 +109,7 @@ jobs:
            exit 1
          fi
      - name: Set version
-        run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
+        run : mvn versions:set -DnewVersion="${VERSION_NUM}${VERSION_SUFFIX}"
      - name: Run maven
        run: mvn -B clean package -Pmac -DskipTests
      - name: Patch target dir
@@ -117,8 +149,8 @@ jobs:
          --dest appdir
          --name Cryptomator
          --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2025 Skymatic GmbH"
-          --app-version "${{ needs.get-version.outputs.semVerNum }}"
+          --copyright "(C) 2016 - 2026 Skymatic GmbH"
+          --app-version "${VERSION_NUM}"
          --java-options "--enable-preview"
          --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.mac"
          --java-options "-Xss5m"
@@ -127,7 +159,7 @@ jobs:
          --java-options "-Djava.net.useSystemProxies=true"
          --java-options "-Dapple.awt.enableTemplateImages=true"
          --java-options "-Dsun.java2d.metal=true"
-          --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
+          --java-options "-Dcryptomator.appVersion=\"${VERSION_NUM}${VERSION_SUFFIX}\""
          --java-options "-Dcryptomator.adminConfigPath=\"/Library/Application Support/Cryptomator/config.properties\""
          --java-options "-Dcryptomator.logDir=\"@{userhome}/Library/Logs/Cryptomator\""
          --java-options "-Dcryptomator.settingsPath=\"@{userhome}/Library/Application Support/Cryptomator/settings.json\""
@@ -137,34 +169,20 @@ jobs:
          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Library/Application Support/Cryptomator/mnt\""
          --java-options "-Dcryptomator.showTrayIcon=true"
          --java-options "-Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism"
-          --java-options "-Dcryptomator.buildNumber=\"dmg-${{ needs.get-version.outputs.revNum }}\""
+          --java-options "-Dcryptomator.buildNumber=\"dmg-${REVISION_NUM}\""
+          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
          --mac-package-identifier org.cryptomator
          --resource-dir dist/mac/resources
      - name: Patch Cryptomator.app
        run: |
          mv appdir/Cryptomator.app Cryptomator.app
          mv dist/mac/resources/Cryptomator-Vault.icns Cryptomator.app/Contents/Resources/
-          sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" Cryptomator.app/Contents/Info.plist
-          sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" Cryptomator.app/Contents/Info.plist
+          cp dist/mac/resources/Assets.car Cryptomator.app/Contents/Resources/
+          sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NUM}|g" Cryptomator.app/Contents/Info.plist
+          sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NUM}|g" Cryptomator.app/Contents/Info.plist
          echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output Cryptomator.app/Contents/embedded.provisionprofile
        env:
-          VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
-          REVISION_NO: ${{ needs.get-version.outputs.revNum }}
          PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
-      - name: Build and install DockTilePlugin
-        env:
-          DERIVED_DATA_PATH: dist/mac/DockTilePlugin/build
-        run: |
-          xcodebuild -project dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj \
-                     -scheme DockTilePlugin \
-                     -configuration Release \
-                     -destination "platform=macOS,arch=x86_64" \
-                     -derivedDataPath ${DERIVED_DATA_PATH} \
-                     -quiet \
-                     clean build
-          mkdir -p Cryptomator.app/Contents/PlugIns
-          cp -R ${DERIVED_DATA_PATH}/Build/Products/Release/Cryptomator.docktileplugin Cryptomator.app/Contents/PlugIns/
-          rm -rf ${DERIVED_DATA_PATH}
      - name: Generate license for dmg
        run: >
          mvn -B license:add-third-party
@@ -252,16 +270,14 @@ jobs:
          --eula "dist/mac/dmg/resources/license.rtf"
          --icon ".background" 128 758
          --icon ".VolumeIcon.icns" 512 758
-          Cryptomator-${VERSION_NO}-${{ matrix.output-suffix }}.dmg dmg
-        env:
-          VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
+          Cryptomator-${VERSION_NUM}-${{ matrix.output-suffix }}.dmg dmg
      - name: Codesign .dmg
        run: |
          codesign -s ${CODESIGN_IDENTITY} --timestamp Cryptomator-*.dmg
        env:
          CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
      - name: Notarize .dmg
-        if: startsWith(github.ref, 'refs/tags/') || inputs.notarize
+        if:  inputs.notarize || github.event_name == 'schedule'
        uses: cocoalibs/xcode-notarization-action@5cf433d494b6fa26504b574c591f4dd120388846 # v1.0.3
        with:
          app-path: 'Cryptomator-*.dmg'
@@ -269,8 +285,12 @@ jobs:
          password: ${{ secrets.MACOS_NOTARIZATION_PW }}
          team-id: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
          xcode-path: '/Applications/Xcode_16.app'
+      - id: sha256sum
+        run: |
+          read -ra CMD_OUTPUT < <(shasum -a256 Cryptomator-*.dmg)
+          echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT
      - name: Add possible alpha/beta tags to installer name
-        run: mv Cryptomator-*.dmg Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.output-suffix }}.dmg
+        run: mv Cryptomator-*.dmg "Cryptomator-${VERSION_NUM}${VERSION_SUFFIX}-${{ matrix.output-suffix }}.dmg"
      - name: Create detached GPG signature with key 615D449FE6E6A235
        run: |
          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
@@ -283,7 +303,7 @@ jobs:
        run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
        continue-on-error: true
      - name: Upload artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: dmg-${{ matrix.output-suffix }}
          path: |
@@ -291,9 +311,10 @@ jobs:
            Cryptomator-*.asc
          if-no-files-found: error
      - name: Publish dmg on GitHub Releases
-        if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        if: inputs.upload-to-draft
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
+          draft: true
          fail_on_unmatched_files: true
          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
          files: |
--- a/.github/workflows/mac-dmg.yml
+++ b/.github/workflows/mac-dmg.yml
@@ -1,13 +1,45 @@
 name: Build macOS .dmg for arm64

 on:
-  release:
-    types: [published]
+  schedule:
+    - cron: '0 20 20 * *'
+  workflow_call:
+    inputs:
+      semVerNum:
+        type: string
+        description: 'The Major.Minor.Patch part of the version'
+        required: true
+      revisionNum:
+        type: string
+        description: 'The revision number'
+        required: true
+      semVerSuffix:
+        type: string
+        description: 'The suffix of the version, including dash'
+        required: true
+      notarize:
+        description: 'Notarize'
+        default: true
+        type: boolean
+      upload-to-draft:
+        type: boolean
+        default: true
+    outputs:
+      sha256-dmg:
+        description: "SHA256 sum of the arm64 dmg"
+        value: ${{ jobs.build.outputs.sha256sum}}
  workflow_dispatch:
    inputs:
-      version:
-        description: 'Version'
+      semVerNum:
+        description: 'The Major.Minor.Patch part of the version'
        required: false
+      revisionNum:
+        description: 'The revision number'
+        required: false
+      semVerSuffix:
+        description: 'The suffix of the version, including dash'
+        required: false
+        default: '-SNAPSHOT'
      notarize:
        description: 'Notarize'
        required: true
@@ -23,17 +55,17 @@ on:
 env:
  JAVA_DIST: 'temurin'
  JAVA_VERSION: '25.0.2+10.0.LTS'
+  VERSION_NUM: ${{ inputs.semVerNum || '99.99.99'}}
+  REVISION_NUM: ${{ inputs.revisionNum || '0' }}
+  VERSION_SUFFIX: ${{ inputs.semVerSuffix || ''}}
+

 jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version: ${{ inputs.version }}
-
  build:
    name: Build Cryptomator.app for ${{ matrix.output-suffix }}
    runs-on: ${{ matrix.os }}
-    needs: [get-version]
+    outputs:
+      sha256sum: ${{ steps.sha256sum.outputs.value }}
    strategy:
      fail-fast: false
      matrix:
@@ -42,8 +74,8 @@ jobs:
          architecture: aarch64
          output-suffix: arm64
          fuse-lib: FUSE-T
-          openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_osx-aarch64_bin-jmods.zip'
-          openjfx-sha: '13f8c0513c40c95881479fbcf0465a29a60217393fb0656f5e4eab78a9442fba'
+          openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_osx-aarch64_bin-jmods.zip'
+          openjfx-sha: '4cd258001c75af7047005c5c891e2400ed11d24fbb09412324c0cbaf8b503c5a'
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup Java
@@ -57,7 +89,7 @@ jobs:
      - name: Download OpenJFX jmods
        id: download-jmods
        run: |
-          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
          echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
          mkdir -p openjfx-jmods/
          unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
@@ -75,7 +107,7 @@ jobs:
            exit 1
          fi
      - name: Set version
-        run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
+        run : mvn versions:set -DnewVersion="${VERSION_NUM}${VERSION_SUFFIX}"
      - name: Run maven
        run: mvn -B clean package -Pmac -DskipTests
      - name: Patch target dir
@@ -115,8 +147,8 @@ jobs:
          --dest appdir
          --name Cryptomator
          --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2025 Skymatic GmbH"
-          --app-version "${{ needs.get-version.outputs.semVerNum }}"
+          --copyright "(C) 2016 - 2026 Skymatic GmbH"
+          --app-version "${VERSION_NUM}"
          --java-options "--enable-preview"
          --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.mac"
          --java-options "-Xss5m"
@@ -125,7 +157,7 @@ jobs:
          --java-options "-Djava.net.useSystemProxies=true"
          --java-options "-Dapple.awt.enableTemplateImages=true"
          --java-options "-Dsun.java2d.metal=true"
-          --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
+          --java-options "-Dcryptomator.appVersion=\"${VERSION_NUM}${VERSION_SUFFIX}\""
          --java-options "-Dcryptomator.adminConfigPath=\"/Library/Application Support/Cryptomator/config.properties\""
          --java-options "-Dcryptomator.logDir=\"@{userhome}/Library/Logs/Cryptomator\""
          --java-options "-Dcryptomator.settingsPath=\"@{userhome}/Library/Application Support/Cryptomator/settings.json\""
@@ -135,35 +167,21 @@ jobs:
          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Library/Application Support/Cryptomator/mnt\""
          --java-options "-Dcryptomator.showTrayIcon=true"
          --java-options "-Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism"
-          --java-options "-Dcryptomator.buildNumber=\"dmg-${{ needs.get-version.outputs.revNum }}\""
+          --java-options "-Dcryptomator.buildNumber=\"dmg-${REVISION_NUM}\""
          --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log"
+          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
          --mac-package-identifier org.cryptomator
          --resource-dir dist/mac/resources
      - name: Patch Cryptomator.app
        run: |
          mv appdir/Cryptomator.app Cryptomator.app
          mv dist/mac/resources/Cryptomator-Vault.icns Cryptomator.app/Contents/Resources/
-          sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" Cryptomator.app/Contents/Info.plist
-          sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" Cryptomator.app/Contents/Info.plist
+          cp dist/mac/resources/Assets.car Cryptomator.app/Contents/Resources/
+          sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NUM}|g" Cryptomator.app/Contents/Info.plist
+          sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NUM}|g" Cryptomator.app/Contents/Info.plist
          echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output Cryptomator.app/Contents/embedded.provisionprofile
        env:
-          VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
-          REVISION_NO: ${{ needs.get-version.outputs.revNum }}
          PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
-      - name: Build and install DockTilePlugin
-        env:
-          DERIVED_DATA_PATH: dist/mac/DockTilePlugin/build
-        run: |
-          xcodebuild -project dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj \
-                     -scheme DockTilePlugin \
-                     -configuration Release \
-                     -destination "platform=macOS,arch=arm64" \
-                     -derivedDataPath ${DERIVED_DATA_PATH} \
-                     -quiet \
-                     clean build
-          mkdir -p Cryptomator.app/Contents/PlugIns
-          cp -R ${DERIVED_DATA_PATH}/Build/Products/Release/Cryptomator.docktileplugin Cryptomator.app/Contents/PlugIns/
-          rm -rf ${DERIVED_DATA_PATH}
      - name: Generate license for dmg
        run: >
          mvn -B license:add-third-party
@@ -251,16 +269,14 @@ jobs:
          --eula "dist/mac/dmg/resources/license.rtf"
          --icon ".background" 128 758
          --icon ".VolumeIcon.icns" 512 758
-          Cryptomator-${VERSION_NO}-${{ matrix.output-suffix }}.dmg dmg
-        env:
-          VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
+          Cryptomator-${VERSION_NUM}-${{ matrix.output-suffix }}.dmg dmg
      - name: Codesign .dmg
        run: |
          codesign -s ${CODESIGN_IDENTITY} --timestamp Cryptomator-*.dmg
        env:
          CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
      - name: Notarize .dmg
-        if: startsWith(github.ref, 'refs/tags/') || inputs.notarize
+        if:  inputs.notarize || github.event_name == 'schedule'
        uses: cocoalibs/xcode-notarization-action@5cf433d494b6fa26504b574c591f4dd120388846 # v1.0.3
        with:
          app-path: 'Cryptomator-*.dmg'
@@ -268,8 +284,12 @@ jobs:
          password: ${{ secrets.MACOS_NOTARIZATION_PW }}
          team-id: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
          xcode-path: '/Applications/Xcode_16.app'
+      - id: sha256sum
+        run: |
+          read -ra CMD_OUTPUT < <(shasum -a256 Cryptomator-*.dmg)
+          echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT
      - name: Add possible alpha/beta tags to installer name
-        run: mv Cryptomator-*.dmg Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.output-suffix }}.dmg
+        run: mv Cryptomator-*.dmg "Cryptomator-${VERSION_NUM}${VERSION_SUFFIX}-${{ matrix.output-suffix }}.dmg"
      - name: Create detached GPG signature with key 615D449FE6E6A235
        run: |
          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
@@ -282,7 +302,7 @@ jobs:
        run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
        continue-on-error: true
      - name: Upload artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: dmg-${{ matrix.output-suffix }}
          path: |
@@ -290,9 +310,10 @@ jobs:
            Cryptomator-*.asc
          if-no-files-found: error
      - name: Publish dmg on GitHub Releases
-        if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        if: inputs.upload-to-draft
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
+          draft: true
          fail_on_unmatched_files: true
          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
          files: |
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -7,12 +7,12 @@ on:

 jobs:
  no-response:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    permissions:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          days-before-stale: 14
          days-before-close: 0
--- a/.github/workflows/post-publish.yml
+++ b/.github/workflows/post-publish.yml
@@ -5,35 +5,141 @@ on:
    types: [published]

 jobs:
-  get-version:
-    runs-on: ubuntu-latest
+  notify:
+    runs-on: ubuntu-slim
    steps:
-      - name: Download source tarball
-        run: |
-          curl -L -H "Accept: application/vnd.github+json" https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz --output cryptomator-${{ github.event.release.tag_name }}.tar.gz
-      - name: Sign source tarball with key 615D449FE6E6A235
-        run: |
-          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
-          echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.tar.gz
-        env:
-          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
-          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
-      - name: Publish asc on GitHub Releases
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
-        with:
-          fail_on_unmatched_files: true
-          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
-          files: |
-            cryptomator-*.tar.gz.asc
-      - name: Slack Notification
+      - name: Notify about DEB build
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: false
+          SLACK_ICON: ''
          SLACK_ICON_EMOJI: ':bot:'
          SLACK_CHANNEL: 'cryptomator-desktop'
          SLACK_TITLE: "Release ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} published."
          SLACK_MESSAGE: "Ready to <https://github.com/${{ github.repository }}/actions/workflows/debian.yml|build deb Package>."
-          SLACK_FOOTER: false
-          MSG_MINIMAL: true
+          SLACK_FOOTER: ''
+          MSG_MINIMAL: true
+      - name: Notify about latest-version update
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: ''
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "Requiring version check source update for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }}."
+          SLACK_MESSAGE: 'Check S3 bucket for <https://static.cryptomator.org/desktop/latest-version.json|latest-version.json>.'
+          SLACK_FOOTER: ''
+          MSG_MINIMAL: true
+
+  get-asset-urls:
+    name: Get release asset URLs
+    runs-on: ubuntu-slim
+    outputs:
+      is-windows-release: ${{ steps.urls.outputs.urls-present }}
+      msi-url: ${{ steps.urls.outputs.msi }}
+      exe-url: ${{ steps.urls.outputs.exe }}
+    steps:
+      - name: Extract MSI and EXE download URLs
+        id: urls
+        run: |
+          MSI_URL=$(jq -r '[.[] | select(.name | endswith("-x64.msi"))][0].browser_download_url // "null"' <<< "$RELEASE_ASSETS")
+          EXE_URL=$(jq -r '[.[] | select(.name | endswith("-x64.exe"))][0].browser_download_url // "null"' <<< "$RELEASE_ASSETS")
+          if [[ "$MSI_URL" == "null" || -z "$MSI_URL" || "$EXE_URL" == "null" || -z "$EXE_URL" ]]; then
+            echo "urls-present=false" >> $GITHUB_OUTPUT
+          else
+            echo "urls-present=true" >> $GITHUB_OUTPUT
+            echo "msi=${MSI_URL}" >> $GITHUB_OUTPUT
+            echo "exe=${EXE_URL}" >> $GITHUB_OUTPUT
+          fi
+        env:
+          RELEASE_ASSETS: ${{ toJson(github.event.release.assets) }}
+
+  allowlist-msi-x64:
+    needs: [get-asset-urls]
+    if: needs.get-asset-urls.outputs.is-windows-release == 'true'
+    uses: ./.github/workflows/av-whitelist.yml
+    with:
+      url: ${{ needs.get-asset-urls.outputs.msi-url }}
+    secrets: inherit
+
+  allowlist-exe-x64:
+    needs: [get-asset-urls, allowlist-msi-x64]
+    if: needs.get-asset-urls.outputs.is-windows-release == 'true'
+    uses: ./.github/workflows/av-whitelist.yml
+    with:
+      url: ${{ needs.get-asset-urls.outputs.exe-url }}
+    secrets: inherit
+
+  check-release:
+    name: Analyzes the release for certain properties
+    runs-on: ubuntu-slim
+    outputs:
+      release-kind: ${{steps.determine-kind.outputs.value}} # Possible values are [alpha, beta, rc, stable, unknown]
+    steps:
+      - id: determine-kind
+        run: |
+          SEM_VER_NUM=$(echo ${SEM_VER_STR} | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
+          SEM_VER_SUFFIX="${SEM_VER_STR#"$SEM_VER_NUM"}"
+
+          TYPE="unknown"
+          if [[ -z $SEM_VER_SUFFIX  ]]; then
+            TYPE="stable"
+          elif [[ $SEM_VER_SUFFIX =~ -alpha[1-9]+$ ]]; then
+            TYPE="alpha"
+          elif [[ $SEM_VER_SUFFIX =~ -beta[1-9]+$ ]]; then
+            TYPE="beta"
+          elif [[ $SEM_VER_SUFFIX =~ -rc[1-9]+$ ]]; then
+            TYPE="rc"
+          fi
+          echo "value=${TYPE}" >> $GITHUB_OUTPUT
+        env:
+          SEM_VER_STR: ${{ github.event.release.tag_name }}
+
+
+  notify-winget:
+    name: Notify for winget-release
+    if: needs.get-asset-urls.outputs.is-windows-release == 'true' && needs.check-release.outputs.release-kind == 'stable'
+    needs: [check-release, get-asset-urls]
+    runs-on: ubuntu-slim
+    steps:
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: ''
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "Release ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} published."
+          SLACK_MESSAGE: "Ready to <https://github.com/${{ github.repository }}/actions/workflows/winget.yml|release to winget>."
+          SLACK_FOOTER: ''
+          MSG_MINIMAL: true
+
+  trigger-website-update:
+    needs: [check-release]
+    runs-on: ubuntu-slim
+    if: needs.check-release.outputs.release-kind == 'stable'
+    steps:
+      - name: Start website update workflow
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        with:
+          event-type: desktop-release
+          token: ${{ secrets.CRYPTOBOT_WORKFLOW_DISPATCH_TOKEN }}
+          repository: cryptomator/cryptomator.github.io
+          client-payload: '{ "version": "${{ github.event.release.tag_name }}", "release": ${{ toJson(github.event.release.assets) }} }'
+
+  trigger-docs-update:
+    needs: [check-release, get-asset-urls]
+    runs-on: ubuntu-slim
+    if: needs.get-asset-urls.outputs.is-windows-release == 'true' && needs.check-release.outputs.release-kind == 'stable'
+    steps:
+      - name: Start docs update workflow
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
+        with:
+          event-type: desktop-release
+          token: ${{ secrets.CRYPTOBOT_WORKFLOW_DISPATCH_TOKEN }}
+          repository: cryptomator/docs
+          client-payload: '{ "version": "${{ github.event.release.tag_name }}", "release": ${{ toJson(github.event.release.assets) }} }'
+
--- a/.github/workflows/release-check.yml
+++ b/.github/workflows/release-check.yml
@@ -43,13 +43,14 @@ jobs:
            exit 1
          fi
      - name: Validate release in org.cryptomator.Cryptomator.metainfo.xml file
+        if: ${{ ! (contains(github.event.head_commit.message, '[skip metadata check]') || contains(github.event.head_commit.message, '[metadata check skip]')) }}
        run: |
          if ! grep -q "<release date=\".*\" version=\"${{ steps.validate-pom-version.outputs.semVerStr }}\">" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then
            echo "Release not set in dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml"
            exit 1
          fi
      - name: Cache NVD DB
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: ~/.m2/repository/org/owasp/dependency-check-data/
          key: dependency-check-${{ github.run_id }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,12 +7,12 @@ on:

 jobs:
  stale:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-slim
    permissions:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          days-before-stale: 365
          days-before-close: 90
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -1,13 +1,48 @@
 name: Build Windows Installer

 on:
-  release:
-    types: [published]
+  schedule:
+    - cron: '0 19 20 * *'
+  workflow_call:
+    inputs:
+      semVerNum:
+        type: string
+        description: 'The Major.Minor.Patch part of the version'
+        required: true
+      revisionNum:
+        type: string
+        description: 'The revision number'
+        required: true
+      semVerSuffix:
+        type: string
+        description: 'The suffix of the version, including dash'
+        required: true
+      sign:
+        description: 'Sign binaries'
+        default: true
+        type: boolean
+      upload-to-draft:
+        type: boolean
+        default: true
+    outputs:
+      sha256-msi:
+        description: "SHA256 sum of the x64 msi"
+        value: ${{ jobs.build-msi.outputs.sha256sum}}
+      sha256-exe:
+        description: "SHA256 sum of the x64 exe"
+        value: ${{ jobs.build-exe.outputs.sha256sum}}
  workflow_dispatch:
    inputs:
-      version:
-        description: 'Version'
+      semVerNum:
+        description: 'The Major.Minor.Patch part of the version'
        required: false
+      revisionNum:
+        description: 'The revision number'
+        required: false
+      semVerSuffix:
+        description: 'The suffix of the version, including dash'
+        required: false
+        default: '-SNAPSHOT'
      sign:
        description: 'Sign binaries'
        required: false
@@ -22,33 +57,33 @@ on:


 env:
-  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_windows-x64_bin-jmods.zip'
-  OPENJFX_JMODS_AMD64_HASH: 'c8eb9fd039b00e0020cf6c3db8ed7876bf3ee4d27860aa697a247b83b8296ae7'
+  VERSION_NUM: ${{ inputs.semVerNum || '99.99.99'}}
+  REVISION_NUM: ${{ inputs.revisionNum || '0' }}
+  VERSION_SUFFIX: ${{ inputs.semVerSuffix || ''}}
+  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_windows-x64_bin-jmods.zip'
+  OPENJFX_JMODS_AMD64_HASH: '33d878dfac85590c4d77c518ed413e512d34a8479d90132b230a7ddd173576b3'
  WINFSP_MSI: 'https://github.com/winfsp/winfsp/releases/download/v2.1/winfsp-2.1.25156.msi'
  WINFSP_MSI_HASH: '073a70e00f77423e34bed98b86e600def93393ba5822204fac57a29324db9f7a'
  WINFSP_UNINSTALLER: 'https://github.com/cryptomator/winfsp-uninstaller/releases/latest/download/winfsp-uninstaller.exe'
+  WIX_VERSION: '6.0.2'

 defaults:
  run:
    shell: bash

 jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version: ${{ inputs.version }}
-
  build-msi:
    name: Build .msi Installer
    runs-on: ${{ matrix.os }}
-    needs: [ get-version ]
+    outputs:
+      sha256sum: ${{ steps.sha256sum.outputs.value }}
    strategy:
      matrix:
        include:
          - arch: x64
            os: windows-latest
-            java-dist: 'temurin' #cannot use temurin, see https://github.com/cryptomator/cryptomator/issues/3824#issuecomment-2829827427
-            java-version: '25.0.2+10.0.LTS'
+            java-dist: 'zulu' #cannot use temurin, see https://github.com/cryptomator/cryptomator/issues/3824#issuecomment-2829827427
+            java-version: '25.0.1+8'
            java-package: 'jdk'
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -62,14 +97,16 @@ jobs:
          cache: 'maven'
      - name: Install wix and extensions
        run: |
-          dotnet tool install --global wix --version 6.0.0
-          wix.exe extension add WixToolset.UI.wixext/6.0.0 --global
-          wix.exe extension add WixToolset.Util.wixext/6.0.0 --global
+          dotnet tool install --global wix --version ${WIX_VERSION}
+          wix.exe extension add --global WixToolset.UI.wixext/${WIX_VERSION}
+          wix.exe extension add --global WixToolset.Util.wixext/${WIX_VERSION}
+        env:
+          WIX_VERSION: ${{ env.WIX_VERSION }}
      - name: Download and extract JavaFX jmods from Gluon
        if: matrix.arch == 'x64'
        #In the last step we move all jmods files a dir level up because jmods are placed inside a directory in the zip
        run: |
-          curl --output openjfx-jmods.zip -L "${{ env.OPENJFX_JMODS_AMD64 }}"
+          curl --silent --fail-with-body --proto "=https" -L "${{ env.OPENJFX_JMODS_AMD64 }}" --output openjfx-jmods.zip
          if(!(Get-FileHash -Path openjfx-jmods.zip -Algorithm SHA256).Hash.ToLower().equals("${{ env.OPENJFX_JMODS_AMD64_HASH }}")) {
            throw "Wrong checksum of JMOD archive downloaded from ${{ env.OPENJFX_JMODS_AMD64 }}.";
          }
@@ -91,7 +128,7 @@ jobs:
            exit 1
          fi
      - name: Set version
-        run: mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
+        run: mvn versions:set -DnewVersion="${VERSION_NUM}${VERSION_SUFFIX}"
      - name: Run maven
        run: mvn -B clean package -Pwin -DskipTests
      - name: Patch target dir
@@ -131,13 +168,13 @@ jobs:
          --dest appdir
          --name Cryptomator
          --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2025 Skymatic GmbH"
-          --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum }}"
+          --copyright "(C) 2016 - 2026 Skymatic GmbH"
+          --app-version "${VERSION_NUM}.${REVISION_NUM}"
          --java-options "--enable-preview"
          --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.win,org.cryptomator.integrations.win"
          --java-options "-Xss5m"
          --java-options "-Xmx256m"
-          --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
+          --java-options "-Dcryptomator.appVersion=\"${VERSION_NUM}${VERSION_SUFFIX}\""
          --java-options "-Dfile.encoding=\"utf-8\""
          --java-options "-Djava.net.useSystemProxies=true"
          --java-options "-Dcryptomator.adminConfigPath=\"C:/ProgramData/Cryptomator/config.properties\""
@@ -148,12 +185,13 @@ jobs:
          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Cryptomator\""
          --java-options "-Dcryptomator.loopbackAlias=\"cryptomator-vault\""
          --java-options "-Dcryptomator.showTrayIcon=true"
-          --java-options "-Dcryptomator.buildNumber=\"msi-${{ needs.get-version.outputs.revNum }}\""
+          --java-options "-Dcryptomator.buildNumber=\"msi-${REVISION_NUM}\""
          --java-options "-Dcryptomator.integrationsWin.autoStartShellLinkName=\"Cryptomator\""
          --java-options "-Dcryptomator.integrationsWin.keychainPaths=\"@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json\""
          --java-options "-Dcryptomator.integrationsWin.windowsHelloKeychainPaths=\"@{appdata}/Cryptomator/windowsHelloKeychain.json\""
          --java-options "-Dcryptomator.disableUpdateCheck=false"
          --java-options "-XX:ErrorFile=C:/cryptomator/cryptomator_crash.log"
+          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
          --resource-dir dist/win/resources
          --icon dist/win/resources/Cryptomator.ico
          --add-launcher "Cryptomator (Debug)=dist/win/debug-launcher.properties"
@@ -185,20 +223,11 @@ jobs:
      - name: Extract wixhelper.dll for Codesigning #see https://github.com/cryptomator/cryptomator/issues/3130
        shell: pwsh
        run: |
-          $extractDir = "appdir/jpackage-jimage"
-          New-Item -Path $extractDir -ItemType Directory -Force | Out-Null
-
-          & "$env:JAVA_HOME\bin\jimage.exe" extract --dir $extractDir "$env:JAVA_HOME\lib\modules"
-
-          $wixhelper = Get-ChildItem -Path $extractDir -Recurse -File -Filter "wixhelper.dll" | Select-Object -First 1
-          if (-not $wixhelper) {
-            throw "wixhelper.dll not found in $env:JAVA_HOME\lib\modules"
-          }
-
-          Copy-Item -Path $wixhelper.FullName -Destination "appdir/wixhelper.dll" -Force
-          Remove-Item -Path $extractDir -Recurse -Force
+          New-Item -Path appdir/jpackage-jmod -ItemType Directory
+          & $env:JAVA_HOME\bin\jmod.exe extract --dir jpackage-jmod "${env:JAVA_HOME}\jmods\jdk.jpackage.jmod"
+          Get-ChildItem -Recurse -Path "jpackage-jmod" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "appdir"
      - name: Sign DLLs with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'release'
+        if: inputs.sign || github.event_name == 'schedule'
        uses: ./.github/actions/win-sign-action
        with:
          base-dir: ${{ github.workspace }}\appdir
@@ -207,17 +236,6 @@ jobs:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-      - name: Sign DLLs with Actalis CodeSigner
-        if: inputs.sign || github.event_name == 'release'
-        uses: skymatic/workflows/.github/actions/win-sign-action@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # no specific version
-        with:
-          base-dir: 'appdir'
-          file-extensions: 'dll,exe,ps1'
-          recursive: true
-          sign-description: 'Cryptomator'
-          sign-url: 'https://cryptomator.org'
-          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
-          password: ${{ secrets.WIN_CODESIGN_PW }}
      - name: Replace DLLs inside jars with signed ones
        shell: pwsh
        run: |
@@ -253,8 +271,8 @@ jobs:
          --dest installer
          --name Cryptomator
          --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2025 Skymatic GmbH"
-          --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum}}"
+          --copyright "(C) 2016 - 2026 Skymatic GmbH"
+          --app-version "${VERSION_NUM}.${REVISION_NUM}"
          --win-menu
          --win-dir-chooser
          --win-shortcut-prompt
@@ -267,7 +285,7 @@ jobs:
          JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources # requires abs path, used in resources/main.wxs
          JP_WIXHELPER_DIR: ${{ github.workspace }}\appdir
      - name: Sign MSI with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'release'
+        if: inputs.sign || github.event_name == 'schedule'
        uses: ./.github/actions/win-sign-action
        with:
          base-dir: ${{ github.workspace }}\installer
@@ -276,8 +294,12 @@ jobs:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+      - id: sha256sum
+        run: |
+          read -ra CMD_OUTPUT < <(sha256sum installer/Cryptomator-*.msi)
+          echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT
      - name: Add possible alpha/beta tags and architecture to installer name
-        run: mv installer/Cryptomator-*.msi Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.arch }}.msi
+        run: mv installer/Cryptomator-*.msi "Cryptomator-${VERSION_NUM}${VERSION_SUFFIX}-${{ matrix.arch }}.msi"
      - name: Create detached GPG signature with key 615D449FE6E6A235
        run: |
          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
@@ -286,7 +308,7 @@ jobs:
          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
      - name: Upload artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: msi-${{ matrix.arch }}
          path: |
@@ -297,7 +319,9 @@ jobs:
  build-exe:
    name: Build .exe installer
    runs-on: ${{ matrix.os }}
-    needs: [ get-version, build-msi ]
+    needs: [ build-msi ]
+    outputs:
+      sha256sum: ${{ steps.sha256sum.outputs.value }}
    strategy:
      matrix:
        include:
@@ -311,11 +335,13 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install wix and extensions
        run: |
-          dotnet tool install --global wix --version 6.0.0
-          wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.0 --global
-          wix.exe extension add WixToolset.Util.wixext/6.0.0 --global
+          dotnet tool install --global wix --version ${WIX_VERSION}
+          wix.exe extension add --global WixToolset.BootstrapperApplications.wixext/${WIX_VERSION}
+          wix.exe extension add --global WixToolset.Util.wixext/${WIX_VERSION}
+        env:
+          WIX_VERSION: ${{ env.WIX_VERSION }}
      - name: Download .msi
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: msi-${{ matrix.arch }}
          path: dist/win/bundle/resources
@@ -342,38 +368,39 @@ jobs:
        shell: pwsh
      - name: Download WinFsp
        run: |
-          curl --output $env:WINFSP_PATH -L ${{ env.WINFSP_MSI }}
-          $computedHash = (Get-FileHash -Path $env:WINFSP_PATH -Algorithm SHA256).Hash.ToLower()
-          if ($computedHash -ne "${{ env.WINFSP_MSI_HASH }}") {
-            throw "Checksum mismatch for $env:WINFSP_PATH (expected ${{ env.WINFSP_MSI_HASH }}, got $computedHash)."
+          curl --silent --fail-with-body --proto "=https" -L "$env:WINFSP_MSI" --output $env:WINFSP_PATH
+          $computedHash = (Get-FileHash -Path "$env:WINFSP_PATH" -Algorithm SHA256).Hash.ToLower()
+          if ($computedHash -ne "$env:WINFSP_MSI_HASH") {
+            throw "Checksum mismatch for ${env:WINFSP_PATH} (expected ${env:WINFSP_MSI_HASH}, got $computedHash)."
          }
        env:
          WINFSP_PATH: 'dist/win/bundle/resources/winfsp.msi'
        shell: pwsh
      - name: Download Legacy-WinFsp uninstaller
        run: |
-          curl --output dist/win/bundle/resources/winfsp-uninstaller.exe -L ${{ env.WINFSP_UNINSTALLER }}
+          curl --silent --fail-with-body --proto "=https" -L ${{ env.WINFSP_UNINSTALLER }} --output dist/win/bundle/resources/winfsp-uninstaller.exe
        shell: pwsh
      - name: Create Wix Burn bundle
        working-directory: dist/win
        run: >
          wix build
          -define BundleName="Cryptomator"
-          -define BundleVersion="${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum}}"
+          -define BundleVersion="${VERSION_NUM}.${REVISION_NUM}"
          -define BundleVendor="Skymatic GmbH"
-          -define BundleCopyright="(C) 2016 - 2025 Skymatic GmbH"
+          -define BundleCopyright="(C) 2016 - 2026 Skymatic GmbH"
          -define AboutUrl="https://cryptomator.org"
          -define HelpUrl="https://cryptomator.org/contact"
          -define UpdateUrl="https://cryptomator.org/downloads/"
          -ext "WixToolset.Util.wixext"
          -ext "WixToolset.BootstrapperApplications.wixext"
          ./bundle/bundleWithWinfsp.wxs
-          -out "../../installer/unsigned/Cryptomator-Installer.exe"
+          -out "../../installer/Cryptomator-Installer.exe"
      - name: Detach burn engine in preparation to sign
+        if: inputs.sign || github.event_name == 'schedule'
        run: >
-          wix burn detach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe
+          wix burn detach installer/Cryptomator-Installer.exe -engine tmp/engine.exe
      - name: Sign WiX burn engine with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'release'
+        if: inputs.sign || github.event_name == 'schedule'
        uses: ./.github/actions/win-sign-action
        with:
          base-dir: ${{ github.workspace }}\tmp
@@ -383,21 +410,14 @@ jobs:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-      - name: Sign burn engine with Actalis CodeSigner
-        if: inputs.sign || github.event_name == 'release'
-        uses: skymatic/workflows/.github/actions/win-sign-action@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # no specific version
-        with:
-          base-dir: 'tmp'
-          file-extensions: 'exe'
-          sign-description: 'Cryptomator Bundle Installer'
-          sign-url: 'https://cryptomator.org'
-          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
-          password: ${{ secrets.WIN_CODESIGN_PW }}
      - name: Reattach signed burn engine to installer
-        run: >
-          wix burn reattach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe -o installer/Cryptomator-Installer.exe
+        if: inputs.sign || github.event_name == 'schedule'
+        shell: pwsh
+        run: |
+          Move-Item -Path installer/Cryptomator-Installer.exe -Destination tmp/Cryptomator-Installer.exe
+          wix burn reattach tmp/Cryptomator-Installer.exe -engine tmp/engine.exe -o installer/Cryptomator-Installer.exe
      - name: Sign EXE installer with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'release'
+        if: inputs.sign || github.event_name == 'schedule'
        uses: ./.github/actions/win-sign-action
        with:
          base-dir: ${{ github.workspace }}\installer
@@ -407,18 +427,12 @@ jobs:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-      - name: Sign installer with Actalis CodeSigner
-        if: inputs.sign || github.event_name == 'release'
-        uses: skymatic/workflows/.github/actions/win-sign-action@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # no specific version
-        with:
-          base-dir: 'installer'
-          file-extensions: 'exe'
-          sign-description: 'Cryptomator Bundle Installer'
-          sign-url: 'https://cryptomator.org'
-          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
-          password: ${{ secrets.WIN_CODESIGN_PW }}
+      - id: sha256sum
+        run: |
+          read -ra CMD_OUTPUT < <(sha256sum installer/Cryptomator-*.exe)
+          echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT
      - name: Add possible alpha/beta tags to installer name
-        run: mv installer/Cryptomator-Installer.exe Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.executable-suffix }}.exe
+        run: mv installer/Cryptomator-Installer.exe "Cryptomator-${VERSION_NUM}${VERSION_SUFFIX}-${{ matrix.executable-suffix }}.exe"
      - name: Create detached GPG signature with key 615D449FE6E6A235
        run: |
          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
@@ -427,7 +441,7 @@ jobs:
          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
      - name: Upload artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: exe-${{ matrix.executable-suffix }}
          path: |
@@ -437,58 +451,22 @@ jobs:

  publish:
    name: Publish installers to the github release
-    if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
+    if: inputs.upload-to-draft
    runs-on: ubuntu-latest
    needs: [ build-msi, build-exe ]
-    outputs:
-      download-url-msi-x64: ${{ fromJSON(steps.publish.outputs.assets)[0].browser_download_url }}
-      download-url-exe-x64: ${{ fromJSON(steps.publish.outputs.assets)[2].browser_download_url }}
    steps:
      - name: Download installers
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          merge-multiple: true
      - name: Publish installers on GitHub Releases
        id: publish
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
+          draft: true
          fail_on_unmatched_files: true
          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
-          # do not change ordering of filelist, required for correct job output
          files: |
            *x64.msi
            *x64.exe
            *.asc
-
-  allowlist-msi-x64:
-    uses: ./.github/workflows/av-whitelist.yml
-    needs: [ publish ]
-    with:
-      url: ${{ needs.publish.outputs.download-url-msi-x64 }}
-    secrets: inherit
-
-  allowlist-exe-x64:
-    uses: ./.github/workflows/av-whitelist.yml
-    needs: [ publish, allowlist-msi-x64 ]
-    with:
-      url: ${{ needs.publish.outputs.download-url-exe-x64 }}
-    secrets: inherit
-
-  notify-winget:
-    name: Notify for winget-release
-    if: needs.get-version.outputs.versionType == 'stable'
-    needs: [publish, get-version]
-    runs-on: ubuntu-latest
-    steps:
-      - name: Slack Notification
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: false
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "MSI packages of ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} published."
-          SLACK_MESSAGE: "Ready to <https://github.com/${{ github.repository }}/actions/workflows/winget.yml| release them to winget>."
-          SLACK_FOOTER: false
-          MSG_MINIMAL: true
--- a/.github/workflows/winget.yml
+++ b/.github/workflows/winget.yml
@@ -18,7 +18,7 @@ jobs:
        env:
          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
      - name: Submit package
-        uses: vedantmgoyal2009/winget-releaser@19e706d4c9121098010096f9c495a70a7518b30f # no_specific_version
+        uses: vedantmgoyal2009/winget-releaser@7bd472be23763def6e16bd06cc8b1cdfab0e2fd5 # no_specific_version
        with:
          identifier: Cryptomator.Cryptomator
          version: ${{ inputs.tag }}
--- a/.idea/runConfigurations/Cryptomator_Linux.xml
+++ b/.idea/runConfigurations/Cryptomator_Linux.xml
@@ -2,7 +2,7 @@
  <configuration default="false" name="Cryptomator Linux" type="Application" factoryName="Application">
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator/mnt&quot; -Dcryptomator.showTrayIcon=true -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/.idea/runConfigurations/Cryptomator_Linux_Dev.xml
+++ b/.idea/runConfigurations/Cryptomator_Linux_Dev.xml
@@ -2,7 +2,7 @@
  <configuration default="false" name="Cryptomator Linux Dev" type="Application" factoryName="Application">
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dfuse.experimental=&quot;true&quot; -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Dfuse.experimental=&quot;true&quot; -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/.idea/runConfigurations/Cryptomator_Windows.xml
+++ b/.idea/runConfigurations/Cryptomator_Windows.xml
@@ -2,7 +2,7 @@
  <configuration default="false" name="Cryptomator Windows" type="Application" factoryName="Application">
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator/settings.json;@{userhome}/AppData/Roaming/Cryptomator/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator/key.p12;@{userhome}/AppData/Roaming/Cryptomator/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator/settings.json;@{userhome}/AppData/Roaming/Cryptomator/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator/key.p12;@{userhome}/AppData/Roaming/Cryptomator/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/.idea/runConfigurations/Cryptomator_Windows_Dev.xml
+++ b/.idea/runConfigurations/Cryptomator_Windows_Dev.xml
@@ -2,7 +2,7 @@
  <configuration default="false" name="Cryptomator Windows Dev" type="Application" factoryName="Application">
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator-Dev/settings.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator-Dev/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator-Dev/keychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator-Dev/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator-Dev/key.p12;@{userhome}/AppData/Roaming/Cryptomator-Dev/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator-Dev&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator-Dev/settings.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator-Dev/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator-Dev/keychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator-Dev/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator-Dev/key.p12;@{userhome}/AppData/Roaming/Cryptomator-Dev/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator-Dev&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/.idea/runConfigurations/Cryptomator_macOS.xml
+++ b/.idea/runConfigurations/Cryptomator_macOS.xml
@@ -5,7 +5,7 @@
    </envs>
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/.idea/runConfigurations/Cryptomator_macOS_Dev.xml
+++ b/.idea/runConfigurations/Cryptomator_macOS_Dev.xml
@@ -5,7 +5,7 @@
    </envs>
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,45 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 The changelog starts with version 1.19.0.
 Changes to prior versions can be found on the [Github release page](https://github.com/cryptomator/cryptomator/releases).

-## [Unreleased](https://github.com/cryptomator/cryptomator/compare/1.18.0...HEAD)
+
+## [Unreleased](https://github.com/cryptomator/cryptomator/compare/1.19.2...HEAD)
+
+### Changed
+* Refactored release pipeline to allow immutable releases ([#4205](https://github.com/cryptomator/cryptomator/pull/4205))
+
+
+## [1.19.2](https://github.com/cryptomator/cryptomator/releases/1.19.2) - 2026-03-20
+
+### Security
+* Cryptomamtor Hub Vaults: Additional patch for (#4179, [GHSA-34rf-rwr3-7g43](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43))
+
+
+## [1.19.1](https://github.com/cryptomator/cryptomator/releases/1.19.1) - 2026-03-12
+
+### Security
+* Cryptomamtor Hub Vaults: Fixed possible man-in-the-middle attack with tampered vault config (#4179, [GHSA-34rf-rwr3-7g43](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43))
+* Disallow unencrypted http connections to hub by default ([CVE-2026-32309](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-vv33-h7qx-c264))
+* Disallow loading of masterkey file from arbitrary paths (#4180, [CVE-2026-32310](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-5phc-5pfx-hr52))
+* Fixed not-configured plugin directory does not disable plugin search ([#4176](https://github.com/cryptomator/cryptomator/pull/4176))
+
+### Added
+* Trust on first use, adding new config properties `cryptomator.hub.allowedHosts` and `cryptomator.hub.enableTrustOnFirstUse` (#4179)
+
+### Fixed
+* Fixed Finder window opens twice when revealing vault on macOS ([#4177](https://github.com/cryptomator/cryptomator/pull/4177))
+* Fixed app does not start due to secret service detection failure on Linux ([#4175](https://github.com/cryptomator/cryptomator/pull/4175))
+
+### Changed
+* Pin version of appimagetool([#4181](https://github.com/cryptomator/cryptomator/pull/4181))
+* Updated translations
+* Updated dependencies:
+  * `org.cryptomator:integrations-api` from 1.8.0-beta1 to 1.8.0
+  * `org.cryptomator:integrations-linux` from 1.7.0-beta4 to 1.7.0
+  * `org.cryptomator:integrations-mac` from 1.5.0-beta3 to 1.5.0
+
+
+
+## [1.19.0](https://github.com/cryptomator/cryptomator/releases/tag/1.19.0) - 2026-03-09

 ### Added
 * Self-Update Mechanism ([#3948](https://github.com/cryptomator/cryptomator/pull/3948))
@@ -19,25 +57,34 @@ Changes to prior versions can be found on the [Github release page](https://gith
 * Show Archived Vault Dialog on unlock when Hub returns 410 ([#4081](https://github.com/cryptomator/cryptomator/pull/4081))
 * Support automatic app theme selection according to OS theme on Linux ([#4027](https://github.com/cryptomator/cryptomator/issues/4027))
 * Admin configuration: Allow overwriting certain app properties by external config file ([#4105](https://github.com/cryptomator/cryptomator/pull/4105))
+* New keychain backend using [secret service API](https://specifications.freedesktop.org/secret-service/0.2) for Linux ([#4025](https://github.com/cryptomator/cryptomator/pull/4025))
+* Liquid Glass icon for macOS ([#4166](https://github.com/cryptomator/cryptomator/pull/4166))
+
+### Fixed
+* Fixed password reset/show recovery possible for vaults without masterkey file ([#4120](https://github.com/cryptomator/cryptomator/pull/4120))
+* Fixed restore vault config failed due to selecting a directory instead of file ([#4141](https://github.com/cryptomator/cryptomator/issues/4141))
+* Fixed leaking of cleartext paths into application log ([GHSA-j83j-mwhc-rcgw](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-j83j-mwhc-rcgw))

 ### Changed
-* Built using JDK 25 ([#4031](https://github.com/cryptomator/cryptomator/issues/4031))
-* Modernized Template for GitHub Releases
 * Disable user defined app start config on Windows ([#4132](https://github.com/cryptomator/cryptomator/issues/4132))
+* Disable plugin loading by default ([#4136](https://github.com/cryptomator/cryptomator/4136))
+* Use JDK 25 ([#4031](https://github.com/cryptomator/cryptomator/pull/4031))
+* Update JavaFX to 25.0.2 ([#4145](https://github.com/cryptomator/cryptomator/pull/4145))
+* Updated translations
 * Updated dependencies
-  * `ch.qos.logback:*` from 1.5.19 to 1.5.31
-  * `com.fasterxml.jackson.core:jackson-databind` from 2.20.0 to 2.21.0
-  * `com.fasterxml.jackson.datatype:jackson-datatype-jsr310` from 2.20.0 to 2.21.0
+  * `ch.qos.logback:*` from 1.5.19 to 1.5.32
+  * `com.fasterxml.jackson.core:jackson-databind` from 2.20.0 to 2.21.1
+  * `com.fasterxml.jackson.datatype:jackson-datatype-jsr310` from 2.20.0 to 2.21.1
  * `com.github.ben-manes.caffeine:caffeine` from 3.2.2 to 3.2.3
-  * `com.google.dagger:*` from 2.57.2 to 2.59.1
+  * `com.google.dagger:*` from 2.57.2 to 2.59.2
  * `org.apache.commons:commons-lang3` from 3.19.0 to 3.20.0
-  * `org.cryptomator:cryptofs` from 2.9.0 to 2.10.0-beta3
+  * `org.cryptomator:cryptofs` from 2.9.0 to 2.10.0
  * `org.cryptomator:cryptolib` from 2.2.1 to 2.2.2
-  * `org.cryptomator:fuse-nio-adapter` from 5.1.0 to 6.0.0
+  * `org.cryptomator:fuse-nio-adapter` from 5.1.0 to 6.0.1
  * `org.cryptomator:integrations-api` from 1.7.0 to 1.8.0-beta1
  * `org.cryptomator:integrations-linux` from 1.6.1 to 1.7.0-beta4
  * `org.cryptomator:integrations-mac` from 1.4.1 to 1.5.0-beta3
  * `org.cryptomator:integrations-win` from 1.5.1 to 1.6.0
  * `org.cryptomator:webdav-nio-adapter` from 3.0.0 to 3.0.1
-
+  * `org.cryptomator:webdav-nio-adapter-servlet` to 1.2.12

--- a/README.md
+++ b/README.md
@@ -78,7 +78,7 @@ For more information on the security details visit [cryptomator.org](https://doc

 ### Dependencies

-* JDK 24 (e.g. temurin, zulu)
+* JDK 25 (e.g. temurin, zulu)
 * Maven 3

 ### Run Maven
--- a/dist/common/cryptomator.config
+++ b/dist/common/cryptomator.config
--- a/dist/linux/appimage/build.sh
+++ b/dist/linux/appimage/build.sh
@@ -23,12 +23,12 @@ mvn -B -f ../../../pom.xml clean package -Plinux -DskipTests
 cp ../../../LICENSE.txt ../../../target
 cp ../../../target/cryptomator-*.jar ../../../target/mods

-JAVAFX_VERSION=25
+JAVAFX_VERSION=25.0.2
 JAVAFX_ARCH="x64"
-JAVAFX_JMODS_SHA256='96e520f48610d8ffb94ca30face1f11ffe8a977ddc1c4ff80b1a9e9f048bd94e'
+JAVAFX_JMODS_SHA256='e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b'
 if [ "${CPU_ARCH}" = "aarch64" ]; then
    JAVAFX_ARCH="aarch64"
-    JAVAFX_JMODS_SHA256='951c52481af0ec5885b06f1ebaa8a10da7e8ea23c5e1ef3e2f6f11fa1b3a7ce1'
+    JAVAFX_JMODS_SHA256='c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646'
 fi

 # download javaFX jmods
@@ -82,7 +82,7 @@ ${JAVA_HOME}/bin/jpackage \
    --vendor "Skymatic GmbH" \
    --java-options "--enable-preview" \
    --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator" \
-    --copyright "(C) 2016 - 2025 Skymatic GmbH" \
+    --copyright "(C) 2016 - 2026 Skymatic GmbH" \
    --java-options "-Xss5m" \
    --java-options "-Xmx256m" \
    --app-version "${VERSION}.${REVISION_NO}" \
@@ -99,6 +99,7 @@ ${JAVA_HOME}/bin/jpackage \
    --java-options "-Dcryptomator.buildNumber=\"appimage-${REVISION_NO}\"" \
    --java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\"" \
    --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log" \
+    --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
    --resource-dir ../resources

 # transform AppDir
@@ -123,7 +124,7 @@ ln -s org.cryptomator.Cryptomator.metainfo.xml Cryptomator.AppDir/usr/share/meta
 ln -s bin/cryptomator.sh Cryptomator.AppDir/AppRun

 # load AppImageTool
-curl -L https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-${CPU_ARCH}.AppImage -o /tmp/appimagetool.AppImage
+curl -L https://github.com/AppImage/appimagetool/releases/download/1.9.1/appimagetool-${CPU_ARCH}.AppImage -o /tmp/appimagetool.AppImage
 chmod +x /tmp/appimagetool.AppImage

 # create AppImage
--- a/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
+++ b/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
@@ -73,6 +73,7 @@
 	<url type="faq">https://community.cryptomator.org/c/kb/faq</url>
 	<url type="help">https://docs.cryptomator.org/</url>
 	<url type="translate">https://translate.cryptomator.org</url>
+	<url type="vcs-browser">https://github.com/cryptomator/cryptomator</url>

 	<developer id="de.skymatic">
 		<name>Skymatic GmbH</name>
@@ -83,6 +84,15 @@
 	</content_rating>

 	<releases>
+		<release date="2026-03-20" version="1.19.2">
+			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.2</url>
+		</release>
+		<release date="2026-03-12" version="1.19.1">
+			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.1</url>
+		</release>
+		<release date="2026-03-09" version="1.19.0">
+			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.0</url>
+		</release>
 		<release date="2025-11-12" version="1.18.0">
 			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.18.0</url>
 		</release>
--- a/dist/linux/debian/rules
+++ b/dist/linux/debian/rules
@@ -46,7 +46,7 @@ override_dh_auto_build:
 		--vendor "Skymatic GmbH" \
 		--java-options "--enable-preview" \
 		--java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator" \
-		--copyright "(C) 2016 - 2025 Skymatic GmbH" \
+		--copyright "(C) 2016 - 2026 Skymatic GmbH" \
 		--java-options "-Xss5m" \
 		--java-options "-Xmx256m" \
 		--java-options "-Dfile.encoding=\"utf-8\"" \
@@ -64,6 +64,7 @@ override_dh_auto_build:
 		--java-options "-Dcryptomator.disableUpdateCheck=\"${DISABLE_UPDATE_CHECK}\"" \
 		--java-options "-Dcryptomator.integrationsLinux.autoStartCmd=\"cryptomator\"" \
 		--java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\"" \
+		--java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
 		--app-version "${VERSION_NUM}.${REVISION_NUM}" \
 		--resource-dir resources \
 		--verbose
--- a/dist/linux/flatpak/build-aux/fusermount-wrapper.sh
+++ b/dist/linux/flatpak/build-aux/fusermount-wrapper.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# From: https://gitlab.gnome.org/GNOME/gnome-builder/-/blob/main/build-aux/flatpak/fusermount-wrapper.sh
+
+if [ -z "$_FUSE_COMMFD" ]; then
+    FD_ARGS=
+else
+    FD_ARGS="--env=_FUSE_COMMFD=${_FUSE_COMMFD} --forward-fd=${_FUSE_COMMFD}"
+fi
+
+if [ -e /proc/self/fd/3 ] && [ 3 != "$_FUSE_COMMFD" ]; then
+    FD_ARGS="$FD_ARGS --forward-fd=3"
+fi
+
+exec flatpak-spawn --host --forward-fd=1 --forward-fd=2 $FD_ARGS fusermount3 "$@"
--- a/dist/linux/flatpak/org.cryptomator.Cryptomator.TEMPLATE.yaml
+++ b/dist/linux/flatpak/org.cryptomator.Cryptomator.TEMPLATE.yaml
@@ -0,0 +1,182 @@
+app-id: org.cryptomator.Cryptomator
+command: cryptomator
+runtime: org.freedesktop.Platform
+runtime-version: '25.08'
+sdk: org.freedesktop.Sdk
+separate-locales: false
+finish-args:
+  # Required for FUSE, see https://github.com/flathub/org.cryptomator.Cryptomator/pull/68#issuecomment-1935136502
+  - --device=all
+  # Set the PATH environment variable in the application, as flatpak is resetting the shell's PATH
+  - --env=PATH=/app/bin/:/usr/bin/
+  # Allow filesystem access to the user's home dir
+  # Needed to manage vaults there
+  - --filesystem=home
+  # Reading system certificates
+  - --filesystem=host-etc:ro
+  # Allow access to the XDG data directory
+  # Needed to connect to KeePassXC's UNIX domain socket
+  - --filesystem=xdg-run/org.keepassxc.KeePassXC.BrowserServer
+  - --filesystem=xdg-run/app/org.keepassxc.KeePassXC/
+  # Share IPC namespace with the host, without it the X11 shared memory extension will not work
+  - --share=ipc
+  # Allow access to the network
+  - --share=network
+  # Show windows using X11
+  - --socket=x11
+  # Needed to reveal encrypted files
+  - --talk-name=org.freedesktop.FileManager1
+  # Run any command on the host
+  # Needed to spawn fusermount on the host
+  - --talk-name=org.freedesktop.Flatpak
+  # Allow desktop notifications
+  - --talk-name=org.freedesktop.Notifications
+  # Allow access to the GNOME secret service API and to talk to the GNOME keyring daemon
+  - --talk-name=org.freedesktop.secrets
+  - --talk-name=org.gnome.keyring
+  # Allow to talk to the KDE kwallet daemon
+  - --talk-name=org.kde.kwalletd5
+  - --talk-name=org.kde.kwalletd6
+  # Needed to talk to the gvfs daemons over D-Bus and list mounts using the GIO APIs
+  - --talk-name=org.gtk.vfs.*
+  # Allow access to appindicator icons
+  - --talk-name=org.ayatana
+  # Allow access to appindicator icons on KDE
+  - --talk-name=org.kde.StatusNotifierWatcher
+cleanup:
+  - /include
+  - /lib/pkgconfig
+modules:
+  - shared-modules/libayatana-appindicator/libayatana-appindicator-gtk3.json
+  - name: libfuse
+    buildsystem: meson
+    config-opts:
+      - -Dexamples=false
+      - -Dinitscriptdir=
+      - -Duseroot=false
+      - -Dtests=false
+      # don't install rules on the host
+      - -Dudevrulesdir=/tmp/
+    sources:
+      - type: archive
+        url: https://github.com/libfuse/libfuse/releases/download/fuse-3.16.2/fuse-3.16.2.tar.gz
+        sha256: f797055d9296b275e981f5f62d4e32e089614fc253d1ef2985851025b8a0ce87
+        x-checker-data:
+          type: anitya
+          project-id: 861
+          url-template: https://github.com/libfuse/libfuse/releases/download/fuse-$version/fuse-$version.tar.gz
+          versions: {<: '3.17.0'}
+  - name: host-command-wrapper
+    buildsystem: simple
+    build-commands:
+      - install fusermount-wrapper.sh /app/bin/fusermount3
+    sources:
+      - type: file
+        path: build-aux/fusermount-wrapper.sh
+  - name: cryptomator
+    buildsystem: simple
+    build-options:
+      build-args:
+        - --share=network
+      env:
+        PATH: /app/bin:/usr/bin
+        MAVEN_OPTS: -Dmaven.repo.local=.m2/repository
+        JAVA_HOME: jdk
+        JMODS_PATH: jmods
+        VERSION: $FLATPAK_VERSION
+        REVISION_NO: '$FLATPAK_REVISION'
+    build-commands:
+      # Setup Java
+      - tar xvfz jdk.tar.gz --transform 's!^[^/]*!jdk!'
+      - mkdir jmods
+      - unzip -j openjfx.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods
+      # Setup Maven
+      - mkdir maven
+      - tar xf maven.tar.gz --strip-components=1 --exclude=jansi-native --directory=maven
+      # Build project
+      - maven/bin/mvn clean package -DskipTests -P"linux-$(uname -m)"
+      - cp target/cryptomator-*.jar target/mods
+      - cd target
+      - $JAVA_HOME/bin/jlink
+        --output runtime
+        --module-path $JMODS_PATH
+        --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.ec,jdk.crypto.cryptoki,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler
+        --no-header-files
+        --no-man-pages
+        --strip-debug
+        --compress=zip-0
+      - $JAVA_HOME/bin/jpackage
+        --type app-image
+        --runtime-image runtime
+        --input target/libs
+        --module-path target/mods
+        --module org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator
+        --dest .
+        --name Cryptomator
+        --vendor 'Skymatic GmbH'
+        --copyright '(C) 2016 - 2026 Skymatic GmbH'
+        --java-options '--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator'
+        --java-options "--sun-misc-unsafe-memory-access=allow"
+        --java-options '-Xss5m'
+        --java-options '-Xmx256m'
+        --java-options '-Dfile.encoding='utf-8''
+        --java-options '-Djava.net.useSystemProxies=true'
+        --java-options "-Dcryptomator.appVersion='${VERSION}'"
+        --java-options "-Dcryptomator.buildNumber='flatpak-${REVISION_NO}'"
+        --java-options '-Dcryptomator.ipcSocketPath='@{userhome}/.config/Cryptomator/ipc.socket''
+        --java-options '-Dcryptomator.adminConfigPath='/run/host/etc/cryptomator/config.properties''
+        --java-options '-Dcryptomator.logDir='@{userhome}/.local/share/Cryptomator/logs''
+        --java-options '-Dcryptomator.mountPointsDir='@{userhome}/.local/share/Cryptomator/mnt''
+        --java-options '-Dcryptomator.pluginDir='@{userhome}/.local/share/Cryptomator/plugins''
+        --java-options '-Dcryptomator.p12Path='@{userhome}/.config/Cryptomator/key.p12''
+        --java-options '-Dcryptomator.settingsPath='@{userhome}/.config/Cryptomator/settings.json:~/.Cryptomator/settings.json''
+        --java-options '-Dcryptomator.showTrayIcon=true'
+        --java-options '-Dcryptomator.updateMechanism=org.cryptomator.linux.update.FlatpakUpdater'
+        --java-options '-Dcryptomator.networking.truststore.p12Path='/run/host/etc/cryptomator/certs.p12''
+        --java-options '-Dcryptomator.hub.enableTrustOnFirstUse=true'
+        --app-version "${VERSION}.${REVISION_NO}"
+        --verbose
+      - cp -R Cryptomator /app/
+      - ln -s /app/Cryptomator/bin/Cryptomator /app/bin/cryptomator
+      - cp -R /app/lib/* /app/Cryptomator/lib/app/
+      - install -D -m0644 -t /app/share/applications/ dist/linux/common/org.cryptomator.Cryptomator.desktop
+      - install -D -m0644 -t /app/share/icons/hicolor/scalable/apps/ dist/linux/common/org.cryptomator.Cryptomator.svg
+      - install -D -m0644 -T dist/linux/common/org.cryptomator.Cryptomator.tray.svg /app/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-symbolic.svg
+      - install -D -m0644 -T dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg /app/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-unlocked-symbolic.svg
+      - install -D -m0644 -t /app/share/metainfo/ dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
+    sources:
+      - $CRYPTOMATOR_SOURCE
+      - type: file
+        dest-filename: jdk.tar.gz
+        only-arches:
+          - x86_64
+        url: https://github.com/adoptium/temurin25-binaries/releases/download/jdk-25.0.2%2B10/OpenJDK25U-jdk_x64_linux_hotspot_25.0.2_10.tar.gz
+        sha512: 29043fde119a031c2ca8d57aed445fedd9e7f74608fcdc7a809076ba84cfd1c31f08de2ecccf352e159fdcd1cae172395ed46363007552ff242057826c81ab3a
+      - type: file
+        dest-filename: jdk.tar.gz
+        only-arches:
+          - aarch64
+        url: https://github.com/adoptium/temurin25-binaries/releases/download/jdk-25.0.2%2B10/OpenJDK25U-jdk_aarch64_linux_hotspot_25.0.2_10.tar.gz
+        sha512: f1d3ccec3e1f1bed9d632f14b9223709d6e5c2e0d922125d068870dd3016492a2ca8f08924d4a9d0dc5eb2159fa09efee366a748fd0093475baf29e5c70c781a
+      - type: file
+        dest-filename: openjfx.zip
+        only-arches:
+          - x86_64
+        url: https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-x64_bin-jmods.zip
+        sha512: 21f550217101c513f9eb1d7947eba30cb79618238e6539ce770e54e84b01574cdaeba40af602391145f163dd8e43e3794395467413152f13ffffeff948b0ca1b
+      - type: file
+        dest-filename: openjfx.zip
+        only-arches:
+          - aarch64
+        url: https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-aarch64_bin-jmods.zip
+        sha512: a9268409b3803e386490bf1319d0f0a14173cebe862c12254cd51b430ee0a297437d9e38d5ebeae0da8899be898b312b103330d09dcfd3e63c1e7d15f2f14311
+      - type: file
+        dest-filename: maven.tar.gz
+        url: https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.9.13/apache-maven-3.9.13-bin.tar.gz
+        sha512: d9ccd44ba2991586e359c29eb86780ae8ff4ec1b88b0b8af3af074803472690cf2017782a9c4401343c62cbcd056231db9612e1e551cbd9747c21746d732c015
+        x-checker-data:
+          type: anitya
+          project-id: 1894
+          stable-only: true
+          url-template: https://repo1.maven.org/maven2/org/apache/maven/apache-maven/$version/apache-maven-$version-bin.tar.gz
+          versions: {<: '4.0'}
--- a/dist/linux/makepkg/PKGBUILD.template
+++ b/dist/linux/makepkg/PKGBUILD.template
@@ -0,0 +1,119 @@
+# Maintainer: Aaron Graves <linux@ajgraves.com>
+# Contributor: Julian Raufelder <arch@raufelder.com>
+# Contributor: Morten Linderud <morten@linderud.pw>
+# Contributor: Sebastian Stenzel <sebastian.stenzel@gmail.com>
+# Contributor: Armin Schrenk <armin.schrenk@skymatic.de>
+
+pkgname=cryptomator
+pkgver=$PKG_VERSION
+pkgrel=$PKG_RELEASE
+pkgdesc="Multiplatform transparent client-side encryption of your files in the cloud."
+arch=('any')
+url="https://cryptomator.org/"
+license=('GPL3')
+depends=('fuse3' 'alsa-lib' 'hicolor-icon-theme' 'libxtst' 'libnet' 'libxrender')
+makedepends=('maven' 'unzip')
+optdepends=('keepassxc-cryptomator: Use KeePassXC to store vault passwords' 'ttf-hanazono: Install this font when using Japanese system language')
+_jdkver=25.0.2+10
+_jfxver=25.0.2
+_src_app_dir=cryptomator-${pkgver//_/-}
+source=($SOURCES);
+source_x86_64=("jdk-${_jdkver}.tar.gz::https://github.com/adoptium/temurin${_jdkver:0:2}-binaries/releases/download/jdk-${_jdkver//\+/%2B}/OpenJDK${_jdkver:0:2}U-jdk_x64_linux_hotspot_${_jdkver//\+/_}.tar.gz"
+               "openjfx-${_jfxver}.zip::https://download2.gluonhq.com/openjfx/${_jfxver}/openjfx-${_jfxver}_linux-x64_bin-jmods.zip")
+source_aarch64=("jdk-${_jdkver}.tar.gz::https://github.com/adoptium/temurin${_jdkver:0:2}-binaries/releases/download/jdk-${_jdkver//\+/%2B}/OpenJDK${_jdkver:0:2}U-jdk_aarch64_linux_hotspot_${_jdkver//\+/_}.tar.gz"
+                "openjfx-${_jfxver}.zip::https://download2.gluonhq.com/openjfx/${_jfxver}/openjfx-${_jfxver}_linux-aarch64_bin-jmods.zip")
+noextract=("jdk-${_jdkver}.tar.gz" "openjfx-${_jfxver}.zip")
+sha256sums=($SOURCES_SHA)
+sha256sums_x86_64=('987387933b64b9833846dee373b640440d3e1fd48a04804ec01a6dbf718e8ab8'
+                   'e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b')
+sha256sums_aarch64=('a9d73e711d967dc44896d4f430f73a68fd33590dabc29a7f2fb9f593425b854c'
+                    'c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646')
+options=('!strip')
+
+validpgpkeys=('58117AFA1F85B3EEC154677D615D449FE6E6A235')
+
+build() {
+  export JAVA_HOME="${srcdir}/jdk-${_jdkver}"
+  JMODS_PATH="${srcdir}/openjfx-${_jfxver}-jmods"
+  #JEP 493
+  if ! $(${JAVA_HOME}/bin/jlink --help | grep -q "Linking from run-time image enabled"); then
+      JMODS_PATH="${JMODS_PATH}:${JAVA_HOME}/jmods:"
+  fi
+
+  tar xfz "jdk-${_jdkver}.tar.gz"
+
+  mkdir "openjfx-${_jfxver}-jmods"
+  unzip -j "openjfx-${_jfxver}.zip" \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d "openjfx-${_jfxver}-jmods"
+
+  cd "${srcdir}/${_src_app_dir}"
+
+  mvn -B clean package -DskipTests -Plinux
+
+  cp LICENSE.txt target
+  cp target/cryptomator-*.jar target/mods
+
+  cd target
+
+  "$JAVA_HOME/bin/jlink" \
+    --output runtime \
+    --module-path "$JMODS_PATH" \
+    --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.ec,jdk.crypto.cryptoki,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler \
+    --strip-native-commands \
+    --no-header-files \
+    --no-man-pages \
+    --strip-debug \
+    --compress=zip-0
+
+  ##Note: jpackage does not allow -beta suffixes, have to strip those
+  "$JAVA_HOME/bin/jpackage" \
+    --type app-image \
+    --runtime-image runtime \
+    --input libs \
+    --module-path mods \
+    --module org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator \
+    --dest . \
+    --name cryptomator \
+    --vendor "Skymatic GmbH" \
+    --copyright "(C) 2016 - 2026 Skymatic GmbH" \
+    --java-options "--enable-preview" \
+    --java-options '--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator' \
+    --java-options "-Xss5m" \
+    --java-options "-Xmx256m" \
+    --java-options "-Dfile.encoding=\"utf-8\"" \
+    --java-options "-Djava.net.useSystemProxies=true" \
+    --java-options "-Dcryptomator.adminConfigPath=\"/etc/cryptomator/config.properties\"" \
+    --java-options "-Dcryptomator.appVersion=\"${pkgver//_/-}\"" \
+    --java-options "-Dcryptomator.buildNumber=\"aur-${pkgrel}\"" \
+    --java-options "-Dcryptomator.disableUpdateCheck=true" \
+    --java-options "-Dcryptomator.integrationsLinux.autoStartCmd=\"cryptomator\"" \
+    --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/.config/Cryptomator/ipc.socket\"" \
+    --java-options "-Dcryptomator.logDir=\"@{userhome}/.local/share/Cryptomator/logs\"" \
+    --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/.local/share/Cryptomator/mnt\"" \
+    --java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\"" \
+    --java-options "-Dcryptomator.pluginDir=\"@{userhome}/.local/share/Cryptomator/plugins\"" \
+    --java-options "-Dcryptomator.p12Path=\"@{userhome}/.config/Cryptomator/key.p12\"" \
+    --java-options "-Dcryptomator.settingsPath=\"@{userhome}/.config/Cryptomator/settings.json:~/.Cryptomator/settings.json\"" \
+    --java-options "-Dcryptomator.showTrayIcon=true" \
+    --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
+    --app-version "${pkgver//_*/}" \
+    --verbose
+}
+
+package() {
+  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/application-vnd.cryptomator.vault.xml" "${pkgdir}/usr/share/mime/packages/cryptomator-vault.xml"
+  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.desktop" "${pkgdir}/usr/share/applications/org.cryptomator.Cryptomator.desktop"
+  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator256.png" "${pkgdir}/usr/share/icons/hicolor/256x256/apps/org.cryptomator.Cryptomator.png"
+  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator512.png" "${pkgdir}/usr/share/icons/hicolor/512x512/apps/org.cryptomator.Cryptomator.png"
+  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.svg" "${pkgdir}/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg"
+  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray.svg" "${pkgdir}/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.tray.svg"
+  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg" "${pkgdir}/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.tray-unlocked.svg"
+  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray.svg" "${pkgdir}/usr/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-symbolic.svg"
+  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg" "${pkgdir}/usr/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-unlocked-symbolic.svg"
+
+  mkdir -p "${pkgdir}/opt/cryptomator/"
+  cp -R "${srcdir}/${_src_app_dir}/target/cryptomator" "${pkgdir}/opt/"
+  install -Dm644 "${srcdir}/${_src_app_dir}/target/LICENSE.txt" -t "${pkgdir}/usr/share/licenses/${pkgname}"
+
+  mkdir -p "${pkgdir}/usr/bin"
+  ln -s "/opt/cryptomator/bin/cryptomator" "${pkgdir}/usr/bin/cryptomator"
+}
--- a/dist/mac/.gitignore
+++ b/dist/mac/.gitignore
@@ -1,2 +1 @@
 embedded.provisionprofile
-xcuserdata/
--- a/dist/mac/DockTilePlugin/CryptomatorDockTilePlugin.swift
+++ b/dist/mac/DockTilePlugin/CryptomatorDockTilePlugin.swift
@@ -1,19 +0,0 @@
-//
-//  CryptomatorDockTilePlugin.swift
-//  Integrations
-//
-//  Created by Tobias Hagemann on 22.09.25.
-//  Copyright © 2025 Cryptomator. All rights reserved.
-//
-
-import AppKit
-
-class CryptomatorDockTilePlugin: NSObject, NSDockTilePlugIn {
-	func setDockTile(_ dockTile: NSDockTile?) {
-		guard let dockTile = dockTile, let image = Bundle(for: Self.self).image(forResource: "Cryptomator") else {
-			return
-		}
-		dockTile.contentView = NSImageView(image: image)
-		dockTile.display()
-	}
-}
--- a/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/project.pbxproj
+++ b/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/project.pbxproj
@@ -1,314 +0,0 @@
-// !$*UTF8*$!
-{
-	archiveVersion = 1;
-	classes = {
-	};
-	objectVersion = 77;
-	objects = {
-
-/* Begin PBXBuildFile section */
-		74E08DE12E8584DE007E665C /* CryptomatorDockTilePlugin.swift in Sources */ = {isa = PBXBuildFile; fileRef = 74E08DE02E85847E007E665C /* CryptomatorDockTilePlugin.swift */; };
-		74E08DED2E858532007E665C /* Cryptomator.icns in Resources */ = {isa = PBXBuildFile; fileRef = 74E08DEC2E858532007E665C /* Cryptomator.icns */; };
-/* End PBXBuildFile section */
-
-/* Begin PBXFileReference section */
-		74E08DD92E858467007E665C /* Cryptomator.docktileplugin */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = Cryptomator.docktileplugin; sourceTree = BUILT_PRODUCTS_DIR; };
-		74E08DE02E85847E007E665C /* CryptomatorDockTilePlugin.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CryptomatorDockTilePlugin.swift; sourceTree = "<group>"; };
-		74E08DEC2E858532007E665C /* Cryptomator.icns */ = {isa = PBXFileReference; lastKnownFileType = image.icns; name = Cryptomator.icns; path = ../resources/Cryptomator.icns; sourceTree = SOURCE_ROOT; };
-/* End PBXFileReference section */
-
-/* Begin PBXFrameworksBuildPhase section */
-		74E08DD62E858467007E665C /* Frameworks */ = {
-			isa = PBXFrameworksBuildPhase;
-			buildActionMask = 2147483647;
-			files = (
-			);
-			runOnlyForDeploymentPostprocessing = 0;
-		};
-/* End PBXFrameworksBuildPhase section */
-
-/* Begin PBXGroup section */
-		74E08DD02E858467007E665C = {
-			isa = PBXGroup;
-			children = (
-				74E08DE02E85847E007E665C /* CryptomatorDockTilePlugin.swift */,
-				74E08DEC2E858532007E665C /* Cryptomator.icns */,
-				74E08DDA2E858467007E665C /* Products */,
-			);
-			sourceTree = "<group>";
-		};
-		74E08DDA2E858467007E665C /* Products */ = {
-			isa = PBXGroup;
-			children = (
-				74E08DD92E858467007E665C /* Cryptomator.docktileplugin */,
-			);
-			name = Products;
-			sourceTree = "<group>";
-		};
-/* End PBXGroup section */
-
-/* Begin PBXNativeTarget section */
-		74E08DD82E858467007E665C /* DockTilePlugin */ = {
-			isa = PBXNativeTarget;
-			buildConfigurationList = 74E08DDD2E858467007E665C /* Build configuration list for PBXNativeTarget "DockTilePlugin" */;
-			buildPhases = (
-				74E08DD52E858467007E665C /* Sources */,
-				74E08DD62E858467007E665C /* Frameworks */,
-				74E08DD72E858467007E665C /* Resources */,
-			);
-			buildRules = (
-			);
-			dependencies = (
-			);
-			name = DockTilePlugin;
-			packageProductDependencies = (
-			);
-			productName = DockTilePlugin;
-			productReference = 74E08DD92E858467007E665C /* Cryptomator.docktileplugin */;
-			productType = "com.apple.product-type.bundle";
-		};
-/* End PBXNativeTarget section */
-
-/* Begin PBXProject section */
-		74E08DD12E858467007E665C /* Project object */ = {
-			isa = PBXProject;
-			attributes = {
-				BuildIndependentTargetsInParallel = 1;
-				LastUpgradeCheck = 2600;
-				ORGANIZATIONNAME = Cryptomator;
-				TargetAttributes = {
-					74E08DD82E858467007E665C = {
-						CreatedOnToolsVersion = 26.0.1;
-					};
-				};
-			};
-			buildConfigurationList = 74E08DD42E858467007E665C /* Build configuration list for PBXProject "DockTilePlugin" */;
-			developmentRegion = en;
-			hasScannedForEncodings = 0;
-			knownRegions = (
-				en,
-				Base,
-			);
-			mainGroup = 74E08DD02E858467007E665C;
-			minimizedProjectReferenceProxies = 1;
-			preferredProjectObjectVersion = 77;
-			productRefGroup = 74E08DDA2E858467007E665C /* Products */;
-			projectDirPath = "";
-			projectRoot = "";
-			targets = (
-				74E08DD82E858467007E665C /* DockTilePlugin */,
-			);
-		};
-/* End PBXProject section */
-
-/* Begin PBXResourcesBuildPhase section */
-		74E08DD72E858467007E665C /* Resources */ = {
-			isa = PBXResourcesBuildPhase;
-			buildActionMask = 2147483647;
-			files = (
-				74E08DED2E858532007E665C /* Cryptomator.icns in Resources */,
-			);
-			runOnlyForDeploymentPostprocessing = 0;
-		};
-/* End PBXResourcesBuildPhase section */
-
-/* Begin PBXSourcesBuildPhase section */
-		74E08DD52E858467007E665C /* Sources */ = {
-			isa = PBXSourcesBuildPhase;
-			buildActionMask = 2147483647;
-			files = (
-				74E08DE12E8584DE007E665C /* CryptomatorDockTilePlugin.swift in Sources */,
-			);
-			runOnlyForDeploymentPostprocessing = 0;
-		};
-/* End PBXSourcesBuildPhase section */
-
-/* Begin XCBuildConfiguration section */
-		74E08DDB2E858467007E665C /* Debug */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				ALWAYS_SEARCH_USER_PATHS = NO;
-				ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES;
-				CLANG_ANALYZER_NONNULL = YES;
-				CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
-				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
-				CLANG_ENABLE_MODULES = YES;
-				CLANG_ENABLE_OBJC_ARC = YES;
-				CLANG_ENABLE_OBJC_WEAK = YES;
-				CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
-				CLANG_WARN_BOOL_CONVERSION = YES;
-				CLANG_WARN_COMMA = YES;
-				CLANG_WARN_CONSTANT_CONVERSION = YES;
-				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
-				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
-				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
-				CLANG_WARN_EMPTY_BODY = YES;
-				CLANG_WARN_ENUM_CONVERSION = YES;
-				CLANG_WARN_INFINITE_RECURSION = YES;
-				CLANG_WARN_INT_CONVERSION = YES;
-				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
-				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
-				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
-				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
-				CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
-				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
-				CLANG_WARN_STRICT_PROTOTYPES = YES;
-				CLANG_WARN_SUSPICIOUS_MOVE = YES;
-				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
-				CLANG_WARN_UNREACHABLE_CODE = YES;
-				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				COPY_PHASE_STRIP = NO;
-				DEBUG_INFORMATION_FORMAT = dwarf;
-				DEVELOPMENT_TEAM = YZQJQUHA3L;
-				ENABLE_STRICT_OBJC_MSGSEND = YES;
-				ENABLE_TESTABILITY = YES;
-				ENABLE_USER_SCRIPT_SANDBOXING = YES;
-				GCC_C_LANGUAGE_STANDARD = gnu17;
-				GCC_DYNAMIC_NO_PIC = NO;
-				GCC_NO_COMMON_BLOCKS = YES;
-				GCC_OPTIMIZATION_LEVEL = 0;
-				GCC_PREPROCESSOR_DEFINITIONS = (
-					"DEBUG=1",
-					"$(inherited)",
-				);
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
-				GCC_WARN_UNDECLARED_SELECTOR = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
-				GCC_WARN_UNUSED_FUNCTION = YES;
-				GCC_WARN_UNUSED_VARIABLE = YES;
-				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
-				MACOSX_DEPLOYMENT_TARGET = 11.5;
-				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
-				MTL_FAST_MATH = YES;
-				ONLY_ACTIVE_ARCH = YES;
-				SDKROOT = macosx;
-				SWIFT_VERSION = 5.0;
-			};
-			name = Debug;
-		};
-		74E08DDC2E858467007E665C /* Release */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				ALWAYS_SEARCH_USER_PATHS = NO;
-				ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES;
-				CLANG_ANALYZER_NONNULL = YES;
-				CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
-				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
-				CLANG_ENABLE_MODULES = YES;
-				CLANG_ENABLE_OBJC_ARC = YES;
-				CLANG_ENABLE_OBJC_WEAK = YES;
-				CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
-				CLANG_WARN_BOOL_CONVERSION = YES;
-				CLANG_WARN_COMMA = YES;
-				CLANG_WARN_CONSTANT_CONVERSION = YES;
-				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
-				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
-				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
-				CLANG_WARN_EMPTY_BODY = YES;
-				CLANG_WARN_ENUM_CONVERSION = YES;
-				CLANG_WARN_INFINITE_RECURSION = YES;
-				CLANG_WARN_INT_CONVERSION = YES;
-				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
-				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
-				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
-				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
-				CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
-				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
-				CLANG_WARN_STRICT_PROTOTYPES = YES;
-				CLANG_WARN_SUSPICIOUS_MOVE = YES;
-				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
-				CLANG_WARN_UNREACHABLE_CODE = YES;
-				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
-				COPY_PHASE_STRIP = NO;
-				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
-				DEVELOPMENT_TEAM = YZQJQUHA3L;
-				ENABLE_NS_ASSERTIONS = NO;
-				ENABLE_STRICT_OBJC_MSGSEND = YES;
-				ENABLE_USER_SCRIPT_SANDBOXING = YES;
-				GCC_C_LANGUAGE_STANDARD = gnu17;
-				GCC_NO_COMMON_BLOCKS = YES;
-				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
-				GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
-				GCC_WARN_UNDECLARED_SELECTOR = YES;
-				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
-				GCC_WARN_UNUSED_FUNCTION = YES;
-				GCC_WARN_UNUSED_VARIABLE = YES;
-				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
-				MACOSX_DEPLOYMENT_TARGET = 11.5;
-				MTL_ENABLE_DEBUG_INFO = NO;
-				MTL_FAST_MATH = YES;
-				SDKROOT = macosx;
-				SWIFT_VERSION = 5.0;
-			};
-			name = Release;
-		};
-		74E08DDE2E858467007E665C /* Debug */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				CODE_SIGN_STYLE = Manual;
-				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 1;
-				DEVELOPMENT_TEAM = "";
-				GENERATE_INFOPLIST_FILE = YES;
-				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Cryptomator. All rights reserved.";
-				INFOPLIST_KEY_NSPrincipalClass = CryptomatorDockTilePlugin;
-				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Bundles";
-				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = org.cryptomator.DockTilePlugin;
-				PRODUCT_NAME = Cryptomator;
-				PROVISIONING_PROFILE_SPECIFIER = "";
-				SKIP_INSTALL = YES;
-				STRING_CATALOG_GENERATE_SYMBOLS = YES;
-				SWIFT_EMIT_LOC_STRINGS = YES;
-				WRAPPER_EXTENSION = docktileplugin;
-			};
-			name = Debug;
-		};
-		74E08DDF2E858467007E665C /* Release */ = {
-			isa = XCBuildConfiguration;
-			buildSettings = {
-				CODE_SIGN_STYLE = Manual;
-				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 1;
-				DEVELOPMENT_TEAM = "";
-				GENERATE_INFOPLIST_FILE = YES;
-				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Cryptomator. All rights reserved.";
-				INFOPLIST_KEY_NSPrincipalClass = CryptomatorDockTilePlugin;
-				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Bundles";
-				MARKETING_VERSION = 1.0;
-				PRODUCT_BUNDLE_IDENTIFIER = org.cryptomator.DockTilePlugin;
-				PRODUCT_NAME = Cryptomator;
-				PROVISIONING_PROFILE_SPECIFIER = "";
-				SKIP_INSTALL = YES;
-				STRING_CATALOG_GENERATE_SYMBOLS = YES;
-				SWIFT_EMIT_LOC_STRINGS = YES;
-				WRAPPER_EXTENSION = docktileplugin;
-			};
-			name = Release;
-		};
-/* End XCBuildConfiguration section */
-
-/* Begin XCConfigurationList section */
-		74E08DD42E858467007E665C /* Build configuration list for PBXProject "DockTilePlugin" */ = {
-			isa = XCConfigurationList;
-			buildConfigurations = (
-				74E08DDB2E858467007E665C /* Debug */,
-				74E08DDC2E858467007E665C /* Release */,
-			);
-			defaultConfigurationIsVisible = 0;
-			defaultConfigurationName = Release;
-		};
-		74E08DDD2E858467007E665C /* Build configuration list for PBXNativeTarget "DockTilePlugin" */ = {
-			isa = XCConfigurationList;
-			buildConfigurations = (
-				74E08DDE2E858467007E665C /* Debug */,
-				74E08DDF2E858467007E665C /* Release */,
-			);
-			defaultConfigurationIsVisible = 0;
-			defaultConfigurationName = Release;
-		};
-/* End XCConfigurationList section */
-	};
-	rootObject = 74E08DD12E858467007E665C /* Project object */;
-}
--- a/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/project.xcworkspace/contents.xcworkspacedata
+++ b/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/project.xcworkspace/contents.xcworkspacedata
@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Workspace
-   version = "1.0">
-   <FileRef
-      location = "self:">
-   </FileRef>
-</Workspace>
--- a/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/xcshareddata/xcschemes/DockTilePlugin.xcscheme
+++ b/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/xcshareddata/xcschemes/DockTilePlugin.xcscheme
@@ -1,67 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<Scheme
-   LastUpgradeVersion = "2600"
-   version = "1.7">
-   <BuildAction
-      parallelizeBuildables = "YES"
-      buildImplicitDependencies = "YES"
-      buildArchitectures = "Automatic">
-      <BuildActionEntries>
-         <BuildActionEntry
-            buildForTesting = "YES"
-            buildForRunning = "YES"
-            buildForProfiling = "YES"
-            buildForArchiving = "YES"
-            buildForAnalyzing = "YES">
-            <BuildableReference
-               BuildableIdentifier = "primary"
-               BlueprintIdentifier = "74E08DD82E858467007E665C"
-               BuildableName = "Cryptomator.docktileplugin"
-               BlueprintName = "DockTilePlugin"
-               ReferencedContainer = "container:DockTilePlugin.xcodeproj">
-            </BuildableReference>
-         </BuildActionEntry>
-      </BuildActionEntries>
-   </BuildAction>
-   <TestAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      shouldAutocreateTestPlan = "YES">
-   </TestAction>
-   <LaunchAction
-      buildConfiguration = "Debug"
-      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
-      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
-      launchStyle = "0"
-      useCustomWorkingDirectory = "NO"
-      ignoresPersistentStateOnLaunch = "NO"
-      debugDocumentVersioning = "YES"
-      debugServiceExtension = "internal"
-      allowLocationSimulation = "YES">
-   </LaunchAction>
-   <ProfileAction
-      buildConfiguration = "Release"
-      shouldUseLaunchSchemeArgsEnv = "YES"
-      savedToolIdentifier = ""
-      useCustomWorkingDirectory = "NO"
-      debugDocumentVersioning = "YES">
-      <MacroExpansion>
-         <BuildableReference
-            BuildableIdentifier = "primary"
-            BlueprintIdentifier = "74E08DD82E858467007E665C"
-            BuildableName = "Cryptomator.docktileplugin"
-            BlueprintName = "DockTilePlugin"
-            ReferencedContainer = "container:DockTilePlugin.xcodeproj">
-         </BuildableReference>
-      </MacroExpansion>
-   </ProfileAction>
-   <AnalyzeAction
-      buildConfiguration = "Debug">
-   </AnalyzeAction>
-   <ArchiveAction
-      buildConfiguration = "Release"
-      revealArchiveInOrganizer = "YES">
-   </ArchiveAction>
-</Scheme>
--- a/dist/mac/dmg/build.sh
+++ b/dist/mac/dmg/build.sh
@@ -24,7 +24,7 @@ rm -rf runtime dmg *.app *.dmg
 # set variables
 APP_NAME="Cryptomator"
 VENDOR="Skymatic GmbH"
-COPYRIGHT_YEARS="2016 - 2025"
+COPYRIGHT_YEARS="2016 - 2026"
 PACKAGE_IDENTIFIER="org.cryptomator"
 MAIN_JAR_GLOB="cryptomator-*.jar"
 MODULE_AND_MAIN_CLASS="org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator"
@@ -32,15 +32,15 @@ REVISION_NO=`git rev-list --count HEAD`
 VERSION_NO=`mvn -f../../../pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout | sed -rn 's/.*([0-9]+\.[0-9]+\.[0-9]+).*/\1/p'`
 FUSE_LIB="FUSE-T"

-JAVAFX_VERSION=25
+JAVAFX_VERSION=25.0.2
 JAVAFX_ARCH="undefined"
 JAVAFX_JMODS_SHA256="undefined"
 if [ "$(machine)" = "arm64e" ]; then
    JAVAFX_ARCH="aarch64"
-    JAVAFX_JMODS_SHA256="13f8c0513c40c95881479fbcf0465a29a60217393fb0656f5e4eab78a9442fba"
+    JAVAFX_JMODS_SHA256="4cd258001c75af7047005c5c891e2400ed11d24fbb09412324c0cbaf8b503c5a"
 else
    JAVAFX_ARCH="x64"
-    JAVAFX_JMODS_SHA256="0eba73fb28a24c845175d16fa2f8c081c936ce6de1be9b79eb6119fa32e53d52"
+    JAVAFX_JMODS_SHA256="0b4d8463f03901b7425d94628e4116b7078abb8dd540fbec415266fac20bda5c"
 fi
 JAVAFX_JMODS_URL="https://download2.gluonhq.com/openjfx/${JAVAFX_VERSION}/openjfx-${JAVAFX_VERSION}_osx-${JAVAFX_ARCH}_bin-jmods.zip"

@@ -125,28 +125,17 @@ ${JAVA_HOME}/bin/jpackage \
    --java-options "-Dcryptomator.showTrayIcon=true" \
    --java-options "-Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism" \
    --java-options "-Dcryptomator.buildNumber=\"dmg-${REVISION_NO}\"" \
+    --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
    --mac-package-identifier ${PACKAGE_IDENTIFIER} \
    --resource-dir ../resources

 # transform app dir
 cp ../resources/${APP_NAME}-Vault.icns ${APP_NAME}.app/Contents/Resources/
+cp ../resources/Assets.car ${APP_NAME}.app/Contents/Resources/
 sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" ${APP_NAME}.app/Contents/Info.plist
 sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" ${APP_NAME}.app/Contents/Info.plist
 cp ../embedded.provisionprofile ${APP_NAME}.app/Contents/

-# build and install dock tile plugin
-echo "Building and installing Cryptomator.docktileplugin..."
-DERIVED_DATA_PATH=../DockTilePlugin/build
-xcodebuild -project ../DockTilePlugin/DockTilePlugin.xcodeproj \
-           -scheme DockTilePlugin \
-           -configuration Release \
-           -derivedDataPath ${DERIVED_DATA_PATH} \
-           -quiet \
-           clean build
-mkdir -p ${APP_NAME}.app/Contents/PlugIns
-cp -R ${DERIVED_DATA_PATH}/Build/Products/Release/Cryptomator.docktileplugin ${APP_NAME}.app/Contents/PlugIns/
-rm -rf ${DERIVED_DATA_PATH}
-
 # generate license
 mvn -B -f../../../pom.xml license:add-third-party \
    -Dlicense.thirdPartyFilename=license.rtf \
--- a/dist/mac/resources/Assets.car
+++ b/dist/mac/resources/Assets.car
--- a/dist/mac/resources/Info.plist
+++ b/dist/mac/resources/Info.plist
@@ -12,6 +12,8 @@
  <string>Cryptomator</string>
  <key>CFBundleIconFile</key>
  <string>Cryptomator.icns</string>
+  <key>CFBundleIconName</key>
+  <string>Cryptomator</string>
  <key>CFBundleIdentifier</key>
  <string>org.cryptomator</string>
  <key>CFBundleInfoDictionaryVersion</key>
@@ -117,8 +119,5 @@
  <!-- allow utilization of integrated GPU, see https://developer.apple.com/library/mac/qa/qa1734/_index.html -->
  <key>NSSupportsAutomaticGraphicsSwitching</key>
  <true/>
-  <!-- register dock tile plugin -->
-  <key>NSDockTilePlugIn</key>
-  <string>Cryptomator.docktileplugin</string>
 </dict>
 </plist>
--- a/dist/win/build.ps1
+++ b/dist/win/build.ps1
@@ -34,20 +34,20 @@ if ((Get-Command "mvn" -ErrorAction SilentlyContinue) -eq $null)
 }
 if ((Get-Command 'wix' -ErrorAction SilentlyContinue) -eq $null)
 {
-   Write-Error 'Unable to find wix in your PATH (try: dotnet tool install --global wix --version 6.0.0)'
+   Write-Error 'Unable to find wix in your PATH (try: dotnet tool install --global wix --version 6.0.2)'
   exit 1
 }
 $wixExtensions = & wix.exe extension list --global | Out-String
 if ($wixExtensions -notmatch 'WixToolset.UI.wixext') {
-    Write-Error 'Wix UI extension missing. Please install it with: wix.exe extension add WixToolset.UI.wixext/6.0.0 --global)'
+    Write-Error 'Wix UI extension missing. Please install it with: wix.exe extension add WixToolset.UI.wixext/6.0.2 --global)'
    exit 1
 }
 if ($wixExtensions -notmatch 'WixToolset.Util.wixext') {
-    Write-Error 'Wix Util extension missing. Please install it with: wix.exe extension add WixToolset.Util.wixext/6.0.0 --global)'
+    Write-Error 'Wix Util extension missing. Please install it with: wix.exe extension add WixToolset.Util.wixext/6.0.2 --global)'
    exit 1
 }
 if ($wixExtensions -notmatch 'WixToolset.BootstrapperApplications.wixext') {
-    Write-Error 'Wix Bootstrapper extension missing. Please install it with: wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.0 --global)'
+    Write-Error 'Wix Bootstrapper extension missing. Please install it with: wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.2 --global)'
    exit 1
 }

@@ -93,9 +93,9 @@ switch ($archName) {
        $jmodPaths = "$Env:JAVA_HOME/jmods"
    }
    'x64' {
-		$javaFxVersion='25'
+		$javaFxVersion='25.0.2'
 		$javaFxJmodsUrl = "https://download2.gluonhq.com/openjfx/${javaFxVersion}/openjfx-${javaFxVersion}_windows-x64_bin-jmods.zip"
-		$javaFxJmodsSHA256 = 'c8eb9fd039b00e0020cf6c3db8ed7876bf3ee4d27860aa697a247b83b8296ae7'
+		$javaFxJmodsSHA256 = '33d878dfac85590c4d77c518ed413e512d34a8479d90132b230a7ddd173576b3'
 		$javaFxJmods = '.\resources\jfxJmods.zip'

 		if( !(Test-Path -Path $javaFxJmods) ) {
@@ -167,6 +167,7 @@ $javaOptions = @(
 "--java-options", "-Dcryptomator.showTrayIcon=true"
 "--java-options", "-Dcryptomator.buildNumber=`"msi-$revisionNo`""
 "--java-options", "-Dcryptomator.disableUpdateCheck=false"
+"--java-options", "-Dcryptomator.hub.enableTrustOnFirstUse=true"
 )


--- a/dist/win/contrib/patchWebDAV.bat
+++ b/dist/win/contrib/patchWebDAV.bat
@@ -4,15 +4,18 @@
 :: This file must be located in the INSTALLDIR

 set "LOOPBACK_ALIAS=%1"
+set "ACTION=%2"
+if "%ACTION%"=="" set "ACTION=install"

 :: Log for debugging
 echo LOOPBACK_ALIAS=%LOOPBACK_ALIAS%
+echo ACTION=%ACTION%

 :: Change to INSTALLDIR
 cd %~dp0
 :: Execute the PowerShell script
 powershell -NoLogo -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File .\patchWebDAV.ps1^
- -LoopbackAlias %LOOPBACK_ALIAS%
+ -LoopbackAlias %LOOPBACK_ALIAS% -Action %ACTION%

 :: Return the exit code from PowerShell
 exit /b %ERRORLEVEL%
--- a/dist/win/contrib/patchWebDAV.ps1
+++ b/dist/win/contrib/patchWebDAV.ps1
@@ -1,15 +1,17 @@
 #Requires -RunAsAdministrator
 Param(
-	[Parameter(Mandatory, HelpMessage="Please provide an alias for 127.0.0.1")][string] $LoopbackAlias
+	[Parameter(Mandatory, HelpMessage="Please provide an alias for 127.0.0.1")][string] $LoopbackAlias,
+	[string] $Action = "install"
 )

+New-Variable -Name "sysdir" -Value ([Environment]::SystemDirectory) -Option Constant -Scope Global
+New-Variable -Name "hostsFile" -Value "$sysdir\drivers\etc\hosts" -Option Constant -Scope Global
+
 # Adds an alias for 127.0.0.1 to the hosts file
 function Add-AliasToHost {
    param (
        [string]$LoopbackAlias
    )
-    $sysdir = [Environment]::SystemDirectory
-    $hostsFile = "$sysdir\drivers\etc\hosts"
    $aliasLine = "127.0.0.1 $LoopbackAlias"

    foreach ($line in Get-Content $hostsFile) {
@@ -18,9 +20,26 @@ function Add-AliasToHost {
        }
    }

-    Add-Content -Path $hostsFile -Encoding ascii -Value "`r`n$aliasLine"
+    $content = Get-Content $hostsFile
+    $content += "`r`n$aliasLine"
+
+    $content | Set-Content "$hostsFile.tmp" -Encoding ascii
+    Move-Item "$hostsFile.tmp" $hostsFile -Force
 }

+# Removes an alias for 127.0.0.1 from the hosts file
+function Remove-AliasFromHost {
+    param (
+    	[string]$LoopbackAlias
+    )
+    $aliasLine = "127.0.0.1 $LoopbackAlias"
+
+    $content = Get-Content $hostsFile
+    $newContent = $content | Where-Object { $_ -ne $aliasLine }
+
+    $newContent | Set-Content "$hostsFile.tmp" -Encoding ascii
+	Move-Item "$hostsFile.tmp" $hostsFile -Force
+}

 # Sets in the registry the webclient file size limit to the maximum value
 function Set-WebDAVFileSizeLimit {
@@ -54,14 +73,20 @@ function Edit-ProviderOrder {
    New-ItemProperty -Path $RegistryPath -Name $Name -Value $UpdatedOrder -PropertyType String -Force | Out-Null
 }

+if ($Action -eq "install") {
+	Add-AliasToHost $LoopbackAlias
+    Write-Output 'Ensured alias exists in hosts file'

-Add-AliasToHost $LoopbackAlias
-Write-Output 'Ensured alias exists in hosts file'
+	Set-WebDAVFileSizeLimit
+    Write-Output 'Set WebDAV file size limit'

-Set-WebDAVFileSizeLimit
-Write-Output 'Set WebDAV file size limit'
-
-Edit-ProviderOrder
-Write-Output 'Ensured correct provider order'
+    Edit-ProviderOrder
+    Write-Output 'Ensured correct provider order'
+} elseif ($Action -eq "uninstall") {
+    Remove-AliasFromHost $LoopbackAlias
+    Write-Output 'Ensured alias removed from hosts file'
+} else {
+	Write-Error "Invalid action: $Action. Only 'install' or 'uninstall' are valid."
+}

 exit 0
--- a/dist/win/resources/main.wxs
+++ b/dist/win/resources/main.wxs
@@ -109,7 +109,7 @@
          </ns0:CreateFolder>
        </ns0:Component>
        <ns0:Component Id="AdminConfigFile" NeverOverwrite="yes" Permanent="yes">
-          <ns0:File Id="EmptyAdminConfig" Source="$(env.JP_WIXWIZARD_RESOURCES)\..\..\common\cryptomator.config" Name="cryptomator.config" KeyPath="yes">
+          <ns0:File Id="EmptyAdminConfig" Source="$(env.JP_WIXWIZARD_RESOURCES)\..\..\common\config.properties" Name="config.properties" KeyPath="yes">
            <util:PermissionEx User="SYSTEM" GenericAll="yes"/>
            <util:PermissionEx User="Administrators" GenericAll="yes"/>
            <util:PermissionEx User="Users" GenericRead="yes" GenericExecute="yes"/>
@@ -158,9 +158,13 @@
    <ns0:CustomAction Id="DisableUserConfig" BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no"/>

    <!-- WebDAV patches -->
-    <ns0:SetProperty Id="PatchWebDAV" Value="&quot;[INSTALLDIR]patchWebDAV.bat&quot; &quot;$(var.LoopbackAlias)&quot;" Sequence="execute" Before="PatchWebDAV" />
+    <ns0:SetProperty Id="PatchWebDAV" Value="&quot;[INSTALLDIR]patchWebDAV.bat&quot; &quot;$(var.LoopbackAlias)&quot; install" Sequence="execute" Before="PatchWebDAV" />
    <ns0:CustomAction Id="PatchWebDAV" BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no"/>

+    <!-- WebDAV patches (Uninstall) -->
+    <ns0:SetProperty Id="PatchWebDAVUninstall" Value="&quot;[INSTALLDIR]patchWebDAV.bat&quot; &quot;$(var.LoopbackAlias)&quot; uninstall" Sequence="execute" Before="PatchWebDAVUninstall" />
+    <ns0:CustomAction Id="PatchWebDAVUninstall" BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no"/>
+
    <!-- Update check configuration -->
    <ns0:SetProperty Id="PatchUpdateCheck" Value="&quot;[INSTALLDIR]patchUpdateCheck.bat&quot; &quot;[DISABLEUPDATECHECK]&quot;" Sequence="execute" Before="PatchUpdateCheck" />
    <ns0:CustomAction Id="PatchUpdateCheck" BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)" DllEntry="WixQuietExec64" Execute="deferred" Return="ignore" Impersonate="no"/>
@@ -214,9 +218,8 @@

      <ns0:RemoveExistingProducts After="InstallValidate"/> <!-- Moved from CostInitialize, due to Wix4CloseApplications_* -->
      <ns0:Custom Action="DisableUserConfig" After="InstallFiles" Condition="NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
-      <!-- Skip action on uninstall -->
-      <!-- TODO: don't skip action, but remove cryptomator alias from hosts file -->
      <ns0:Custom Action="PatchWebDAV" After="DisableUserConfig" Condition="NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
+      <ns0:Custom Action="PatchWebDAVUninstall" Before="RemoveFiles" Condition="Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE" />
      <!-- Configure update check setting if property is provided -->
      <ns0:Custom Action="PatchUpdateCheck" After="PatchWebDAV" Condition="DISABLEUPDATECHECK AND NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
    </ns0:InstallExecuteSequence>
@@ -228,4 +231,4 @@
    <ns0:WixVariable Id="WixUIBannerBmp" Value="$(env.JP_WIXWIZARD_RESOURCES)\banner.bmp" />
    <ns0:WixVariable Id="WixUIDialogBmp" Value="$(env.JP_WIXWIZARD_RESOURCES)\background.bmp" />
  </ns0:Package>
-</ns0:Wix>
+</ns0:Wix>
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>cryptomator</artifactId>
-	<version>1.19.0-SNAPSHOT</version>
+	<version>1.20.0-SNAPSHOT</version>
 	<name>Cryptomator Desktop App</name>

 	<organization>
@@ -33,45 +33,46 @@
 		<nonModularGroupIds>org.ow2.asm,org.apache.jackrabbit,org.apache.httpcomponents</nonModularGroupIds>

 		<!-- cryptomator dependencies -->
-		<cryptomator.cryptofs.version>2.10.0-beta3</cryptomator.cryptofs.version>
+		<cryptomator.cryptofs.version>2.10.0</cryptomator.cryptofs.version>
 		<cryptomator.cryptolib.version>2.2.2</cryptomator.cryptolib.version>
-		<cryptomator.integrations.version>1.8.0-beta1</cryptomator.integrations.version>
+		<cryptomator.integrations.version>1.8.0</cryptomator.integrations.version>
 		<cryptomator.integrations.win.version>1.6.0</cryptomator.integrations.win.version>
-		<cryptomator.integrations.mac.version>1.5.0-beta3</cryptomator.integrations.mac.version>
-		<cryptomator.integrations.linux.version>1.7.0-beta4</cryptomator.integrations.linux.version>
-		<cryptomator.fuse.version>6.0.0</cryptomator.fuse.version>
+		<cryptomator.integrations.mac.version>1.5.0</cryptomator.integrations.mac.version>
+		<cryptomator.integrations.linux.version>1.7.0</cryptomator.integrations.linux.version>
+		<cryptomator.fuse.version>6.0.1</cryptomator.fuse.version>
 		<cryptomator.webdav.version>3.0.1</cryptomator.webdav.version>
+		<cryptomator.webdav-servlet.version>1.2.12</cryptomator.webdav-servlet.version>

 		<!-- 3rd party dependencies -->
 		<caffeine.version>3.2.3</caffeine.version>
 		<commons-lang3.version>3.20.0</commons-lang3.version>
-		<dagger.version>2.59.1</dagger.version>
+		<dagger.version>2.59.2</dagger.version>
 		<easybind.version>2.2</easybind.version>
-		<jackson.version>2.21.0</jackson.version>
-		<javafx.version>25</javafx.version>
-		<jwt.version>4.5.0</jwt.version>
+		<jackson.version>2.21.1</jackson.version>
+		<javafx.version>25.0.2</javafx.version>
+		<jwt.version>4.5.1</jwt.version>
 		<nimbus-jose.version>10.5</nimbus-jose.version>
-		<logback.version>1.5.31</logback.version>
+		<logback.version>1.5.32</logback.version>
 		<slf4j.version>2.0.17</slf4j.version>
 		<tinyoauth2.version>0.8.1</tinyoauth2.version>
 		<zxcvbn.version>1.9.0</zxcvbn.version>

 		<!-- test dependencies -->
-		<junit.jupiter.version>5.13.4</junit.jupiter.version>
-		<mockito.version>5.20.0</mockito.version>
+		<junit.jupiter.version>6.0.3</junit.jupiter.version>
+		<mockito.version>5.22.0</mockito.version>
 		<hamcrest.version>3.0</hamcrest.version>

 		<!-- build-time dependencies -->
-		<jetbrains.annotations.version>26.0.2-1</jetbrains.annotations.version>
-		<dependency-check.version>12.1.5</dependency-check.version>
+		<jetbrains.annotations.version>26.1.0</jetbrains.annotations.version>
+		<dependency-check.version>12.2.0</dependency-check.version>
 		<jacoco.version>0.8.14</jacoco.version>
-		<license-generator.version>2.7.0</license-generator.version>
-		<junit-tree-reporter.version>1.4.0</junit-tree-reporter.version>
-		<mvn-compiler.version>3.14.1</mvn-compiler.version>
-		<mvn-resources.version>3.3.1</mvn-resources.version>
-		<mvn-dependency.version>3.8.1</mvn-dependency.version>
-		<mvn-surefire.version>3.5.4</mvn-surefire.version>
-		<mvn-jar.version>3.4.2</mvn-jar.version>
+		<license-generator.version>2.7.1</license-generator.version>
+		<junit-tree-reporter.version>1.5.1</junit-tree-reporter.version>
+		<mvn-compiler.version>3.15.0</mvn-compiler.version>
+		<mvn-resources.version>3.5.0</mvn-resources.version>
+		<mvn-dependency.version>3.10.0</mvn-dependency.version>
+		<mvn-surefire.version>3.5.3</mvn-surefire.version>
+		<mvn-jar.version>3.5.0</mvn-jar.version>

 		<!-- Property used by surefire to determine jacoco engine -->
 		<surefire.jacoco.args></surefire.jacoco.args>
@@ -93,6 +94,11 @@

 	<dependencies>
 		<!-- Cryptomator Libs -->
+		<dependency>
+			<groupId>org.cryptomator</groupId>
+			<artifactId>webdav-nio-adapter-servlet</artifactId>
+			<version>${cryptomator.webdav-servlet.version}</version>
+		</dependency>
 		<dependency>
 			<groupId>org.cryptomator</groupId>
 			<artifactId>cryptolib</artifactId>
@@ -521,11 +527,57 @@
 		</profile>

 		<profile>
-			<id>linux</id>
+			<id>linux-aarch64</id>
 			<activation>
 				<os>
 					<family>unix</family>
 					<name>Linux</name>
+					<arch>aarch64</arch>
+				</os>
+				<property>
+					<name>idea.version</name>
+				</property>
+			</activation>
+			<dependencies>
+				<dependency>
+					<groupId>org.cryptomator</groupId>
+					<artifactId>integrations-linux</artifactId>
+					<version>${cryptomator.integrations.linux.version}</version>
+				</dependency>
+				<dependency>
+					<groupId>org.openjfx</groupId>
+					<artifactId>javafx-base</artifactId>
+					<version>${javafx.version}</version>
+					<classifier>linux-aarch64</classifier>
+				</dependency>
+				<dependency>
+					<groupId>org.openjfx</groupId>
+					<artifactId>javafx-graphics</artifactId>
+					<version>${javafx.version}</version>
+					<classifier>linux-aarch64</classifier>
+				</dependency>
+				<dependency>
+					<groupId>org.openjfx</groupId>
+					<artifactId>javafx-controls</artifactId>
+					<version>${javafx.version}</version>
+					<classifier>linux-aarch64</classifier>
+				</dependency>
+				<dependency>
+					<groupId>org.openjfx</groupId>
+					<artifactId>javafx-fxml</artifactId>
+					<version>${javafx.version}</version>
+					<classifier>linux-aarch64</classifier>
+				</dependency>
+			</dependencies>
+		</profile>
+
+		<profile>
+			<id>linux-x86_64</id>
+			<activation>
+				<os>
+					<family>unix</family>
+					<name>Linux</name>
+					<arch>amd64</arch>
 				</os>
 				<property>
 					<name>idea.version</name>
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -13,6 +13,7 @@ import org.cryptomator.common.locationpresets.OneDriveLinuxLocationPresetsProvid
 import org.cryptomator.common.locationpresets.OneDriveMacLocationPresetsProvider;
 import org.cryptomator.common.locationpresets.OneDriveWindowsLocationPresetsProvider;
 import org.cryptomator.common.locationpresets.PCloudLocationPresetsProvider;
+import org.cryptomator.integrations.revealpath.RevealPathService;
 import org.cryptomator.integrations.tray.TrayMenuController;
 import org.cryptomator.integrations.uiappearance.UiAppearanceProvider;
 import org.cryptomator.logging.LogbackConfiguratorFactory;
@@ -20,6 +21,7 @@ import org.cryptomator.networking.SSLContextProvider;
 import org.cryptomator.networking.SSLContextWithMacKeychain;
 import org.cryptomator.networking.SSLContextWithPKCS12TrustStore;
 import org.cryptomator.networking.SSLContextWithWindowsCertStore;
+import org.cryptomator.ui.fxapp.JfxRevealPathService;
 import org.cryptomator.ui.fxapp.JfxUiAppearanceProvider;
 import org.cryptomator.ui.traymenu.AwtTrayMenuController;

@@ -64,6 +66,7 @@ open module org.cryptomator.desktop {
 	uses org.cryptomator.event.NotificationHandler;

 	provides UiAppearanceProvider with JfxUiAppearanceProvider;
+	provides RevealPathService with JfxRevealPathService;
 	provides TrayMenuController with AwtTrayMenuController;
 	provides Configurator with LogbackConfiguratorFactory;
 	provides SSLContextProvider with SSLContextWithWindowsCertStore, SSLContextWithMacKeychain, SSLContextWithPKCS12TrustStore;
--- a/src/main/java/org/cryptomator/common/CommonsModule.java
+++ b/src/main/java/org/cryptomator/common/CommonsModule.java
@@ -22,8 +22,6 @@ import javax.inject.Named;
 import javax.inject.Singleton;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
-import java.util.Comparator;
-import java.util.Optional;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.SynchronousQueue;
@@ -76,8 +74,8 @@ public abstract class CommonsModule {

 	@Provides
 	@Singleton
-	static Optional<RevealPathService> provideRevealPathService() {
-		return RevealPathService.get().findFirst();
+	static RevealPathService provideRevealPathService() {
+		return RevealPathService.get().findFirst().orElseThrow();
 	}


--- a/src/main/java/org/cryptomator/common/Environment.java
+++ b/src/main/java/org/cryptomator/common/Environment.java
@@ -9,10 +9,13 @@ import org.slf4j.LoggerFactory;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.Arrays;
 import java.util.Optional;
+import java.util.Set;
 import java.util.Spliterator;
 import java.util.Spliterators;
 import java.util.function.Predicate;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;

@@ -20,20 +23,22 @@ public class Environment {

 	private static final Logger LOG = LoggerFactory.getLogger(Environment.class);
 	private static final int DEFAULT_MIN_PW_LENGTH = 8;
-	private static final String SETTINGS_PATH_PROP_NAME = "cryptomator.settingsPath";
-	private static final String IPC_SOCKET_PATH_PROP_NAME = "cryptomator.ipcSocketPath";
-	private static final String KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.keychainPaths";
-	private static final String WINDOWS_HELLO_KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.windowsHelloKeychainPaths";
-	private static final String P12_PATH_PROP_NAME = "cryptomator.p12Path";
-	private static final String LOG_DIR_PROP_NAME = "cryptomator.logDir";
-	private static final String LOOPBACK_ALIAS_PROP_NAME = "cryptomator.loopbackAlias";
-	private static final String MOUNTPOINT_DIR_PROP_NAME = "cryptomator.mountPointsDir";
-	private static final String MIN_PW_LENGTH_PROP_NAME = "cryptomator.minPwLength";
-	private static final String APP_VERSION_PROP_NAME = "cryptomator.appVersion";
-	private static final String BUILD_NUMBER_PROP_NAME = "cryptomator.buildNumber";
-	private static final String PLUGIN_DIR_PROP_NAME = "cryptomator.pluginDir";
-	private static final String TRAY_ICON_PROP_NAME = "cryptomator.showTrayIcon";
-	private static final String DISABLE_UPDATE_CHECK_PROP_NAME = "cryptomator.disableUpdateCheck";
+	public static final String SETTINGS_PATH_PROP_NAME = "cryptomator.settingsPath";
+	public static final String IPC_SOCKET_PATH_PROP_NAME = "cryptomator.ipcSocketPath";
+	public static final String KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.keychainPaths";
+	public static final String WINDOWS_HELLO_KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.windowsHelloKeychainPaths";
+	public static final String P12_PATH_PROP_NAME = "cryptomator.p12Path";
+	public static final String LOG_DIR_PROP_NAME = "cryptomator.logDir";
+	public static final String LOOPBACK_ALIAS_PROP_NAME = "cryptomator.loopbackAlias";
+	public static final String MOUNTPOINT_DIR_PROP_NAME = "cryptomator.mountPointsDir";
+	public static final String MIN_PW_LENGTH_PROP_NAME = "cryptomator.minPwLength";
+	public static final String APP_VERSION_PROP_NAME = "cryptomator.appVersion";
+	public static final String BUILD_NUMBER_PROP_NAME = "cryptomator.buildNumber";
+	public static final String PLUGIN_DIR_PROP_NAME = "cryptomator.pluginDir";
+	public static final String TRAY_ICON_PROP_NAME = "cryptomator.showTrayIcon";
+	public static final String DISABLE_UPDATE_CHECK_PROP_NAME = "cryptomator.disableUpdateCheck";
+	public static final String HUB_ALLOWED_HOSTS_PROP_NAME = "cryptomator.hub.allowedHosts";
+	public static final String HUB_TOFU_PROP_NAME = "cryptomator.hub.enableTrustOnFirstUse";

 	private Environment() {}

@@ -57,6 +62,8 @@ public class Environment {
 		logCryptomatorSystemProperty(PLUGIN_DIR_PROP_NAME);
 		logCryptomatorSystemProperty(TRAY_ICON_PROP_NAME);
 		logCryptomatorSystemProperty(DISABLE_UPDATE_CHECK_PROP_NAME);
+		logCryptomatorSystemProperty(HUB_ALLOWED_HOSTS_PROP_NAME);
+		logCryptomatorSystemProperty(HUB_TOFU_PROP_NAME);
 	}

 	public static Environment getInstance() {
@@ -145,6 +152,18 @@ public class Environment {
 		return Boolean.getBoolean(DISABLE_UPDATE_CHECK_PROP_NAME);
 	}

+	public Set<String> hubAllowedHosts() {
+		var allowedHubHostsString = System.getProperty(HUB_ALLOWED_HOSTS_PROP_NAME, "");
+		return Arrays.stream(allowedHubHostsString.split(","))
+				.map(String::trim)
+				.filter(Predicate.not(String::isEmpty))
+				.collect(Collectors.toUnmodifiableSet());
+	}
+
+	public boolean hubTrustOnFirstUse() {
+		return Boolean.getBoolean(HUB_TOFU_PROP_NAME);
+	}
+
 	private Optional<Path> getPath(String propertyName) {
 		String value = System.getProperty(propertyName);
 		return Optional.ofNullable(value).map(Paths::get);
--- a/src/main/java/org/cryptomator/common/SubstitutingProperties.java
+++ b/src/main/java/org/cryptomator/common/SubstitutingProperties.java
@@ -1,7 +1,7 @@
 package org.cryptomator.common;

 import org.jetbrains.annotations.VisibleForTesting;
-import org.slf4j.LoggerFactory;
+import org.slf4j.Logger;

 import java.util.Map;
 import java.util.Properties;
@@ -13,10 +13,12 @@ public class SubstitutingProperties extends PropertiesDecorator {
 	private static final Pattern TEMPLATE = Pattern.compile("@\\{(\\w+)}");

 	private final Map<String, String> env;
+	private final Logger logger;

-	public SubstitutingProperties(Properties props, Map<String, String> systemEnvironment) {
+	public SubstitutingProperties(Properties props, Map<String, String> systemEnvironment, Logger logger) {
 		super(props);
 		this.env = systemEnvironment;
+		this.logger = logger;
 	}

 	@Override
@@ -44,7 +46,7 @@ public class SubstitutingProperties extends PropertiesDecorator {
 					case "localappdata" -> resolveFrom("LOCALAPPDATA", Source.ENV);
 					case "userhome" -> resolveFrom("user.home", Source.PROPS);
 					default -> {
-						LoggerFactory.getLogger(SubstitutingProperties.class).warn("Unknown variable {} in property value {}.", match.group(), value);
+						logger.warn("Unknown variable {} in property value {}.", match.group(), value);
 						yield match.group();
 					}
 				});
@@ -56,7 +58,7 @@ public class SubstitutingProperties extends PropertiesDecorator {
 			case PROPS -> delegate.getProperty(key);
 		};
 		if (val == null) {
-			LoggerFactory.getLogger(SubstitutingProperties.class).warn("Variable {} used for substitution not found in {}. Replaced with empty string.", key, src);
+			logger.warn("Variable {} used for substitution not found in {}. Replaced with empty string.", key, src);
 			return "";
 		} else {
 			return Matcher.quoteReplacement(val);
--- a/src/main/java/org/cryptomator/common/settings/Settings.java
+++ b/src/main/java/org/cryptomator/common/settings/Settings.java
@@ -24,9 +24,12 @@ import javafx.beans.property.SimpleStringProperty;
 import javafx.beans.property.StringProperty;
 import javafx.collections.FXCollections;
 import javafx.collections.ObservableList;
+import javafx.collections.ObservableSet;
 import javafx.geometry.NodeOrientation;
 import java.nio.file.Path;
 import java.time.Instant;
+import java.util.HashSet;
+import java.util.Set;

 public class Settings {

@@ -78,6 +81,7 @@ public class Settings {
 	public final ObjectProperty<Instant> lastSuccessfulUpdateCheck;
 	public final ObjectProperty<Path> previouslyUsedVaultDirectory;
 	public final StringProperty lastUpdateAttemptedByVersion;
+	public final ObservableSet<String> trustedHosts;

 	public static Settings create(SettingsProvider provider, Environment env) {
 		var defaults = new SettingsJson();
@@ -118,6 +122,7 @@ public class Settings {
 		this.lastSuccessfulUpdateCheck = new SimpleObjectProperty<>(this, "lastSuccessfulUpdateCheck", json.lastSuccessfulUpdateCheck);
 		this.previouslyUsedVaultDirectory = new SimpleObjectProperty<>(this, "previouslyUsedVaultDirectory", json.previouslyUsedVaultDirectory);
 		this.lastUpdateAttemptedByVersion = new SimpleStringProperty(this, "lastUpdateAttemptedByVersion", json.lastUpdateAttemptedByVersion);
+		this.trustedHosts = FXCollections.observableSet(json.trustedHosts);

 		this.directories.addAll(json.directories.stream().map(VaultSettings::new).toList());

@@ -149,6 +154,7 @@ public class Settings {
 		lastSuccessfulUpdateCheck.addListener(this::somethingChanged);
 		previouslyUsedVaultDirectory.addListener(this::somethingChanged);
 		lastUpdateAttemptedByVersion.addListener(this::somethingChanged);
+		trustedHosts.addListener(this::somethingChanged);
 	}

 	@SuppressWarnings("deprecation")
@@ -207,6 +213,7 @@ public class Settings {
 		json.lastSuccessfulUpdateCheck = lastSuccessfulUpdateCheck.get();
 		json.previouslyUsedVaultDirectory = previouslyUsedVaultDirectory.get();
 		json.lastUpdateAttemptedByVersion = lastUpdateAttemptedByVersion.get();
+		json.trustedHosts = Set.copyOf(trustedHosts);
 		return json;
 	}

--- a/src/main/java/org/cryptomator/common/settings/SettingsJson.java
+++ b/src/main/java/org/cryptomator/common/settings/SettingsJson.java
@@ -4,17 +4,23 @@ import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonSetter;
+import com.fasterxml.jackson.annotation.Nulls;

 import java.nio.file.Path;
 import java.time.Instant;
+import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;

@JsonIgnoreProperties(ignoreUnknown = true)
@JsonInclude(JsonInclude.Include.NON_NULL)
 class SettingsJson {

 	@JsonProperty("directories")
-	List<VaultSettingsJson> directories = List.of();
+	@JsonSetter(nulls = Nulls.AS_EMPTY)
+	List<VaultSettingsJson> directories = new ArrayList<>();

 	@JsonProperty("writtenByVersion")
 	String writtenByVersion;
@@ -99,4 +105,8 @@ class SettingsJson {

 	@JsonProperty("lastUpdateAttemptedByVersion")
 	String lastUpdateAttemptedByVersion;
+
+	@JsonProperty("trustedHosts")
+	@JsonSetter(nulls = Nulls.AS_EMPTY)
+	Set<String> trustedHosts = new HashSet<>();
 }
--- a/src/main/java/org/cryptomator/launcher/AdminPropertiesFactory.java
+++ b/src/main/java/org/cryptomator/launcher/AdminPropertiesFactory.java
@@ -27,6 +27,8 @@ import java.util.Set;
 *     <li>cryptomator.p12Path</li>
 *     <li>cryptomator.mountPointsDir</li>
 *     <li>cryptomator.disableUpdateCheck</li>
+ *     <li>cryptomator.hub.allowedHosts</li>
+ *     <li>cryptomator.hub.enableTrustOnFirstUse</li>
 * </ul>
 *
 * @see Properties
@@ -42,7 +44,9 @@ class AdminPropertiesFactory {
 			"cryptomator.pluginDir", //
 			"cryptomator.p12Path", //
 			"cryptomator.mountPointsDir", //
-			"cryptomator.disableUpdateCheck");
+			"cryptomator.disableUpdateCheck", //
+ 			"cryptomator.hub.allowedHosts", //
+			"cryptomator.hub.enableTrustOnFirstUse");


 	/**
--- a/src/main/java/org/cryptomator/launcher/Cryptomator.java
+++ b/src/main/java/org/cryptomator/launcher/Cryptomator.java
@@ -36,7 +36,7 @@ public class Cryptomator {

 	static {
 		var adminProps = AdminPropertiesFactory.create();
-		var lazyProcessedProps = new SubstitutingProperties(adminProps, System.getenv());
+		var lazyProcessedProps = new SubstitutingProperties(adminProps, System.getenv(), EventualLogger.INSTANCE);
 		System.setProperties(lazyProcessedProps);
 		CRYPTOMATOR_COMPONENT = DaggerCryptomatorComponent.factory().create(STARTUP_TIME);
 		LOG = LoggerFactory.getLogger(Cryptomator.class);
@@ -65,7 +65,6 @@ public class Cryptomator {
 	}

 	public static void main(String[] args) {
-		EventualLogger.INSTANCE.drainTo(LOG);
 		var printVersion = Optional.ofNullable(args) //
 				.stream() //Streams either one element (the args-array) or zero elements
 				.flatMap(Arrays::stream) //
@@ -91,10 +90,11 @@ public class Cryptomator {
 	 * @return Nonzero exit code in case of an error.
 	 */
 	private int run(String[] args) {
+		debugMode.initialize();
+		EventualLogger.INSTANCE.drainTo(LOG);
 		env.log();
 		LOG.debug("Dagger graph initialized after {}ms", System.currentTimeMillis() - STARTUP_TIME);
 		LOG.info("Starting Cryptomator {} on {} {} ({})", env.getAppVersion(), SystemUtils.OS_NAME, SystemUtils.OS_VERSION, SystemUtils.OS_ARCH);
-		debugMode.initialize();
 		supportedLanguages.applyPreferred();
 		changeDefaultSSLContext();
 		/*
--- a/src/main/java/org/cryptomator/networking/SSLContextDifferentTrustStoreBase.java
+++ b/src/main/java/org/cryptomator/networking/SSLContextDifferentTrustStoreBase.java
@@ -18,7 +18,7 @@ abstract class SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 	public SSLContext getContext(SecureRandom csprng) throws SSLContextBuildException {
 		try {
 			KeyStore truststore = getTruststore();
-			truststore.load(null, null);
+			ensureLoaded(truststore);

 			TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 			tmf.init(truststore);
@@ -30,4 +30,13 @@ abstract class SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 			throw new SSLContextBuildException(e);
 		}
 	}
+
+	static void ensureLoaded(KeyStore truststore) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
+		try {
+			truststore.aliases();
+		} catch (KeyStoreException e) {
+			// Not initialized yet (e.g. custom KeyStore SPI); initialize without replacing preloaded stores.
+			truststore.load(null, null);
+		}
+	}
 }
--- a/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java
+++ b/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java
@@ -1,21 +1,73 @@
 package org.cryptomator.networking;

+import org.cryptomator.common.Nullable;
 import org.cryptomator.integrations.common.OperatingSystem;
+import org.jetbrains.annotations.VisibleForTesting;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.cert.CertificateException;
+import java.util.List;
+import java.util.Properties;

 /**
- * SSLContextProvider for Windows using the Windows certificate store as trust store
+ * SSLContextProvider for Windows using the Windows certificate store as trust store and the bundled JDK cacerts as fallback
 * <p>
 * In order to work, the jdk.crypto.mscapi jmod is needed
 */
@OperatingSystem(OperatingSystem.Value.WINDOWS)
 public class SSLContextWithWindowsCertStore extends SSLContextDifferentTrustStoreBase implements SSLContextProvider {

+	private static final Logger LOG = LoggerFactory.getLogger(SSLContextWithWindowsCertStore.class);
+	private static final String DEFAULT_TRUSTSTORE_PASSWORD = "changeit"; //default JDK cacerts password
+
 	@Override
-	KeyStore getTruststore() throws KeyStoreException {
-		return KeyStore.getInstance("WINDOWS-ROOT");
+	KeyStore getTruststore() throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
+		var windowsKeyStore = KeyStore.getInstance("WINDOWS-ROOT");
+		var jdkKeyStore = getShippedCaCertsStore();
+		if (jdkKeyStore == null) {
+			return windowsKeyStore;
+		}
+
+		ensureLoaded(windowsKeyStore);
+		ensureLoaded(jdkKeyStore);
+		try {
+			CombinedKeyStoreSpi spi = CombinedKeyStoreSpi.create(windowsKeyStore, jdkKeyStore);
+			Provider dummyProvider = new Provider("CombinedKeyStoreProvider", "1.0", "Provides a combined, read-only KeyStore") {};
+			return new KeyStore(spi, dummyProvider, "CombinedKeyStoreProvider") {};
+		} catch (IllegalArgumentException e) {
+			throw new KeyStoreException(e);
+		}
+	}
+
+	@Nullable
+	KeyStore getShippedCaCertsStore() {
+		return getCaCertsStoreByProperties(System.getProperties());
+	}
+
+	//for testability
+	@VisibleForTesting
+	@Nullable
+	KeyStore getCaCertsStoreByProperties(Properties props) {
+		var javaHome = Path.of(props.getProperty("java.home"));
+		var trustStorePassword = props.getProperty("javax.net.ssl.trustStorePassword", DEFAULT_TRUSTSTORE_PASSWORD).toCharArray();
+		for (var candidate : List.of(javaHome.resolve("lib/security/cacerts"), javaHome.resolve("conf/security/cacerts"))) {
+			try {
+				if (Files.isRegularFile(candidate)) {
+					return KeyStore.getInstance(candidate.toFile(), trustStorePassword);
+				}
+			} catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException e) {
+				LOG.info("Unable to load fallback cacerts {} file. Skipping fallback.", candidate, e);
+			}
+		}
+		return null;
 	}

 }
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -19,6 +19,7 @@ public enum FxmlFile {
 	HEALTH_START("/fxml/health_start.fxml"), //
 	HEALTH_CHECK_LIST("/fxml/health_check_list.fxml"), //
 	HUB_NO_KEYCHAIN("/fxml/hub_no_keychain.fxml"), //
+	HUB_CHECK_HOST_TRUST("/fxml/hub_check_host_trust.fxml"), //
 	HUB_AUTH_FLOW("/fxml/hub_auth_flow.fxml"), //
 	HUB_INVALID_LICENSE("/fxml/hub_invalid_license.fxml"), //
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
@@ -29,6 +30,7 @@ public enum FxmlFile {
 	HUB_REGISTER_FAILED("/fxml/hub_register_failed.fxml"), //
 	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
 	HUB_UNAUTHORIZED_DEVICE("/fxml/hub_unauthorized_device.fxml"), //
+	HUB_UNTRUSTED_HOST("/fxml/hub_untrusted_host.fxml"), //
 	HUB_REQUIRE_ACCOUNT_INIT("/fxml/hub_require_account_init.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
--- a/src/main/java/org/cryptomator/ui/common/VaultService.java
+++ b/src/main/java/org/cryptomator/ui/common/VaultService.java
@@ -1,17 +1,16 @@
 package org.cryptomator.ui.common;

-import dagger.Lazy;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.common.vaults.VaultState;
 import org.cryptomator.integrations.mount.Mountpoint;
 import org.cryptomator.integrations.mount.UnmountFailedException;
+import org.cryptomator.integrations.revealpath.RevealFailedException;
+import org.cryptomator.integrations.revealpath.RevealPathService;
 import org.cryptomator.ui.fxapp.FxApplicationScoped;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.inject.Inject;
-import javafx.application.Application;
-import javafx.application.HostServices;
 import javafx.concurrent.Task;
 import javafx.stage.Stage;
 import java.io.IOException;
@@ -28,12 +27,12 @@ public class VaultService {

 	private static final Logger LOG = LoggerFactory.getLogger(VaultService.class);

-	private final Lazy<Application> application;
+	private final RevealPathService revealPathService;
 	private final ExecutorService executorService;

 	@Inject
-	public VaultService(Lazy<Application> application, ExecutorService executorService) {
-		this.application = application;
+	public VaultService(RevealPathService revealPathService, ExecutorService executorService) {
+		this.revealPathService = revealPathService;
 		this.executorService = executorService;
 	}

@@ -47,9 +46,9 @@ public class VaultService {
 	 * @param vault The vault to reveal
 	 */
 	public Task<Vault> createRevealTask(Vault vault) {
-		Task<Vault> task = new RevealVaultTask(vault, application.get().getHostServices());
-		task.setOnSucceeded(evt -> LOG.info("Revealed {}", vault.getDisplayName()));
-		task.setOnFailed(evt -> LOG.error("Failed to reveal " + vault.getDisplayName(), evt.getSource().getException()));
+		Task<Vault> task = new RevealVaultTask(vault, revealPathService);
+		task.setOnSucceeded(_ -> LOG.info("Revealed {}", vault.getDisplayName()));
+		task.setOnFailed(evt -> LOG.warn("Failed to reveal {}", vault.getDisplayName(), evt.getSource().getException()));
 		return task;
 	}

@@ -110,19 +109,18 @@ public class VaultService {
 	private static class RevealVaultTask extends Task<Vault> {

 		private final Vault vault;
-		private final HostServices hostServices;
+		private final RevealPathService rs;

-		public RevealVaultTask(Vault vault, HostServices hostServices) {
+		public RevealVaultTask(Vault vault, RevealPathService revealPathService) {
 			this.vault = vault;
-			this.hostServices = hostServices;
-			setOnFailed(evt -> LOG.error("Failed to reveal " + vault.getDisplayName(), getException()));
+			this.rs = revealPathService;
 		}

 		@Override
-		protected Vault call() {
+		protected Vault call() throws RevealFailedException {
 			switch (vault.getMountPoint()) {
 				case null -> LOG.warn("Not currently mounted");
-				case Mountpoint.WithPath m -> hostServices.showDocument(m.uri().toString());
+				case Mountpoint.WithPath m -> rs.reveal(m.path());
 				case Mountpoint.WithUri m -> LOG.info("Vault mounted at {}", m.uri()); // TODO show in UI?
 			}
 			return vault;
--- a/src/main/java/org/cryptomator/ui/decryptname/DecryptFileNamesViewController.java
+++ b/src/main/java/org/cryptomator/ui/decryptname/DecryptFileNamesViewController.java
@@ -58,8 +58,6 @@ public class DecryptFileNamesViewController implements FxController {
 	private final Stage window;
 	private final Vault vault;
 	private final ResourceBundle resourceBundle;
-	private final List<Path> initialList;
-
 	@FXML
 	public TableColumn<CipherAndCleartext, String> ciphertextColumn;
 	@FXML
@@ -68,12 +66,11 @@ public class DecryptFileNamesViewController implements FxController {
 	public TableView<CipherAndCleartext> cipherToCleartextTable;

 	@Inject
-	public DecryptFileNamesViewController(@DecryptNameWindow Stage window, @DecryptNameWindow Vault vault, @DecryptNameWindow List<Path> pathsToDecrypt, ResourceBundle resourceBundle) {
+	public DecryptFileNamesViewController(@DecryptNameWindow Stage window, @DecryptNameWindow Vault vault, ResourceBundle resourceBundle) {
 		this.window = window;
 		this.vault = vault;
 		this.resourceBundle = resourceBundle;
 		this.mapping = new SimpleListProperty<>(FXCollections.observableArrayList());
-		this.initialList = pathsToDecrypt;
 	}

 	@FXML
@@ -97,8 +94,7 @@ public class DecryptFileNamesViewController implements FxController {
 		});
 		cipherToCleartextTable.setOnDragDropped(event -> {
 			if (event.getGestureSource() == null && event.getDragboard().hasFiles()) {
-				checkAndDecrypt(event.getDragboard().getFiles().stream().map(File::toPath).toList());
-				cipherToCleartextTable.setItems(mapping);
+				decrypt(event.getDragboard().getFiles().stream().map(File::toPath).toList());
 			}
 		});
 		cipherToCleartextTable.setOnDragExited(_ -> cipherToCleartextTable.setItems(mapping));
@@ -124,9 +120,7 @@ public class DecryptFileNamesViewController implements FxController {
 				});
 			}
 		});
-		if (!initialList.isEmpty()) {
-			checkAndDecrypt(initialList);
-		}
+		window.setOnHidden(_ -> mapping.clear());
 	}

 	private void copySingleCelltoClipboard() {
@@ -149,10 +143,18 @@ public class DecryptFileNamesViewController implements FxController {
 		fileChooser.setInitialDirectory(vault.getPath().toFile());
 		var ciphertextNodes = fileChooser.showOpenMultipleDialog(window);
 		if (ciphertextNodes != null) {
-			checkAndDecrypt(ciphertextNodes.stream().map(File::toPath).toList());
+			decrypt(ciphertextNodes.stream().map(File::toPath).toList());
 		}
 	}

+	public void decrypt(List<Path> pathsToDecrypt) {
+		if (pathsToDecrypt.isEmpty()) {
+			return;
+		}
+		checkAndDecrypt(pathsToDecrypt);
+		cipherToCleartextTable.setItems(mapping);
+	}
+
 	private void checkAndDecrypt(List<Path> pathsToDecrypt) {
 		mapping.clear();
 		//Assumption: All files are in the same directory
--- a/src/main/java/org/cryptomator/ui/decryptname/DecryptNameComponent.java
+++ b/src/main/java/org/cryptomator/ui/decryptname/DecryptNameComponent.java
@@ -28,23 +28,28 @@ public interface DecryptNameComponent {
 	@FxmlScene(FxmlFile.DECRYPTNAMES)
 	Lazy<Scene> decryptNamesView();

+	DecryptFileNamesViewController controller();
+
 	@DecryptNameWindow
 	Vault vault();

-	default void showDecryptFileNameWindow() {
+	default void showDecryptFileNameWindow(List<Path> pathsToDecrypt) {
 		Stage s = window();
 		s.setScene(decryptNamesView().get());
 		s.sizeToScene();
 		if (vault().isUnlocked()) {
+			controller().decrypt(pathsToDecrypt);
 			s.show();
+			s.requestFocus();
 		} else {
 			LOG.error("Aborted showing DecryptFileName window: vault state is not {}, but {}.", VaultState.Value.UNLOCKED, vault().getState());
+			s.close();
 		}
 	}

 	@Subcomponent.Factory
 	interface Factory {

-		DecryptNameComponent create(@BindsInstance @DecryptNameWindow Vault vault, @BindsInstance @Named("windowOwner") Stage owner, @BindsInstance @DecryptNameWindow List<Path> pathsToDecrypt);
+		DecryptNameComponent create(@BindsInstance @DecryptNameWindow Vault vault, @BindsInstance @Named("windowOwner") Stage owner);
 	}
 }
--- a/src/main/java/org/cryptomator/ui/eventview/EventListCellController.java
+++ b/src/main/java/org/cryptomator/ui/eventview/EventListCellController.java
@@ -2,18 +2,17 @@ package org.cryptomator.ui.eventview;

 import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.common.Constants;
-import org.cryptomator.cryptofs.event.FileIsInUseEvent;
-import org.cryptomator.event.FSEventBucket;
-import org.cryptomator.event.FSEventBucketContent;
-import org.cryptomator.event.FileSystemEventAggregator;
 import org.cryptomator.common.Nullable;
 import org.cryptomator.common.ObservableUtil;
-import org.cryptomator.cryptofs.CryptoPath;
 import org.cryptomator.cryptofs.event.BrokenDirFileEvent;
 import org.cryptomator.cryptofs.event.BrokenFileNodeEvent;
 import org.cryptomator.cryptofs.event.ConflictResolutionFailedEvent;
 import org.cryptomator.cryptofs.event.ConflictResolvedEvent;
 import org.cryptomator.cryptofs.event.DecryptionFailedEvent;
+import org.cryptomator.cryptofs.event.FileIsInUseEvent;
+import org.cryptomator.event.FSEventBucket;
+import org.cryptomator.event.FSEventBucketContent;
+import org.cryptomator.event.FileSystemEventAggregator;
 import org.cryptomator.integrations.revealpath.RevealFailedException;
 import org.cryptomator.integrations.revealpath.RevealPathService;
 import org.cryptomator.ui.common.FxController;
@@ -46,7 +45,6 @@ import java.time.ZoneId;
 import java.time.format.DateTimeFormatter;
 import java.time.format.FormatStyle;
 import java.util.Map;
-import java.util.Optional;
 import java.util.ResourceBundle;
 import java.util.function.Function;

@@ -57,7 +55,6 @@ public class EventListCellController implements FxController {
 	private static final DateTimeFormatter LOCAL_TIME_FORMATTER = DateTimeFormatter.ofLocalizedTime(FormatStyle.SHORT).withZone(ZoneId.systemDefault());

 	private final FileSystemEventAggregator fileSystemEventAggregator;
-	@Nullable
 	private final RevealPathService revealService;
 	private final ResourceBundle resourceBundle;
 	private final ObjectProperty<Map.Entry<FSEventBucket, FSEventBucketContent>> eventEntry;
@@ -82,15 +79,17 @@ public class EventListCellController implements FxController {
 	Button eventActionsButton;

 	@Inject
-	public EventListCellController(FileSystemEventAggregator fileSystemEventAggregator, Optional<RevealPathService> revealService, ResourceBundle resourceBundle) {
+	public EventListCellController(FileSystemEventAggregator fileSystemEventAggregator,
+								   RevealPathService revealService,
+								   ResourceBundle resourceBundle) {
 		this.fileSystemEventAggregator = fileSystemEventAggregator;
-		this.revealService = revealService.orElseGet(() -> null);
+		this.revealService = revealService;
 		this.resourceBundle = resourceBundle;
 		this.eventEntry = new SimpleObjectProperty<>(null);
 		this.eventMessage = new SimpleStringProperty();
 		this.eventDescription = new SimpleStringProperty();
 		this.eventIcon = new SimpleObjectProperty<>();
-		this.eventCount = ObservableUtil.mapWithDefault(eventEntry, e -> e.getValue().count() == 1? "" : "("+ e.getValue().count() +")", "");
+		this.eventCount = ObservableUtil.mapWithDefault(eventEntry, e -> e.getValue().count() == 1 ? "" : "(" + e.getValue().count() + ")", "");
 		this.vaultUnlocked = ObservableUtil.mapWithDefault(eventEntry.flatMap(e -> e.getKey().vault().unlockedProperty()), Function.identity(), false);
 		this.readableTime = ObservableUtil.mapWithDefault(eventEntry, e -> LOCAL_TIME_FORMATTER.format(e.getValue().mostRecentEvent().getTimestamp()), "");
 		this.readableDate = ObservableUtil.mapWithDefault(eventEntry, e -> LOCAL_DATE_FORMATTER.format(e.getValue().mostRecentEvent().getTimestamp()), "");
@@ -136,13 +135,8 @@ public class EventListCellController implements FxController {
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.inUse.message"));
 		var indexFileName = fiiue.cleartextPath().lastIndexOf("/");
 		eventDescription.setValue(fiiue.cleartextPath().substring(indexFileName + 1));
-		if (revealService != null) {
-			addLocalizedAction("eventView.entry.inUse.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(fiiue.cleartextPath())));
-			addLocalizedAction("eventView.entry.inUse.showEncrypted", () -> reveal(revealService, fiiue.ciphertextPath()));
-		} else {
-			addLocalizedAction("eventView.entry.inUse.copyDecrypted", () -> copyToClipboard(convertVaultPathToSystemPath(fiiue.cleartextPath()).toString()));
-			addLocalizedAction("eventView.entry.inUse.copyEncrypted", () -> copyToClipboard(fiiue.ciphertextPath().toString()));
-		}
+		addLocalizedAction("eventView.entry.inUse.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(fiiue.cleartextPath())));
+		addLocalizedAction("eventView.entry.inUse.showEncrypted", () -> reveal(revealService, fiiue.ciphertextPath()));

 		var userAndDevice = fiiue.owner().split(Constants.HUB_USER_DEVICE_SEPARATOR);
 		var user = userAndDevice[0];
@@ -156,11 +150,7 @@ public class EventListCellController implements FxController {
 		eventIcon.setValue(FontAwesome5Icon.TIMES);
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.brokenFileNode.message"));
 		eventDescription.setValue(bfe.ciphertextPath().getFileName().toString());
-		if (revealService != null) {
-			addLocalizedAction("eventView.entry.brokenFileNode.showEncrypted", () -> reveal(revealService, bfe.ciphertextPath()));
-		} else {
-			addLocalizedAction("eventView.entry.brokenFileNode.copyEncrypted", () -> copyToClipboard(bfe.ciphertextPath().toString()));
-		}
+		addLocalizedAction("eventView.entry.brokenFileNode.showEncrypted", () -> reveal(revealService, bfe.ciphertextPath()));
 		addLocalizedAction("eventView.entry.brokenFileNode.copyDecrypted", () -> copyToClipboard(convertVaultPathToSystemPath(bfe.cleartextPath()).toString()));
 	}

@@ -168,46 +158,29 @@ public class EventListCellController implements FxController {
 		eventIcon.setValue(FontAwesome5Icon.CHECK);
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.conflictResolved.message"));
 		eventDescription.setValue(cre.resolvedCiphertextPath().getFileName().toString());
-		if (revealService != null) {
-			addLocalizedAction("eventView.entry.conflictResolved.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(cre.resolvedCleartextPath())));
-		} else {
-			addLocalizedAction("eventView.entry.conflictResolved.copyDecrypted", () -> copyToClipboard(convertVaultPathToSystemPath(cre.resolvedCleartextPath()).toString()));
-		}
+		addLocalizedAction("eventView.entry.conflictResolved.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(cre.resolvedCleartextPath())));
 	}

 	private void adjustToConflictEvent(ConflictResolutionFailedEvent cfe) {
 		eventIcon.setValue(FontAwesome5Icon.COMPRESS_ALT);
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.conflict.message"));
 		eventDescription.setValue(cfe.conflictingCiphertextPath().getFileName().toString());
-		if (revealService != null) {
-			addLocalizedAction("eventView.entry.conflict.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(cfe.canonicalCleartextPath())));
-			addLocalizedAction("eventView.entry.conflict.showEncrypted", () -> reveal(revealService, cfe.conflictingCiphertextPath()));
-		} else {
-			addLocalizedAction("eventView.entry.conflict.copyDecrypted", () -> copyToClipboard(convertVaultPathToSystemPath(cfe.canonicalCleartextPath()).toString()));
-			addLocalizedAction("eventView.entry.conflict.copyEncrypted", () -> copyToClipboard(cfe.conflictingCiphertextPath().toString()));
-		}
+		addLocalizedAction("eventView.entry.conflict.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(cfe.canonicalCleartextPath())));
+		addLocalizedAction("eventView.entry.conflict.showEncrypted", () -> reveal(revealService, cfe.conflictingCiphertextPath()));
 	}

 	private void adjustToDecryptionFailedEvent(DecryptionFailedEvent dfe) {
 		eventIcon.setValue(FontAwesome5Icon.BAN);
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.decryptionFailed.message"));
 		eventDescription.setValue(dfe.ciphertextPath().getFileName().toString());
-		if (revealService != null) {
-			addLocalizedAction("eventView.entry.decryptionFailed.showEncrypted", () -> reveal(revealService, dfe.ciphertextPath()));
-		} else {
-			addLocalizedAction("eventView.entry.decryptionFailed.copyEncrypted", () -> copyToClipboard(dfe.ciphertextPath().toString()));
-		}
+		addLocalizedAction("eventView.entry.decryptionFailed.showEncrypted", () -> reveal(revealService, dfe.ciphertextPath()));
 	}

 	private void adjustToBrokenDirFileEvent(BrokenDirFileEvent bde) {
 		eventIcon.setValue(FontAwesome5Icon.TIMES);
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.brokenDirFile.message"));
 		eventDescription.setValue(bde.ciphertextPath().getParent().getFileName().toString());
-		if (revealService != null) {
-			addLocalizedAction("eventView.entry.brokenDirFile.showEncrypted", () -> reveal(revealService, bde.ciphertextPath()));
-		} else {
-			addLocalizedAction("eventView.entry.brokenDirFile.copyEncrypted", () -> copyToClipboard(bde.ciphertextPath().toString()));
-		}
+		addLocalizedAction("eventView.entry.brokenDirFile.showEncrypted", () -> reveal(revealService, bde.ciphertextPath()));
 	}

 	private void addLocalizedAction(String localizationKey, Runnable action) {
@@ -270,7 +243,7 @@ public class EventListCellController implements FxController {
 		}

 		var mountPoint = v.getMountPoint().uri().getPath();
-		if(SystemUtils.IS_OS_WINDOWS) {
+		if (SystemUtils.IS_OS_WINDOWS) {
 			mountPoint = mountPoint.substring(1); //strip away any leading "/", otherwise there are errors
 		}
 		return Path.of(mountPoint, vaultInternalPath.substring(1)); //vaultPaths are always absolute
--- a/src/main/java/org/cryptomator/ui/fxapp/FxApplication.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/FxApplication.java
@@ -10,16 +10,20 @@ import org.slf4j.LoggerFactory;

 import javax.inject.Inject;
 import javax.inject.Named;
+import javafx.application.Application;
 import javafx.application.Platform;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicReference;

@FxApplicationScoped
 public class FxApplication {

 	private static final Logger LOG = LoggerFactory.getLogger(FxApplication.class);

+	static final AtomicReference<Application> INSTANCE = new AtomicReference<>();
+
 	private final long startupTime;
 	private final Environment environment;
 	private final Settings settings;
@@ -33,7 +37,8 @@ public class FxApplication {
 	private final FxNotificationManager notificationManager;

 	@Inject
-	FxApplication(@Named("startupTime") long startupTime, //
+	FxApplication(Application fxApp,
+				   @Named("startupTime") long startupTime, //
 				  Environment environment, //
 				  Settings settings, //
 				  AppLaunchEventHandler launchEventHandler, //
@@ -55,6 +60,8 @@ public class FxApplication {
 		this.autoUnlocker = autoUnlocker;
 		this.fxFSEventList = fxFSEventList;
 		this.notificationManager = notificationManager;
+
+		INSTANCE.set(fxApp);
 	}

 	public void start() {
--- a/src/main/java/org/cryptomator/ui/fxapp/FxApplicationModule.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/FxApplicationModule.java
@@ -64,17 +64,6 @@ abstract class FxApplicationModule {
 		return builder.build();
 	}

-	@Provides
-	@FxApplicationScoped
-	static MainWindowComponent provideMainWindowComponent(MainWindowComponent.Builder builder) {
-		return builder.build();
-	}
-
-	@Provides
-	@FxApplicationScoped
-	static PreferencesComponent providePreferencesComponent(PreferencesComponent.Builder builder) {
-		return builder.build();
-	}

 	@Provides
 	@FxApplicationScoped
@@ -88,10 +77,4 @@ abstract class FxApplicationModule {
 		return factory.create();
 	}

-	@Provides
-	@FxApplicationScoped
-	static NotificationComponent provideNotificationComponent(NotificationComponent.Factory factory) {
-		return factory.create();
-	}
-
 }
--- a/src/main/java/org/cryptomator/ui/fxapp/FxApplicationWindows.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/FxApplicationWindows.java
@@ -39,6 +39,7 @@ import java.util.Optional;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionStage;
 import java.util.concurrent.ExecutorService;
+import java.util.function.Supplier;

@FxApplicationScoped
 public class FxApplicationWindows {
@@ -47,15 +48,15 @@ public class FxApplicationWindows {

 	private final Stage primaryStage;
 	private final Optional<TrayIntegrationProvider> trayIntegration;
-	private final Lazy<MainWindowComponent> mainWindow;
-	private final Lazy<PreferencesComponent> preferencesWindow;
+	private final CachedLazy<MainWindowComponent> mainWindow;
+	private final CachedLazy<PreferencesComponent> preferencesWindow;
 	private final QuitComponent.Builder quitWindowBuilder;
 	private final UnlockComponent.Factory unlockWorkflowFactory;
 	private final UpdateReminderComponent.Factory updateReminderWindowFactory;
 	private final LockComponent.Factory lockWorkflowFactory;
 	private final ErrorComponent.Factory errorWindowFactory;
-	private final Lazy<EventViewComponent> eventViewWindow;
-	private final Lazy<NotificationComponent> notificationWindow;
+	private final CachedLazy<EventViewComponent> eventViewWindow;
+	private final CachedLazy<NotificationComponent> notificationWindow;
 	private final ExecutorService executor;
 	private final VaultOptionsComponent.Factory vaultOptionsWindow;
 	private final ShareVaultComponent.Factory shareVaultWindow;
@@ -65,8 +66,8 @@ public class FxApplicationWindows {
 	@Inject
 	public FxApplicationWindows(@PrimaryStage Stage primaryStage, //
 								Optional<TrayIntegrationProvider> trayIntegration, //
-								Lazy<MainWindowComponent> mainWindow, //
-								Lazy<PreferencesComponent> preferencesWindow, //
+								MainWindowComponent.Builder mainWindowBuilder, //
+								PreferencesComponent.Builder preferencesWindowBuilder, //
 								QuitComponent.Builder quitWindowBuilder, //
 								UnlockComponent.Factory unlockWorkflowFactory, //
 								UpdateReminderComponent.Factory updateReminderWindowFactory, //
@@ -74,21 +75,21 @@ public class FxApplicationWindows {
 								ErrorComponent.Factory errorWindowFactory, //
 								VaultOptionsComponent.Factory vaultOptionsWindow, //
 								ShareVaultComponent.Factory shareVaultWindow, //
-								Lazy<EventViewComponent> eventViewWindow, //
-								Lazy<NotificationComponent> notificationWindow,
+								EventViewComponent.Factory eventViewWindowFactory, //
+								NotificationComponent.Factory notificationWindowFactory, //
 								ExecutorService executor, //
 								Dialogs dialogs) {
 		this.primaryStage = primaryStage;
 		this.trayIntegration = trayIntegration;
-		this.mainWindow = mainWindow;
-		this.preferencesWindow = preferencesWindow;
+		this.mainWindow = new CachedLazy<>(mainWindowBuilder::build);
+		this.preferencesWindow = new CachedLazy<>(preferencesWindowBuilder::build);
 		this.quitWindowBuilder = quitWindowBuilder;
 		this.unlockWorkflowFactory = unlockWorkflowFactory;
 		this.updateReminderWindowFactory = updateReminderWindowFactory;
 		this.lockWorkflowFactory = lockWorkflowFactory;
 		this.errorWindowFactory = errorWindowFactory;
-		this.eventViewWindow = eventViewWindow;
-		this.notificationWindow = notificationWindow;
+		this.eventViewWindow = new CachedLazy<>(eventViewWindowFactory::create);
+		this.notificationWindow = new CachedLazy<>(notificationWindowFactory::create);
 		this.executor = executor;
 		this.vaultOptionsWindow = vaultOptionsWindow;
 		this.shareVaultWindow = shareVaultWindow;
@@ -218,4 +219,29 @@ public class FxApplicationWindows {
 			LOG.error("Failed to display stage", error);
 		}
 	}
+
+	private static class CachedLazy<T> implements Lazy<T> {
+
+		private final Supplier<T> supplier;
+		private volatile T instance = null;
+
+		public CachedLazy(Supplier<T> supplier) {
+			this.supplier = supplier;
+		}
+
+		@Override
+		public T get() {
+			T value = instance;
+			if (value == null) {
+				synchronized (this) {
+					value = instance;
+					if (value == null) {
+						value = supplier.get();
+						instance = value;
+					}
+				}
+			}
+			return instance;
+		}
+	}
 }
--- a/src/main/java/org/cryptomator/ui/fxapp/JfxRevealPathService.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/JfxRevealPathService.java
@@ -0,0 +1,37 @@
+package org.cryptomator.ui.fxapp;
+
+import org.cryptomator.integrations.common.DisplayName;
+import org.cryptomator.integrations.common.OperatingSystem;
+import org.cryptomator.integrations.common.Priority;
+import org.cryptomator.integrations.revealpath.RevealFailedException;
+import org.cryptomator.integrations.revealpath.RevealPathService;
+
+import java.nio.file.Path;
+
+/**
+ * A {@link RevealPathService} service implementation using the JavaFX {@link javafx.application.HostServices#showDocument(String)} to reveal documents.
+ * <p>
+ * Internally the HostServices class uses GTK on Linux.
+ *
+ * @implNote {@link #reveal(Path)} only succeeds when the class {@link FxApplication} is initialized.
+ */
+@DisplayName("JavaFX HostServices (GTK)")
+@OperatingSystem(OperatingSystem.Value.LINUX)
+@Priority(10)
+public class JfxRevealPathService implements RevealPathService {
+
+	@Override
+	public void reveal(Path p) throws RevealFailedException {
+		var fxApp = FxApplication.INSTANCE.get();
+		if (fxApp != null) {
+			fxApp.getHostServices().showDocument(p.toUri().toString());
+		} else {
+			throw new RevealFailedException("JavaFX Application not initialized");
+		}
+	}
+
+	@Override
+	public boolean isSupported() {
+		return true;
+	}
+}
--- a/src/main/java/org/cryptomator/ui/health/ReportWriter.java
+++ b/src/main/java/org/cryptomator/ui/health/ReportWriter.java
@@ -4,9 +4,12 @@ import com.google.common.base.Throwables;
 import org.cryptomator.common.Environment;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.cryptofs.VaultConfig;
+import org.cryptomator.integrations.revealpath.RevealFailedException;
+import org.cryptomator.integrations.revealpath.RevealPathService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

 import javax.inject.Inject;
-import javafx.application.Application;
 import java.io.BufferedWriter;
 import java.io.IOException;
 import java.io.OutputStreamWriter;
@@ -25,6 +28,7 @@ import java.util.stream.Collectors;
@HealthCheckScoped
 public class ReportWriter {

+	private static final Logger LOG = LoggerFactory.getLogger(ReportWriter.class);
 	private static final String REPORT_HEADER = """
 			*******************************************
 			*     Cryptomator Vault Health Report     *
@@ -43,14 +47,14 @@ public class ReportWriter {

 	private final Vault vault;
 	private final VaultConfig vaultConfig;
-	private final Application application;
+	private final RevealPathService revealPathService;
 	private final Path exportDestination;

 	@Inject
-	public ReportWriter(@HealthCheckWindow Vault vault, AtomicReference<VaultConfig> vaultConfigRef, Application application, Environment env) {
+	public ReportWriter(@HealthCheckWindow Vault vault, AtomicReference<VaultConfig> vaultConfigRef, RevealPathService revealPathService, Environment env) {
 		this.vault = vault;
 		this.vaultConfig = Objects.requireNonNull(vaultConfigRef.get());
-		this.application = application;
+		this.revealPathService = revealPathService;
 		this.exportDestination = env.getLogDir().orElse(Path.of(System.getProperty("user.home"))).resolve("healthReport_" + vault.getDisplayName() + "_" + TIME_STAMP.format(Instant.now()) + ".log");
 	}

@@ -92,7 +96,11 @@ public class ReportWriter {
 	}

 	private void reveal() {
-		application.getHostServices().showDocument(exportDestination.getParent().toUri().toString());
+		try {
+			revealPathService.reveal(exportDestination.getParent());
+		} catch (RevealFailedException e) {
+			LOG.warn("Failed to reveal export destination location of report", e);
+		}
 	}

 }
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/AuthFlowController.java
@@ -1,6 +1,5 @@
 package org.cryptomator.ui.keyloading.hub;

-import com.nimbusds.jose.JWEObject;
 import dagger.Lazy;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.FxmlFile;
@@ -12,8 +11,6 @@ import javax.inject.Inject;
 import javax.inject.Named;
 import javafx.application.Application;
 import javafx.application.Platform;
-import javafx.beans.binding.Bindings;
-import javafx.beans.binding.StringBinding;
 import javafx.beans.property.ObjectProperty;
 import javafx.beans.property.SimpleObjectProperty;
 import javafx.concurrent.WorkerStateEvent;
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/CheckHostTrustController.java
@@ -0,0 +1,179 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import dagger.Lazy;
+import org.cryptomator.common.Environment;
+import org.cryptomator.common.settings.Settings;
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.common.FxmlFile;
+import org.cryptomator.ui.common.FxmlScene;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+import org.jetbrains.annotations.VisibleForTesting;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.inject.Inject;
+import javafx.application.Platform;
+import javafx.beans.property.SimpleStringProperty;
+import javafx.beans.property.StringProperty;
+import javafx.fxml.FXML;
+import javafx.scene.Scene;
+import javafx.scene.text.Text;
+import javafx.scene.text.TextFlow;
+import javafx.stage.Stage;
+import java.net.URI;
+import java.util.ResourceBundle;
+import java.util.Set;
+import java.util.SortedSet;
+import java.util.TreeSet;
+import java.util.concurrent.CompletableFuture;
+
+@KeyLoadingScoped
+public class CheckHostTrustController implements FxController {
+
+	private static final Logger LOG = LoggerFactory.getLogger(CheckHostTrustController.class);
+	private static final String CHECK_KEY = "hub.checkHostTrust.message.check";
+	private static final String ASK_SINGULAR_KEY = "hub.checkHostTrust.message.ask";
+	private static final String ASK_PLURAL_KEY = "hub.checkHostTrust.message.ask.plural";
+	private static final String TRUSTED_CRYPTOMATOR_CLOUD_DOMAIN = ".cryptomator.cloud";
+
+	private final Stage window;
+	private final HubConfig hubConfig;
+	private final URI canonicalHubUri;
+	private final URI canonicalAuthUri;
+	private final Lazy<Scene> authFlowScene;
+	private final Lazy<Scene> untrustedHostScene;
+	private final CompletableFuture<ReceivedKey> result;
+	private final Settings settings;
+	private final Environment env;
+	private final ResourceBundle resourceBundle;
+	private final SortedSet<String> hostnames;
+	private final StringProperty messageLabel;
+
+	@FXML
+	private TextFlow hostnamesFlow;
+
+	@Inject
+	public CheckHostTrustController(@KeyLoading Stage window, //
+									HubConfig hubConfig, //
+									@FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, //
+									@FxmlScene(FxmlFile.HUB_UNTRUSTED_HOST) Lazy<Scene> untrustedHostScene, //
+									CompletableFuture<ReceivedKey> result, //
+									Settings settings, //
+									Environment env, //
+									ResourceBundle resourceBundle) {
+		this.window = window;
+		this.hubConfig = hubConfig;
+		this.canonicalHubUri = hubConfig.getApiBaseUrl();
+		this.canonicalAuthUri = URI.create(hubConfig.authEndpoint);
+		this.authFlowScene = authFlowScene;
+		this.untrustedHostScene = untrustedHostScene;
+		this.result = result;
+		this.settings = settings;
+		this.env = env;
+		this.resourceBundle = resourceBundle;
+		this.hostnames = new TreeSet<>();
+		this.messageLabel = new SimpleStringProperty(resourceBundle.getString(CHECK_KEY));
+	}
+
+	@FXML
+	public void initialize() {
+		if (!isConsistentHubConfig()) {
+			LOG.warn("Inconsistent hub config detected. Denying access to protect the user.");
+			deny();
+		} else if (isAllCryptomatorCloud() && !isAnyHttpHost()) {
+			trust(); // trust *.cryptomator.cloud by default, domain is owned by Cryptomator maintainers
+		} else if (containsAllowedHosts(env.hubAllowedHosts())) {
+			trust(); // trust hosts explicitly allowlisted via system property
+		} else if (isAnyHttpHost() && !isAllLocalhost()) {
+			LOG.warn("Denying attempt to connect to hub instance via unencrypted HTTP.");
+			deny(); // never trust http hosts except for local testing
+		} else if (env.hubTrustOnFirstUse() && containsAllowedHosts(settings.trustedHosts)) {
+			trust(); // trust hosts previously allowlisted by the user
+		} else if (env.hubTrustOnFirstUse()) {
+			hostnames.add(getAuthority(canonicalHubUri));
+			hostnames.add(getAuthority(canonicalAuthUri));
+			renderHostnames(); // ask user whether to trust these hosts
+		} else {
+			LOG.warn("Cryptomator is not allowed to connect to {}. Check your {} config.", getAuthority(canonicalHubUri), Environment.HUB_ALLOWED_HOSTS_PROP_NAME);
+			deny();
+		}
+	}
+
+	@FXML
+	public void trust() {
+		settings.trustedHosts.addAll(hostnames);
+		Platform.runLater(() -> {
+			window.setScene(authFlowScene.get());
+		});
+	}
+
+	@FXML
+	public void deny() {
+		result.cancel(true);
+		Platform.runLater(() -> {
+			window.setScene(untrustedHostScene.get());
+		});
+	}
+
+	private void renderHostnames() {
+		hostnamesFlow.getChildren().clear();
+		for (var hostname : hostnames) {
+			hostnamesFlow.getChildren().add(new Text(hostname + System.lineSeparator()));
+		}
+		var messageKey = hostnames.size() > 1 ? ASK_PLURAL_KEY : ASK_SINGULAR_KEY;
+		messageLabel.set(resourceBundle.getString(messageKey));
+	}
+
+	private boolean isConsistentHubConfig() {
+		var canonicalHubAuthority = getAuthority(canonicalHubUri);
+		var canonicalAuthAuthority = getAuthority(canonicalAuthUri);
+
+		// apiBaseURL.host == deviceUrl.host == authSuccessUrl.host == authErrorUrl.host
+		return (hubConfig.apiBaseUrl == null || getAuthority(hubConfig.apiBaseUrl).equals(canonicalHubAuthority)) //
+				&& (hubConfig.devicesResourceUrl == null || getAuthority(hubConfig.devicesResourceUrl).equals(canonicalHubAuthority)) //
+				&& getAuthority(hubConfig.authSuccessUrl).equals(canonicalHubAuthority) //
+				&& getAuthority(hubConfig.authErrorUrl).equals(canonicalHubAuthority) //
+				// authUrl.host == tokenUrl.host:
+				&& getAuthority(hubConfig.tokenEndpoint).equals(canonicalAuthAuthority);
+	}
+
+	private boolean isAllCryptomatorCloud() {
+		return canonicalHubUri.getHost().endsWith(TRUSTED_CRYPTOMATOR_CLOUD_DOMAIN) && canonicalAuthUri.getHost().endsWith(TRUSTED_CRYPTOMATOR_CLOUD_DOMAIN);
+	}
+
+	private boolean isAnyHttpHost() {
+		return "http".equalsIgnoreCase(canonicalHubUri.getScheme()) || "http".equalsIgnoreCase(canonicalAuthUri.getScheme());
+	}
+
+	private boolean isAllLocalhost() {
+		return "localhost".equalsIgnoreCase(canonicalHubUri.getHost()) && "localhost".equalsIgnoreCase(canonicalAuthUri.getHost());
+	}
+
+	@VisibleForTesting
+	boolean containsAllowedHosts(Set<String> allowedHubHosts) {
+		return allowedHubHosts.contains(getAuthority(canonicalHubUri)) && allowedHubHosts.contains(getAuthority(canonicalAuthUri));
+	}
+
+	public static String getAuthority(String string) {
+		return getAuthority(URI.create(string));
+	}
+
+	public static String getAuthority(URI uri) {
+		if (uri.getPort() == -1) {
+			return "%s://%s".formatted(uri.getScheme(), uri.getHost());
+		} else {
+			return "%s://%s:%s".formatted(uri.getScheme(), uri.getHost(), uri.getPort());
+		}
+	}
+
+	//--- JavaFX property getter & setter
+	public StringProperty messageLabelProperty() {
+		return messageLabel;
+	}
+
+	public String getMessageLabel() {
+		return messageLabel.get();
+	}
+
+}
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingModule.java
@@ -98,6 +98,13 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_NO_KEYCHAIN);
 	}

+	@Provides
+	@FxmlScene(FxmlFile.HUB_CHECK_HOST_TRUST)
+	@KeyLoadingScoped
+	static Scene provideHubCheckHostTrustScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_CHECK_HOST_TRUST);
+	}
+
 	@Provides
 	@FxmlScene(FxmlFile.HUB_AUTH_FLOW)
 	@KeyLoadingScoped
@@ -168,6 +175,13 @@ public abstract class HubKeyLoadingModule {
 		return fxmlLoaders.createScene(FxmlFile.HUB_UNAUTHORIZED_DEVICE);
 	}

+	@Provides
+	@FxmlScene(FxmlFile.HUB_UNTRUSTED_HOST)
+	@KeyLoadingScoped
+	static Scene provideHubUntrustedHostScene(@KeyLoading FxmlLoaderFactory fxmlLoaders) {
+		return fxmlLoaders.createScene(FxmlFile.HUB_UNTRUSTED_HOST);
+	}
+
 	@Provides
 	@FxmlScene(FxmlFile.HUB_REQUIRE_ACCOUNT_INIT)
 	@KeyLoadingScoped
@@ -180,6 +194,11 @@ public abstract class HubKeyLoadingModule {
 	@FxControllerKey(NoKeychainController.class)
 	abstract FxController bindNoKeychainController(NoKeychainController controller);

+	@Binds
+	@IntoMap
+	@FxControllerKey(CheckHostTrustController.class)
+	abstract FxController bindCheckHostAuthenticityController(CheckHostTrustController controller);
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(AuthFlowController.class)
@@ -225,6 +244,11 @@ public abstract class HubKeyLoadingModule {
 	@FxControllerKey(UnauthorizedDeviceController.class)
 	abstract FxController bindUnauthorizedDeviceController(UnauthorizedDeviceController controller);

+	@Binds
+	@IntoMap
+	@FxControllerKey(UntrustedHostController.class)
+	abstract FxController bindUnauthorizedHostController(UntrustedHostController controller);
+
 	@Binds
 	@IntoMap
 	@FxControllerKey(RequireAccountInitController.class)
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/HubKeyLoadingStrategy.java
@@ -36,19 +36,19 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy, FilesystemOwne
 	private final Stage window;
 	private final KeychainManager keychainManager;
 	private final AtomicReference<String> fsOwnerId;
-	private final Lazy<Scene> authFlowScene;
+	private final Lazy<Scene> checkHostTrustScene;
 	private final Lazy<Scene> noKeychainScene;
 	private final CompletableFuture<ReceivedKey> result;
 	private final DeviceKey deviceKey;

 	@Inject
-	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_AUTH_FLOW) Lazy<Scene> authFlowScene, @FxmlScene(FxmlFile.HUB_NO_KEYCHAIN) Lazy<Scene> noKeychainScene, CompletableFuture<ReceivedKey> result, DeviceKey deviceKey, KeychainManager keychainManager, @Named("windowTitle") String windowTitle, @Named("filesystemOwnerId") AtomicReference<String> fsOwnerId) {
+	public HubKeyLoadingStrategy(@KeyLoading Stage window, @FxmlScene(FxmlFile.HUB_CHECK_HOST_TRUST) Lazy<Scene> checkHostTrustScene, @FxmlScene(FxmlFile.HUB_NO_KEYCHAIN) Lazy<Scene> noKeychainScene, CompletableFuture<ReceivedKey> result, DeviceKey deviceKey, KeychainManager keychainManager, @Named("windowTitle") String windowTitle, @Named("filesystemOwnerId") AtomicReference<String> fsOwnerId) {
 		this.window = window;
 		this.keychainManager = keychainManager;
 		this.fsOwnerId = fsOwnerId;
 		window.setTitle(windowTitle);
 		window.setOnCloseRequest(_ -> result.cancel(true));
-		this.authFlowScene = authFlowScene;
+		this.checkHostTrustScene = checkHostTrustScene;
 		this.noKeychainScene = noKeychainScene;
 		this.result = result;
 		this.deviceKey = deviceKey;
@@ -62,7 +62,7 @@ public class HubKeyLoadingStrategy implements KeyLoadingStrategy, FilesystemOwne
 				throw new NoKeychainAccessProviderException();
 			}
 			var keypair = deviceKey.get();
-			showWindow(authFlowScene);
+			showWindow(checkHostTrustScene);
 			var jwe = result.get();
 			return jwe.decryptMasterkey(keypair.getPrivate());
 		} catch (NoKeychainAccessProviderException e) {
--- a/src/main/java/org/cryptomator/ui/keyloading/hub/UntrustedHostController.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/hub/UntrustedHostController.java
@@ -0,0 +1,34 @@
+package org.cryptomator.ui.keyloading.hub;
+
+import org.cryptomator.ui.common.FxController;
+import org.cryptomator.ui.keyloading.KeyLoading;
+import org.cryptomator.ui.keyloading.KeyLoadingScoped;
+
+import javax.inject.Inject;
+import javafx.fxml.FXML;
+import javafx.stage.Stage;
+import javafx.stage.WindowEvent;
+import java.util.concurrent.CompletableFuture;
+
+@KeyLoadingScoped
+public class UntrustedHostController implements FxController {
+
+	private final Stage window;
+	private final CompletableFuture<ReceivedKey> result;
+
+	@Inject
+	public UntrustedHostController(@KeyLoading Stage window, CompletableFuture<ReceivedKey> result) {
+		this.window = window;
+		this.result = result;
+		this.window.addEventHandler(WindowEvent.WINDOW_HIDING, this::windowClosed);
+	}
+
+	@FXML
+	public void close() {
+		window.close();
+	}
+
+	private void windowClosed(WindowEvent windowEvent) {
+		result.cancel(true);
+	}
+}
--- a/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/MasterkeyFileLoadingStrategy.java
+++ b/src/main/java/org/cryptomator/ui/keyloading/masterkeyfile/MasterkeyFileLoadingStrategy.java
@@ -1,6 +1,7 @@
 package org.cryptomator.ui.keyloading.masterkeyfile;

 import com.google.common.base.Preconditions;
+import org.cryptomator.common.Constants;
 import org.cryptomator.common.Passphrase;
 import org.cryptomator.common.keychain.KeychainManager;
 import org.cryptomator.common.vaults.Vault;
@@ -63,16 +64,21 @@ public class MasterkeyFileLoadingStrategy implements KeyLoadingStrategy {
 	public Masterkey loadKey(URI keyId) throws MasterkeyLoadingFailedException {
 		window.setTitle(resourceBundle.getString("unlock.title").formatted(vault.getDisplayName()));
 		Preconditions.checkArgument(SCHEME.equalsIgnoreCase(keyId.getScheme()), "Only supports keys with scheme " + SCHEME);
+		if (!Constants.MASTERKEY_FILENAME.equals(keyId.getSchemeSpecificPart())) {
+			LOG.warn("unsupported masterkey path found in vault.cryptomator: {}", keyId.getSchemeSpecificPart());
+		}
 		try {
-			Path filePath = vault.getPath().resolve(keyId.getSchemeSpecificPart());
+			// determine masterkey file path:
+			Path filePath = vault.getPath().resolve(Constants.MASTERKEY_FILENAME);
 			if (!Files.exists(filePath)) {
 				filePath = askUserForMasterkeyFilePath();
 			}
+			// unlock:
 			if (passphrase == null) {
 				askForPassphrase();
 			}
 			var masterkey = masterkeyFileAccess.load(filePath, passphrase);
-			//backup
+			// backup on successful unlock:
 			if (filePath.startsWith(vault.getPath())) {
 				try {
 					BackupHelper.attemptBackup(filePath);
--- a/src/main/java/org/cryptomator/ui/mainwindow/VaultDetailController.java
+++ b/src/main/java/org/cryptomator/ui/mainwindow/VaultDetailController.java
@@ -2,14 +2,17 @@ package org.cryptomator.ui.mainwindow;

 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.common.vaults.VaultState;
+import org.cryptomator.integrations.revealpath.RevealFailedException;
+import org.cryptomator.integrations.revealpath.RevealPathService;
 import org.cryptomator.ui.common.Animations;
 import org.cryptomator.ui.common.AutoAnimator;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.controls.FontAwesome5Icon;
 import org.cryptomator.ui.controls.FontAwesome5IconView;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

 import javax.inject.Inject;
-import javafx.application.Application;
 import javafx.beans.binding.BooleanBinding;
 import javafx.beans.property.ObjectProperty;
 import javafx.beans.property.ReadOnlyObjectProperty;
@@ -19,10 +22,12 @@ import javafx.fxml.FXML;
@MainWindowScoped
 public class VaultDetailController implements FxController {

+	private static final Logger LOG = LoggerFactory.getLogger(VaultDetailController.class);
+
 	private final ReadOnlyObjectProperty<Vault> vault;
-	private final Application application;
 	private final ObservableValue<FontAwesome5Icon> glyph;
 	private final BooleanBinding anyVaultSelected;
+	private final RevealPathService revealPathService;

 	private AutoAnimator spinAnimation;

@@ -31,11 +36,11 @@ public class VaultDetailController implements FxController {


 	@Inject
-	VaultDetailController(ObjectProperty<Vault> vault, Application application) {
+	VaultDetailController(ObjectProperty<Vault> vault, RevealPathService revealPathService) {
 		this.vault = vault;
-		this.application = application;
 		this.glyph = vault.flatMap(Vault::stateProperty).map(this::getGlyphForVaultState);
 		this.anyVaultSelected = vault.isNotNull();
+		this.revealPathService = revealPathService;
 	}

 	public void initialize() {
@@ -61,7 +66,11 @@ public class VaultDetailController implements FxController {

 	@FXML
 	public void revealStorageLocation() {
-		application.getHostServices().showDocument(vault.get().getPath().toUri().toString());
+		try {
+			revealPathService.reveal(vault.get().getPath());
+		} catch (RevealFailedException e) {
+			LOG.warn("Failed to reveal vault storage location", e);
+		}
 	}

 	/* Observable Properties */
--- a/src/main/java/org/cryptomator/ui/mainwindow/VaultDetailUnlockedController.java
+++ b/src/main/java/org/cryptomator/ui/mainwindow/VaultDetailUnlockedController.java
@@ -1,9 +1,8 @@
 package org.cryptomator.ui.mainwindow;

+import com.github.benmanes.caffeine.cache.Caffeine;
+import com.github.benmanes.caffeine.cache.LoadingCache;
 import com.google.common.base.Preconditions;
-import com.google.common.cache.CacheBuilder;
-import com.google.common.cache.CacheLoader;
-import com.google.common.cache.LoadingCache;
 import com.tobiasdiez.easybind.EasyBind;
 import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.common.Nullable;
@@ -21,7 +20,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.inject.Inject;
-import javafx.application.Platform;
 import javafx.beans.property.BooleanProperty;
 import javafx.beans.property.ObjectProperty;
 import javafx.beans.property.ReadOnlyObjectProperty;
@@ -31,7 +29,6 @@ import javafx.fxml.FXML;
 import javafx.scene.control.Button;
 import javafx.scene.input.Clipboard;
 import javafx.scene.input.ClipboardContent;
-import javafx.scene.input.DataFormat;
 import javafx.scene.input.DragEvent;
 import javafx.scene.input.TransferMode;
 import javafx.stage.FileChooser;
@@ -40,12 +37,8 @@ import java.io.File;
 import java.io.IOException;
 import java.nio.file.Path;
 import java.util.List;
-import java.util.Map;
 import java.util.Objects;
-import java.util.Optional;
 import java.util.ResourceBundle;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.TimeUnit;
 import java.util.function.Consumer;
 import java.util.function.Function;

@@ -60,10 +53,11 @@ public class VaultDetailUnlockedController implements FxController {
 	private final VaultService vaultService;
 	private final WrongFileAlertComponent.Builder wrongFileAlert;
 	private final Stage mainWindow;
-	private final Optional<RevealPathService> revealPathService;
+	private final RevealPathService revealPathService;
 	private final DecryptNameComponent.Factory decryptNameWindowFactory;
 	private final ResourceBundle resourceBundle;
 	private final LoadingCache<Vault, VaultStatisticsComponent> vaultStats;
+	private final LoadingCache<Vault, DecryptNameComponent> decryptNameWindows;
 	private final VaultStatisticsComponent.Builder vaultStatsBuilder;
 	private final ObservableValue<Boolean> accessibleViaPath;
 	private final ObservableValue<Boolean> accessibleViaUri;
@@ -84,7 +78,7 @@ public class VaultDetailUnlockedController implements FxController {
 										 VaultStatisticsComponent.Builder vaultStatsBuilder, //
 										 WrongFileAlertComponent.Builder wrongFileAlert, //
 										 @MainWindow Stage mainWindow, //
-										 Optional<RevealPathService> revealPathService, //
+										 RevealPathService revealPathService, //
 										 DecryptNameComponent.Factory decryptNameWindowFactory, //
 										 ResourceBundle resourceBundle) {
 		this.vault = vault;
@@ -95,7 +89,8 @@ public class VaultDetailUnlockedController implements FxController {
 		this.revealPathService = revealPathService;
 		this.decryptNameWindowFactory = decryptNameWindowFactory;
 		this.resourceBundle = resourceBundle;
-		this.vaultStats = CacheBuilder.newBuilder().weakValues().build(CacheLoader.from(this::buildVaultStats));
+		this.vaultStats = Caffeine.newBuilder().weakValues().build(this::buildVaultStats);
+		this.decryptNameWindows = Caffeine.newBuilder().weakValues().build(this::buildDecryptNameWindow);
 		this.vaultStatsBuilder = vaultStatsBuilder;
 		var mp = vault.flatMap(Vault::mountPointProperty);
 		this.accessibleViaPath = mp.map(m -> m instanceof Mountpoint.WithPath).orElse(false);
@@ -111,7 +106,7 @@ public class VaultDetailUnlockedController implements FxController {

 	public void initialize() {
 		revealEncryptedDropZone.setOnDragOver(e -> handleDragOver(e, draggingOverLocateEncrypted));
-		revealEncryptedDropZone.setOnDragDropped(e -> handleDragDropped(e, this::getCiphertextPath, this::revealOrCopyPaths));
+		revealEncryptedDropZone.setOnDragDropped(e -> handleDragDropped(e, this::getCiphertextPath, this::revealPaths));
 		revealEncryptedDropZone.setOnDragExited(_ -> draggingOverLocateEncrypted.setValue(false));

 		decryptNameDropZone.setOnDragOver(e -> handleDragOver(e, draggingOverDecryptName));
@@ -156,7 +151,7 @@ public class VaultDetailUnlockedController implements FxController {
 		if (cleartextFile != null) {
 			var ciphertextPath = getCiphertextPath(cleartextFile.toPath());
 			if (ciphertextPath != null) {
-				revealOrCopyPaths(List.of(ciphertextPath));
+				revealPaths(List.of(ciphertextPath));
 			}
 		}
 	}
@@ -167,7 +162,7 @@ public class VaultDetailUnlockedController implements FxController {
 	}

 	private void showDecryptNameWindow(List<Path> pathsToDecrypt) {
-		decryptNameWindowFactory.create(vault.get(), mainWindow, pathsToDecrypt).showDecryptFileNameWindow();
+		decryptNameWindows.get(vault.get()).showDecryptFileNameWindow(pathsToDecrypt);
 	}

 	private boolean startsWithVaultAccessPoint(Path path) {
@@ -188,38 +183,26 @@ public class VaultDetailUnlockedController implements FxController {
 		}
 	}

-	private void revealOrCopyPaths(List<Path> paths) {
-		revealPathService.ifPresentOrElse(svc -> revealPaths(svc, paths), () -> {
-			LOG.warn("No service provider to reveal files found.");
-			copyPathsToClipboard(paths);
-		});
-	}
-
-	private void revealPaths(RevealPathService service, List<Path> paths) {
+	private void revealPaths(List<Path> paths) {
 		paths.forEach(path -> {
 			try {
 				LOG.debug("Revealing {}", path);
-				service.reveal(path);
+				revealPathService.reveal(path);
 			} catch (RevealFailedException e) {
+				//TODO: show popup in ui
 				LOG.error("Revealing ciphertext file failed.", e);
 			}
 		});
 	}

-	private void copyPathsToClipboard(List<Path> paths) {
-		StringBuilder clipboardString = new StringBuilder();
-		paths.forEach(p -> clipboardString.append(p.toString()).append("\n"));
-		Clipboard.getSystemClipboard().setContent(Map.of(DataFormat.PLAIN_TEXT, clipboardString.toString()));
-		ciphertextPathsCopied.setValue(true);
-		CompletableFuture.delayedExecutor(2, TimeUnit.SECONDS, Platform::runLater).execute(() -> {
-			ciphertextPathsCopied.set(false);
-		});
-	}
-
 	private VaultStatisticsComponent buildVaultStats(Vault vault) {
 		return vaultStatsBuilder.vault(vault).build();
 	}

+	private DecryptNameComponent buildDecryptNameWindow(Vault vault) {
+		return decryptNameWindowFactory.create(vault, mainWindow);
+	}
+
 	@FXML
 	public void revealAccessLocation() {
 		vaultService.reveal(vault.get());
@@ -239,7 +222,7 @@ public class VaultDetailUnlockedController implements FxController {

 	@FXML
 	public void showVaultStatistics() {
-		vaultStats.getUnchecked(vault.get()).showVaultStatisticsWindow();
+		vaultStats.get(vault.get()).showVaultStatisticsWindow();
 	}

 	/* Getter/Setter */
--- a/src/main/java/org/cryptomator/ui/preferences/GeneralPreferencesController.java
+++ b/src/main/java/org/cryptomator/ui/preferences/GeneralPreferencesController.java
@@ -10,16 +10,18 @@ import org.cryptomator.integrations.common.NamedServiceProvider;
 import org.cryptomator.integrations.keychain.KeychainAccessException;
 import org.cryptomator.integrations.keychain.KeychainAccessProvider;
 import org.cryptomator.integrations.quickaccess.QuickAccessService;
+import org.cryptomator.integrations.revealpath.RevealFailedException;
+import org.cryptomator.integrations.revealpath.RevealPathService;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.fxapp.FxApplicationWindows;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.inject.Inject;
-import javafx.application.Application;
 import javafx.beans.Observable;
 import javafx.beans.binding.Bindings;
 import javafx.fxml.FXML;
+import javafx.scene.control.Button;
 import javafx.scene.control.CheckBox;
 import javafx.scene.control.ChoiceBox;
 import javafx.scene.control.ToggleGroup;
@@ -41,7 +43,7 @@ public class GeneralPreferencesController implements FxController {
 	private final Settings settings;
 	private final Optional<AutoStartProvider> autoStartProvider;
 	private final List<QuickAccessService> quickAccessServices;
-	private final Application application;
+	private final RevealPathService revealPathService;
 	private final Environment environment;
 	private final List<KeychainAccessProvider> keychainAccessProviders;
 	private final KeychainManager keychain;
@@ -55,14 +57,21 @@ public class GeneralPreferencesController implements FxController {
 	public CheckBox autoCloseVaultsCheckbox;
 	public CheckBox debugModeCheckbox;
 	public CheckBox autoStartCheckbox;
+	public Button resetTrustedHostsButton;
 	public ToggleGroup nodeOrientation;

 	private CompletionStage<Void> keychainMigrations = CompletableFuture.completedFuture(null);

 	@Inject
-	GeneralPreferencesController(@PreferencesWindow Stage window, Settings settings, Optional<AutoStartProvider> autoStartProvider, //
-								 List<KeychainAccessProvider> keychainAccessProviders, KeychainManager keychain, Application application, //
-								 Environment environment, FxApplicationWindows appWindows, ExecutorService backgroundExecutor) {
+	GeneralPreferencesController(@PreferencesWindow Stage window, //
+								 Settings settings, //
+								 Optional<AutoStartProvider> autoStartProvider, //
+								 List<KeychainAccessProvider> keychainAccessProviders, //
+								 KeychainManager keychain, //
+								 RevealPathService revealPathService, //
+								 Environment environment, //
+								 FxApplicationWindows appWindows, //
+								 ExecutorService backgroundExecutor) {
 		this.window = window;
 		this.settings = settings;
 		this.autoStartProvider = autoStartProvider;
@@ -70,7 +79,7 @@ public class GeneralPreferencesController implements FxController {
 		this.keychain = keychain;
 		this.backgroundExecutor = backgroundExecutor;
 		this.quickAccessServices = QuickAccessService.get().toList();
-		this.application = application;
+		this.revealPathService = revealPathService;
 		this.environment = environment;
 		this.appWindows = appWindows;
 	}
@@ -98,6 +107,9 @@ public class GeneralPreferencesController implements FxController {
 		quickAccessServiceChoiceBox.setConverter(new NamedServiceConverter<>());
 		Bindings.bindBidirectional(settings.quickAccessService, quickAccessServiceChoiceBox.valueProperty(), quickAccessSettingsConverter);
 		quickAccessServiceChoiceBox.disableProperty().bind(useQuickAccessCheckbox.selectedProperty().not());
+		if (resetTrustedHostsButton != null) {
+			resetTrustedHostsButton.disableProperty().bind(Bindings.isEmpty(settings.trustedHosts));
+		}
 	}

 	private void migrateKeychainEntries(Observable observable, KeychainAccessProvider oldProvider, KeychainAccessProvider newProvider) {
@@ -124,6 +136,10 @@ public class GeneralPreferencesController implements FxController {
 		return autoStartProvider.isPresent();
 	}

+	public boolean isHubTrustOnFirstUseEnabled() {
+		return environment.hubTrustOnFirstUse();
+	}
+
 	@FXML
 	public void toggleAutoStart() {
 		autoStartProvider.ifPresent(autoStart -> {
@@ -146,9 +162,18 @@ public class GeneralPreferencesController implements FxController {
 		return !quickAccessServices.isEmpty();
 	}

+	@FXML
+	public void resetTrustedHosts() {
+		settings.trustedHosts.clear();
+	}
+
 	@FXML
 	public void showLogfileDirectory() {
-		environment.getLogDir().ifPresent(logDirPath -> application.getHostServices().showDocument(logDirPath.toUri().toString()));
+		try {
+			revealPathService.reveal(environment.getLogDir().orElseThrow());
+		} catch (RevealFailedException e) {
+			LOG.warn("Failed to reveal log files directory.", e);
+		}
 	}

 	/* Helper classes */
@@ -196,4 +221,5 @@ public class GeneralPreferencesController implements FxController {
 			}
 		}
 	}
+
 }
--- a/src/main/java/org/cryptomator/ui/preferences/UpdatesPreferencesController.java
+++ b/src/main/java/org/cryptomator/ui/preferences/UpdatesPreferencesController.java
@@ -3,18 +3,19 @@ package org.cryptomator.ui.preferences;
 import org.cryptomator.common.Environment;
 import org.cryptomator.common.settings.Settings;
 import org.cryptomator.common.vaults.Vault;
+import org.cryptomator.integrations.revealpath.RevealFailedException;
+import org.cryptomator.integrations.revealpath.RevealPathService;
 import org.cryptomator.integrations.update.UpdateStep;
 import org.cryptomator.ui.common.FxController;
 import org.cryptomator.ui.common.VaultService;
-import org.cryptomator.updater.UpdateChecker;
 import org.cryptomator.updater.FallbackUpdateInfo;
+import org.cryptomator.updater.UpdateChecker;
 import org.cryptomator.updater.UpdateService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.inject.Inject;
 import javafx.animation.PauseTransition;
-import javafx.application.Application;
 import javafx.application.Platform;
 import javafx.beans.binding.Bindings;
 import javafx.beans.binding.BooleanBinding;
@@ -49,7 +50,7 @@ public class UpdatesPreferencesController implements FxController {
 	private static final Logger LOG = LoggerFactory.getLogger(UpdatesPreferencesController.class);
 	private static final DateTimeFormatter FORMATTER = DateTimeFormatter.ofLocalizedDateTime(FormatStyle.MEDIUM).withLocale(Locale.getDefault());

-	private final Application application;
+	private final RevealPathService revealPathService;
 	private final Environment environment;
 	private final ResourceBundle resourceBundle;
 	private final Settings settings;
@@ -72,8 +73,8 @@ public class UpdatesPreferencesController implements FxController {
 	public CheckBox checkForUpdatesCheckbox;

 	@Inject
-	UpdatesPreferencesController(Application application, Environment environment, ResourceBundle resourceBundle, Settings settings, UpdateChecker updateChecker, ObservableList<Vault> vaults, VaultService vaultService) {
-		this.application = application;
+	UpdatesPreferencesController(RevealPathService revealPathService, Environment environment, ResourceBundle resourceBundle, Settings settings, UpdateChecker updateChecker, ObservableList<Vault> vaults, VaultService vaultService) {
+		this.revealPathService = revealPathService;
 		this.environment = environment;
 		this.resourceBundle = resourceBundle;
 		this.settings = settings;
@@ -106,9 +107,14 @@ public class UpdatesPreferencesController implements FxController {
 		updateService.setOnFailed(this::updateFailed);
 	}

+
 	@FXML
 	public void showLogfileDirectory() {
-		environment.getLogDir().ifPresent(logDirPath -> application.getHostServices().showDocument(logDirPath.toUri().toString()));
+		try {
+			revealPathService.reveal(environment.getLogDir().orElseThrow());
+		} catch (RevealFailedException e) {
+			LOG.warn("Failed to reveal log files directory.", e);
+		}
 	}

 	@FXML
@@ -254,7 +260,7 @@ public class UpdatesPreferencesController implements FxController {

 	public boolean isProhibitUpdateWhileUnlocked() {
 		// If the result of the last update check was from the fallback mechanism, we don't need to show the warning
-		return !unlockedVaults.isEmpty() && !FallbackUpdateInfo.class.isInstance(updateChecker.getUpdate());
+		return !unlockedVaults.isEmpty() && updateChecker.isUpdateAvailable() && !FallbackUpdateInfo.class.isInstance(updateChecker.getUpdate());
 	}

 	public BooleanBinding prohibitUpdateWhileUnlockedProperty() {
--- a/src/main/java/org/cryptomator/ui/sharevault/ShareVaultController.java
+++ b/src/main/java/org/cryptomator/ui/sharevault/ShareVaultController.java
@@ -18,7 +18,10 @@ import java.net.URISyntaxException;
 public class ShareVaultController implements FxController {

 	private static final String SCHEME_PREFIX = "hub+";
-	private static final String VISIT_HUB_URL = "https://cryptomator.org/hub/";
+	private static final String VISIT_HUB_URL = "https://cryptomator.org/hub/" //
+			+ "?utm_source=cryptomator-desktop" //
+			+ "&utm_medium=app" //
+			+ "&utm_campaign=share-vault";
 	private static final String BEST_PRACTICES_URL = "https://docs.cryptomator.org/security/best-practices/#sharing-of-vaults";

 	private final Stage window;
--- a/src/main/resources/fxml/hub_check_host_trust.fxml
+++ b/src/main/resources/fxml/hub_check_host_trust.fxml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.shape.Circle?>
+<?import javafx.scene.text.TextFlow?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.CheckHostTrustController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12"
+	  alignment="TOP_LEFT"
+	  accessibleRole="DIALOG">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="QUESTION" glyphSize="24"/>
+			</StackPane>
+		</Group>
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="${controller.messageLabel}" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<TextFlow fx:id="hostnamesFlow" styleClass="text-flow" minHeight="60"/>
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+			<ButtonBar buttonMinWidth="120" buttonOrder="+CX">
+				<buttons>
+					<Button text="%hub.checkHostTrust.denyBtn" ButtonBar.buttonData="CANCEL_CLOSE" cancelButton="true" onAction="#deny"/>
+					<Button text="%hub.checkHostTrust.trustBtn" ButtonBar.buttonData="NEXT_FORWARD" defaultButton="true" onAction="#trust"/>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</HBox>
--- a/src/main/resources/fxml/hub_untrusted_host.fxml
+++ b/src/main/resources/fxml/hub_untrusted_host.fxml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?import org.cryptomator.ui.controls.FontAwesome5IconView?>
+<?import javafx.geometry.Insets?>
+<?import javafx.scene.Group?>
+<?import javafx.scene.control.Button?>
+<?import javafx.scene.control.ButtonBar?>
+<?import javafx.scene.control.Label?>
+<?import javafx.scene.layout.HBox?>
+<?import javafx.scene.layout.Region?>
+<?import javafx.scene.layout.StackPane?>
+<?import javafx.scene.layout.VBox?>
+<?import javafx.scene.shape.Circle?>
+<HBox xmlns:fx="http://javafx.com/fxml"
+	  xmlns="http://javafx.com/javafx"
+	  fx:controller="org.cryptomator.ui.keyloading.hub.UntrustedHostController"
+	  minWidth="400"
+	  maxWidth="400"
+	  minHeight="145"
+	  spacing="12"
+	  alignment="TOP_LEFT"
+	  accessibleRole="DIALOG">
+	<padding>
+		<Insets topRightBottomLeft="12"/>
+	</padding>
+	<children>
+		<Group>
+			<StackPane>
+				<padding>
+					<Insets topRightBottomLeft="6"/>
+				</padding>
+				<Circle styleClass="glyph-icon-primary" radius="24"/>
+				<FontAwesome5IconView styleClass="glyph-icon-white" glyph="EXCLAMATION" glyphSize="24"/>
+			</StackPane>
+		</Group>
+		<VBox HBox.hgrow="ALWAYS">
+			<Label styleClass="label-large" text="%hub.untrustedHost.message" wrapText="true" textAlignment="LEFT">
+				<padding>
+					<Insets bottom="6" top="6"/>
+				</padding>
+			</Label>
+			<Label text="%hub.untrustedHost.description" wrapText="true"/>
+			<Region VBox.vgrow="ALWAYS" minHeight="18"/>
+			<ButtonBar buttonMinWidth="120" buttonOrder="+C">
+				<buttons>
+					<Button text="%generic.button.close" ButtonBar.buttonData="CANCEL_CLOSE" defaultButton="true" onAction="#close"/>
+				</buttons>
+			</ButtonBar>
+		</VBox>
+	</children>
+</HBox>
+
--- a/src/main/resources/fxml/notification.fxml
+++ b/src/main/resources/fxml/notification.fxml
@@ -15,7 +15,7 @@
 <BorderPane xmlns="http://javafx.com/javafx"
 			xmlns:fx="http://javafx.com/fxml"
 			fx:controller="org.cryptomator.ui.notification.NotificationController"
-			prefHeight="200.0" prefWidth="400.0" maxHeight="200.0" maxWidth="400.0"
+			prefHeight="224.0" prefWidth="400.0" maxHeight="224.0" maxWidth="400.0"
 			styleClass="notification-window"
 			accessibleRole="DIALOG">
 	<padding>
@@ -65,7 +65,7 @@
 			<Label text="${controller.message}" styleClass="label-large" wrapText="true"/>
 			<Label  text="${controller.fileName}" styleClass="label" textOverrun="CENTER_ELLIPSIS" visible="${!controller.fileName.empty}" managed="${!controller.fileName.empty}"/>
 			<Region minHeight="6"/>
-			<ScrollPane minViewportWidth="370" minViewportHeight="50">
+			<ScrollPane minViewportWidth="370" minViewportHeight="70">
 				<Label text="${controller.description}" styleClass="label" wrapText="true" maxWidth="370"/>
 			</ScrollPane>
 			<Region VBox.vgrow="ALWAYS"/>
--- a/src/main/resources/fxml/preferences_about.fxml
+++ b/src/main/resources/fxml/preferences_about.fxml
@@ -22,7 +22,7 @@
 			</ImageView>
 			<VBox spacing="3" HBox.hgrow="ALWAYS" alignment="CENTER_LEFT">
 				<FormattedLabel styleClass="label-extra-large" format="Cryptomator %s" arg1="${controller.fullApplicationVersion}"/>
-				<Label text="© 2016 – 2025 Skymatic GmbH"/>
+				<Label text="© 2016 – 2026 Skymatic GmbH"/>
 			</VBox>
 		</HBox>

--- a/src/main/resources/fxml/preferences_general.fxml
+++ b/src/main/resources/fxml/preferences_general.fxml
@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>

 <?import javafx.geometry.Insets?>
+<?import javafx.scene.control.Button?>
 <?import javafx.scene.control.CheckBox?>
 <?import javafx.scene.control.ChoiceBox?>
 <?import javafx.scene.control.Hyperlink?>
@@ -34,6 +35,8 @@
 			<CheckBox fx:id="useQuickAccessCheckbox" text="%preferences.general.quickAccessService"/>
 			<ChoiceBox fx:id="quickAccessServiceChoiceBox" accessibleText="%preferences.general.quickAccessService"/>
 		</HBox>
+
+		<Button fx:id="resetTrustedHostsButton" text="%preferences.general.resetTrustedHosts" visible="${controller.hubTrustOnFirstUseEnabled}" managed="${controller.hubTrustOnFirstUseEnabled}" onAction="#resetTrustedHosts"/>
 		<Region VBox.vgrow="ALWAYS"/>

 		<HBox spacing="12" alignment="CENTER_LEFT">
--- a/src/main/resources/fxml/recoverykey_validate.fxml
+++ b/src/main/resources/fxml/recoverykey_validate.fxml
@@ -17,22 +17,22 @@

 		<TextArea wrapText="true" prefRowCount="4" fx:id="textarea" textFormatter="${controller.recoveryKeyTextFormatter}" onKeyPressed="#onKeyPressed"/>
 		<VBox>
-			<Label text="Just some Filler" visible="false" managed="${textarea.text.empty}" graphicTextGap="6">
+			<Label text="%recoveryKey.recover.wrongKey" visible="false" managed="${textarea.text.empty}" graphicTextGap="6" wrapText="true" >
 				<graphic>
 					<FontAwesome5IconView glyph="ANCHOR"/>
 				</graphic>
 			</Label>
-			<Label text="%recoveryKey.recover.correctKey" graphicTextGap="6" visible="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyCorrect}" managed="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyCorrect}">
+			<Label text="%recoveryKey.recover.correctKey" graphicTextGap="6" wrapText="true" visible="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyCorrect}" managed="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyCorrect}">
 				<graphic>
 					<FontAwesome5IconView glyph="CHECK"/>
 				</graphic>
 			</Label>
-			<Label text="%recoveryKey.recover.wrongKey" graphicTextGap="6"  visible="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyWrong}" managed="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyWrong}">
+			<Label text="%recoveryKey.recover.wrongKey" graphicTextGap="6" wrapText="true" visible="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyWrong}" managed="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyWrong}">
 				<graphic>
 					<FontAwesome5IconView glyph="TIMES" styleClass="glyph-icon-red"/>
 				</graphic>
 			</Label>
-			<Label text="%recoveryKey.recover.invalidKey" graphicTextGap="6"  visible="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyInvalid}" managed="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyInvalid}">
+			<Label text="%recoveryKey.recover.invalidKey" graphicTextGap="6" wrapText="true" visible="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyInvalid}" managed="${(!textarea.text.empty) &amp;&amp; controller.recoveryKeyInvalid}">
 				<graphic>
 					<FontAwesome5IconView glyph="TIMES" styleClass="glyph-icon-red"/>
 				</graphic>
--- a/src/main/resources/fxml/vault_options_mount.fxml
+++ b/src/main/resources/fxml/vault_options_mount.fxml
@@ -9,90 +9,94 @@
 <?import javafx.scene.control.Hyperlink?>
 <?import javafx.scene.control.Label?>
 <?import javafx.scene.control.RadioButton?>
+<?import javafx.scene.control.ScrollPane?>
 <?import javafx.scene.control.TextField?>
 <?import javafx.scene.control.ToggleGroup?>
 <?import javafx.scene.control.Tooltip?>
 <?import javafx.scene.layout.HBox?>
 <?import javafx.scene.layout.VBox?>
-<VBox xmlns:fx="http://javafx.com/fxml"
-	  xmlns="http://javafx.com/javafx"
-	  fx:controller="org.cryptomator.ui.vaultoptions.MountOptionsController"
-	  spacing="6">
-	<fx:define>
-		<ToggleGroup fx:id="mountPointToggleGroup"/>
-	</fx:define>
-	<padding>
-		<Insets topRightBottomLeft="12"/>
-	</padding>
-	<children>
-		<HBox spacing="12" alignment="CENTER_LEFT">
-			<Label text="%vaultOptions.mount.volume.type" labelFor="$vaultVolumeTypeChoiceBox"/>
-			<ChoiceBox fx:id="vaultVolumeTypeChoiceBox"/>
-			<Hyperlink contentDisplay="GRAPHIC_ONLY" onAction="#openVolumePreferences" visible="${controller.defaultMountServiceSelected}" managed="${controller.defaultMountServiceSelected}" accessibleText="%vaultOptions.mount.info">
-				<graphic>
-					<FontAwesome5IconView glyph="COGS" styleClass="glyph-icon-muted"/>
-				</graphic>
-				<tooltip>
-					<Tooltip text="%vaultOptions.mount.info" showDelay="100ms"/>
-				</tooltip>
-			</Hyperlink>
-			<Hyperlink contentDisplay="GRAPHIC_ONLY" onAction="#openDocs" visible="${!controller.defaultMountServiceSelected}" managed="${!controller.defaultMountServiceSelected}" accessibleText="%preferences.volume.docsTooltip">
-				<graphic>
-					<FontAwesome5IconView glyph="QUESTION_CIRCLE" styleClass="glyph-icon-muted"/>
-				</graphic>
-				<tooltip>
-					<Tooltip text="%preferences.volume.docsTooltip" showDelay="100ms"/>
-				</tooltip>
-			</Hyperlink>
-		</HBox>
-
-		<Label styleClass="label-red" text="%vaultOptions.mount.volumeType.restartRequired" visible="${controller.selectedMountServiceRequiresRestart}" managed="${controller.selectedMountServiceRequiresRestart}"/>
-
-		<HBox spacing="12" alignment="CENTER_LEFT" visible="${controller.loopbackPortChangeable}" managed="${controller.loopbackPortChangeable}">
-			<Label text="%vaultOptions.mount.volume.tcp.port" labelFor="$vaultLoopbackPortField"/>
-			<NumericTextField fx:id="vaultLoopbackPortField"/>
-			<Button text="%generic.button.apply" fx:id="vaultLoopbackPortApplyButton" onAction="#doChangeLoopbackPort"/>
-		</HBox>
-
-		<CheckBox fx:id="readOnlyCheckbox" text="%vaultOptions.mount.readonly" visible="${controller.readOnlyOptionAllowed}" managed="${controller.readOnlyOptionAllowed}"/>
-
-		<VBox visible="${controller.mountFlagsSupported}" managed="${controller.mountFlagsSupported}">
-			<CheckBox fx:id="customMountFlagsCheckbox" text="%vaultOptions.mount.customMountFlags" onAction="#toggleUseCustomMountFlags"/>
-			<TextField fx:id="mountFlagsField" HBox.hgrow="ALWAYS" maxWidth="Infinity" accessibleText="%vaultOptions.mount.customMountFlags">
-				<VBox.margin>
-					<Insets left="24"/>
-				</VBox.margin>
-			</TextField>
-		</VBox>
-
-		<Label text="%vaultOptions.mount.mountPoint">
-			<VBox.margin>
-				<Insets top="9"/>
-			</VBox.margin>
-		</Label>
-
-		<RadioButton toggleGroup="${mountPointToggleGroup}" fx:id="mountPointAutoBtn" text="%vaultOptions.mount.mountPoint.auto"/>
-
-		<HBox spacing="6" visible="${controller.mountpointDriveLetterSupported}" managed="${controller.mountpointDriveLetterSupported}">
-			<RadioButton toggleGroup="${mountPointToggleGroup}" fx:id="mountPointDriveLetterBtn" text="%vaultOptions.mount.mountPoint.driveLetter"/>
-			<ChoiceBox fx:id="driveLetterSelection" disable="${!mountPointDriveLetterBtn.selected}" accessibleText="%vaultOptions.mount.mountPoint.driveLetter"/>
-		</HBox>
-
-		<VBox spacing="6" visible="${controller.mountpointDirSupported}" managed="${controller.mountpointDirSupported}">
-			<HBox spacing="6" alignment="CENTER_LEFT">
-				<RadioButton toggleGroup="${mountPointToggleGroup}" fx:id="mountPointDirBtn" text="%vaultOptions.mount.mountPoint.custom"/>
-				<Button text="%vaultOptions.mount.mountPoint.directoryPickerButton" onAction="#chooseCustomMountPoint" contentDisplay="LEFT" disable="${!mountPointDirBtn.selected}">
+<ScrollPane xmlns:fx="http://javafx.com/fxml"
+			xmlns="http://javafx.com/javafx"
+			fx:controller="org.cryptomator.ui.vaultoptions.MountOptionsController"
+			fitToWidth="true"
+			hbarPolicy="NEVER">
+	<VBox spacing="6">
+		<fx:define>
+			<ToggleGroup fx:id="mountPointToggleGroup"/>
+		</fx:define>
+		<padding>
+			<Insets topRightBottomLeft="12"/>
+		</padding>
+		<children>
+			<HBox spacing="12" alignment="CENTER_LEFT">
+				<Label text="%vaultOptions.mount.volume.type" labelFor="$vaultVolumeTypeChoiceBox"/>
+				<ChoiceBox fx:id="vaultVolumeTypeChoiceBox"/>
+				<Hyperlink contentDisplay="GRAPHIC_ONLY" onAction="#openVolumePreferences" visible="${controller.defaultMountServiceSelected}" managed="${controller.defaultMountServiceSelected}" accessibleText="%vaultOptions.mount.info">
 					<graphic>
-						<FontAwesome5IconView glyph="FOLDER_OPEN" glyphSize="15"/>
+						<FontAwesome5IconView glyph="COGS" styleClass="glyph-icon-muted"/>
 					</graphic>
-				</Button>
+					<tooltip>
+						<Tooltip text="%vaultOptions.mount.info" showDelay="100ms"/>
+					</tooltip>
+				</Hyperlink>
+				<Hyperlink contentDisplay="GRAPHIC_ONLY" onAction="#openDocs" visible="${!controller.defaultMountServiceSelected}" managed="${!controller.defaultMountServiceSelected}" accessibleText="%preferences.volume.docsTooltip">
+					<graphic>
+						<FontAwesome5IconView glyph="QUESTION_CIRCLE" styleClass="glyph-icon-muted"/>
+					</graphic>
+					<tooltip>
+						<Tooltip text="%preferences.volume.docsTooltip" showDelay="100ms"/>
+					</tooltip>
+				</Hyperlink>
 			</HBox>
-			<TextField fx:id="directoryPathField" text="${controller.directoryPath}" visible="${mountPointDirBtn.selected}" managed="${mountPointDirBtn.managed}" maxWidth="Infinity" editable="false" accessibleText="%vaultOptions.mount.mountPoint.custom">
-				<VBox.margin>
-					<Insets left="24"/>
-				</VBox.margin>
-			</TextField>
-		</VBox>
-	</children>

-</VBox>
+			<Label styleClass="label-red" text="%vaultOptions.mount.volumeType.restartRequired" visible="${controller.selectedMountServiceRequiresRestart}" managed="${controller.selectedMountServiceRequiresRestart}"/>
+
+			<HBox spacing="12" alignment="CENTER_LEFT" visible="${controller.loopbackPortChangeable}" managed="${controller.loopbackPortChangeable}">
+				<Label text="%vaultOptions.mount.volume.tcp.port" labelFor="$vaultLoopbackPortField"/>
+				<NumericTextField fx:id="vaultLoopbackPortField"/>
+				<Button text="%generic.button.apply" fx:id="vaultLoopbackPortApplyButton" onAction="#doChangeLoopbackPort"/>
+			</HBox>
+
+			<CheckBox fx:id="readOnlyCheckbox" text="%vaultOptions.mount.readonly" visible="${controller.readOnlyOptionAllowed}" managed="${controller.readOnlyOptionAllowed}"/>
+
+			<VBox visible="${controller.mountFlagsSupported}" managed="${controller.mountFlagsSupported}">
+				<CheckBox fx:id="customMountFlagsCheckbox" text="%vaultOptions.mount.customMountFlags" onAction="#toggleUseCustomMountFlags"/>
+				<TextField fx:id="mountFlagsField" HBox.hgrow="ALWAYS" maxWidth="Infinity" accessibleText="%vaultOptions.mount.customMountFlags">
+					<VBox.margin>
+						<Insets left="24"/>
+					</VBox.margin>
+				</TextField>
+			</VBox>
+
+			<Label text="%vaultOptions.mount.mountPoint">
+				<VBox.margin>
+					<Insets top="9"/>
+				</VBox.margin>
+			</Label>
+
+			<RadioButton toggleGroup="${mountPointToggleGroup}" fx:id="mountPointAutoBtn" text="%vaultOptions.mount.mountPoint.auto"/>
+
+			<HBox spacing="6" visible="${controller.mountpointDriveLetterSupported}" managed="${controller.mountpointDriveLetterSupported}">
+				<RadioButton toggleGroup="${mountPointToggleGroup}" fx:id="mountPointDriveLetterBtn" text="%vaultOptions.mount.mountPoint.driveLetter"/>
+				<ChoiceBox fx:id="driveLetterSelection" disable="${!mountPointDriveLetterBtn.selected}" accessibleText="%vaultOptions.mount.mountPoint.driveLetter"/>
+			</HBox>
+
+			<VBox spacing="6" visible="${controller.mountpointDirSupported}" managed="${controller.mountpointDirSupported}">
+				<HBox spacing="6" alignment="CENTER_LEFT">
+					<RadioButton toggleGroup="${mountPointToggleGroup}" fx:id="mountPointDirBtn" text="%vaultOptions.mount.mountPoint.custom"/>
+					<Button text="%vaultOptions.mount.mountPoint.directoryPickerButton" onAction="#chooseCustomMountPoint" contentDisplay="LEFT" disable="${!mountPointDirBtn.selected}">
+						<graphic>
+							<FontAwesome5IconView glyph="FOLDER_OPEN" glyphSize="15"/>
+						</graphic>
+					</Button>
+				</HBox>
+				<TextField fx:id="directoryPathField" text="${controller.directoryPath}" visible="${mountPointDirBtn.selected}" managed="${mountPointDirBtn.managed}" maxWidth="Infinity" editable="false" accessibleText="%vaultOptions.mount.mountPoint.custom">
+					<VBox.margin>
+						<Insets left="24"/>
+					</VBox.margin>
+				</TextField>
+			</VBox>
+		</children>
+
+	</VBox>
+</ScrollPane>
--- a/src/main/resources/i18n/strings.properties
+++ b/src/main/resources/i18n/strings.properties
@@ -162,6 +162,12 @@ unlock.error.title=Unlock "%s" failed
 hub.noKeychain.message=Unable to access device key
 hub.noKeychain.description=In order to unlock Hub vaults, a device key is required, which is secured using a keychain. To proceed, enable “%s” and select a keychain in the preferences.
 hub.noKeychain.openBtn=Open Preferences
+### Check Host Authenticity
+hub.checkHostTrust.message.check=Checking Configuration…
+hub.checkHostTrust.message.ask=Trust this host?
+hub.checkHostTrust.message.ask.plural=Trust these hosts?
+hub.checkHostTrust.trustBtn=Trust
+hub.checkHostTrust.denyBtn=Deny
 ### Waiting
 hub.auth.message=Waiting for authentication…
 hub.auth.description=You should automatically be redirected to the login page.
@@ -193,6 +199,9 @@ hub.archived.description=This vault has been archived and is no longer accessibl
 ### Unauthorized
 hub.unauthorized.message=Access denied
 hub.unauthorized.description=You are not authorized to open this vault. Contact the vault's owner to request access.
+### Untrusted Host
+hub.untrustedHost.message=Host not trusted
+hub.untrustedHost.description=Connection to Hub was blocked for your security. If you believe the Hub host is safe, contact your Hub administrator or try again.
 ### Requires Account Initialization
 hub.requireAccountInit.message=Action required
 hub.requireAccountInit.description.0=To proceed, please complete the steps required in your
@@ -306,6 +315,7 @@ preferences.general.debugDirectory=Reveal log files
 preferences.general.autoStart=Launch Cryptomator on system start
 preferences.general.keychainBackend=Store passwords with
 preferences.general.quickAccessService=Add unlocked vaults to the quick access area
+preferences.general.resetTrustedHosts=Reset trusted hosts
 ## Interface
 preferences.interface=Interface
 preferences.interface.theme=Look & Feel
@@ -696,33 +706,25 @@ eventView.cell.actionsButton.tooltip=Event actions
 eventView.entry.vaultLocked.description=Unlock "%s" for details
 eventView.entry.conflictResolved.message=Resolved conflict
 eventView.entry.conflictResolved.showDecrypted=Show decrypted file
-eventView.entry.conflictResolved.copyDecrypted=Copy decrypted path
 eventView.entry.conflict.message=Conflict resolution failed
 eventView.entry.conflict.showDecrypted=Show decrypted, original file
-eventView.entry.conflict.copyDecrypted=Copy decrypted, original path
 eventView.entry.conflict.showEncrypted=Show conflicting, encrypted file
-eventView.entry.conflict.copyEncrypted=Copy conflicting, encrypted path
 eventView.entry.decryptionFailed.message=Decryption failed
 eventView.entry.decryptionFailed.showEncrypted=Show encrypted file
-eventView.entry.decryptionFailed.copyEncrypted=Copy encrypted path
 eventView.entry.brokenDirFile.message=Broken directory link
 eventView.entry.brokenDirFile.showEncrypted=Show broken, encrypted link
-eventView.entry.brokenDirFile.copyEncrypted=Copy path of broken link
 eventView.entry.brokenFileNode.message=Broken filesystem node
 eventView.entry.brokenFileNode.showEncrypted=Show broken, encrypted node
-eventView.entry.brokenFileNode.copyEncrypted=Copy path of broken, encrypted node
 eventView.entry.brokenFileNode.copyDecrypted=Copy decrypted path
-eventView.entry.inUse.message=Locked File
+eventView.entry.inUse.message=File in use
 eventView.entry.inUse.showDecrypted=Show decrypted file
-eventView.entry.inUse.copyDecrypted=Copy decrypted path
 eventView.entry.inUse.showEncrypted=Show encrypted file
-eventView.entry.inUse.copyEncrypted=Copy encrypted path
 eventView.entry.inUse.copyUserAndDevice=Copy locking user and device name
-eventView.entry.inUse.ignoreLock=Ignore Lock
+eventView.entry.inUse.ignoreLock=Ignore use status


 # Notifications
 ## FileIsInUse Notification
-notification.inUse.message=File is locked by another device
-notification.inUse.description=The file is opened by %s on device %s. Ask the user to close the file and sync again. Otherwise, you can ignore the lock and open it anyway.
-notification.inUse.action=Ignore Lock
+notification.inUse.message=File is in use on another device
+notification.inUse.description=The file is open by %s on %s. Ask them to close the file and let synchronization finish. You can ignore the status to open it now, but this may cause conflicts or overwrite newer changes.
+notification.inUse.action=Ignore Use Status
--- a/src/main/resources/i18n/strings_af.properties
+++ b/src/main/resources/i18n/strings_af.properties
@@ -3,6 +3,8 @@
 # Generics
 ## Button

+## Vault state
+
 # Error

 # Defaults
@@ -36,6 +38,7 @@
 ### Register Device Legacy
 ### Registration Success
 ### Registration Failed
+### Archived
 ### Unauthorized
 ### Requires Account Initialization
 ### License Exceeded
@@ -81,7 +84,7 @@

 # Main Window
 ## Vault List
-##Notificaition
+##Notification
 ## Vault Detail
 ### Welcome
 ### Locked
@@ -148,3 +151,7 @@

 # Event View
 ## event list entries
+
+
+# Notifications
+## FileIsInUse Notification
--- a/src/main/resources/i18n/strings_ar.properties
+++ b/src/main/resources/i18n/strings_ar.properties
@@ -12,10 +12,14 @@ generic.button.close=إغلاق
 generic.button.copy=نسخ
 generic.button.copied=تم النسخ!
 generic.button.done=تم
+generic.button.previous=السابق
 generic.button.next=التالي
 generic.button.print=طباعة
 generic.button.remove=حذف

+## Vault state
+vault.state.error=خطأ
+
 # Error
 error.message=حدث خطأ ما
 error.description=لم يتوقع Cryptomator حدوث ذلك. يمكنك البحث عن الحلول الموجودة لهذا الخطأ. وإذا لم يتم الإبلاغ عنه بعد، لا تتردد في فعل ذلك.
@@ -175,6 +179,7 @@ hub.registerSuccess.legacy.description=للدخول إلى الخزينة، يح
 hub.registerFailed.message=فشل تسجيل الجهاز
 hub.registerFailed.description.generic=حدث خطأ في عملية تسجيل الاسم. لمزيد من التفاصيل، راجع سجل التطبيق.
 hub.registerFailed.description.deviceAlreadyExists=هذا الجهاز مسجل لمستخدم مختلف بالفعل. حاول تغيير حساب المستخدم أو استخدام جهاز مختلف.
+### Archived
 ### Unauthorized
 hub.unauthorized.message=تم رفض الوصول
 hub.unauthorized.description=غير مسموح لك بفتح هذا المستودع. اتصل بمالك المستودع لطلب الوصول.
@@ -386,6 +391,7 @@ stats.access.total=مجموع الوصول: %d

 # Main Window
 ## Vault List
+main.vaultlist=المخازن
 main.vaultlist.emptyList.onboardingInstruction=انقر هنا لإضافة خزنة
 main.vaultlist.contextMenu.remove=حذف…
 main.vaultlist.contextMenu.lock=قفل
@@ -394,8 +400,8 @@ main.vaultlist.contextMenu.unlockNow=افتح الان
 main.vaultlist.contextMenu.vaultoptions=إظهار خيارات المخزن
 main.vaultlist.contextMenu.reveal=اظهار القرص
 main.vaultlist.contextMenu.share=مشاركة…
-main.vaultlist.showEventsButton.tooltip=عرض الإشعارات
-##Notificaition
+main.vaultlist.addVaultButton.tooltip=أضِف مخزنًا
+##Notification
 main.notification.updateAvailable=هناك تحديث متاح.
 main.notification.support=دعم Cryptomator.
 ## Vault Detail
@@ -624,19 +630,19 @@ eventView.clearListButton.tooltip=تفريغ القائمة
 eventView.entry.vaultLocked.description=فتح "%s" للحصول على التفاصيل
 eventView.entry.conflictResolved.message=تم حل التضارب
 eventView.entry.conflictResolved.showDecrypted=إظهار الملف غير المشفر
-eventView.entry.conflictResolved.copyDecrypted=نسخ المسار غير المشفر
 eventView.entry.conflict.message=فشل حل التضارب
 eventView.entry.conflict.showDecrypted=إظهار الملَف غير المشفر الأصلي
-eventView.entry.conflict.copyDecrypted=نسخ المسار غير المشفر والأصلي
 eventView.entry.conflict.showEncrypted=إظهار ملف متضارب ومشفر
-eventView.entry.conflict.copyEncrypted=نسخ مسار التشفير المتعارض
 eventView.entry.decryptionFailed.message=فشل فك التشفير
 eventView.entry.decryptionFailed.showEncrypted=عرض ملَف المشفر
-eventView.entry.decryptionFailed.copyEncrypted=نسخ مسار المشفر
 eventView.entry.brokenDirFile.message=رابط الدليل المكسور
 eventView.entry.brokenDirFile.showEncrypted=إظهار الرابط المكسور، المشفر
-eventView.entry.brokenDirFile.copyEncrypted=نسخ مسار الرابط المكسور
 eventView.entry.brokenFileNode.message=عقدة ملفات النظام التافلة
 eventView.entry.brokenFileNode.showEncrypted=عرض العقدة المشفّرة التافلة
-eventView.entry.brokenFileNode.copyEncrypted=نسخ مسار العقدة المشفّرة التافلة
 eventView.entry.brokenFileNode.copyDecrypted=نسخ المسار غير المشفر
+eventView.entry.inUse.showDecrypted=إظهار الملف غير المشفر
+eventView.entry.inUse.showEncrypted=عرض ملَف المشفر
+
+
+# Notifications
+## FileIsInUse Notification
--- a/src/main/resources/i18n/strings_ba.properties
+++ b/src/main/resources/i18n/strings_ba.properties
@@ -12,10 +12,14 @@ generic.button.close=Яп
 generic.button.copy=Күсермәһен ал
 generic.button.copied=Күсермә алынды!
 generic.button.done=Тамам
+generic.button.previous=Алдағы
 generic.button.next=Киләһе
 generic.button.print=Баҫтыр
 generic.button.remove=Алып ташлау

+## Vault state
+vault.state.error=Хата
+
 # Error
 error.message=Хата килеп сыҡты
 error.description=Cryptomator өсөн көтөлмәгән хәл. Был хатаның булған төҙәтеү варианттарын ҡарай алаһығыҙ. Әлегә тиклем белдерелмәгән булһа, был хаҡта хәбәр итә алаһығыҙ.
@@ -163,6 +167,7 @@ hub.register.registerBtn=Теркәл
 ### Registration Success
 hub.registerSuccess.unlockBtn=Биген ас
 ### Registration Failed
+### Archived
 ### Unauthorized
 hub.unauthorized.message=Инеү кире ҡағылды
 ### Requires Account Initialization
@@ -357,6 +362,7 @@ stats.access.total=Барлыҡ инеү: %d

 # Main Window
 ## Vault List
+main.vaultlist=Һаҡлағыстар
 main.vaultlist.emptyList.onboardingInstruction=Һаҡлағыс өҫтәү өсөн бында баҫығыҙ
 main.vaultlist.contextMenu.remove=Алып ташлау…
 main.vaultlist.contextMenu.lock=Биклә
@@ -364,7 +370,8 @@ main.vaultlist.contextMenu.unlock=Бикте асыу…
 main.vaultlist.contextMenu.unlockNow=Хәҙер бикте ас
 main.vaultlist.contextMenu.vaultoptions=Һаҡлағыс варианттарын күрһәт
 main.vaultlist.contextMenu.reveal=Дискты күрһәт
-##Notificaition
+main.vaultlist.addVaultButton.tooltip=Һаҡлағыс өҫтәү
+##Notification
 ## Vault Detail
 ### Welcome
 main.vaultDetail.welcomeOnboarding=Файлдарығыҙҙы һаҡлау өсөн Cryptomator-ҙы һайлағанығыҙ өсөн рәхмәт. Әгәр һеҙгә ярҙам кәрәк булһа, башлау буйынса белешмәләребеҙҙе ҡарағыҙ:
@@ -545,3 +552,7 @@ dokanySupportEnd.preferencesBtn=Көйләүҙәрҙе ас

 # Event View
 ## event list entries
+
+
+# Notifications
+## FileIsInUse Notification
--- a/src/main/resources/i18n/strings_be.properties
+++ b/src/main/resources/i18n/strings_be.properties
@@ -12,10 +12,13 @@ generic.button.close=Зачыніць
 generic.button.copy=Капіяваць
 generic.button.copied=Скапіявана!
 generic.button.done=Файна
+generic.button.previous=Папярэдні
 generic.button.next=Далей
 generic.button.print=Друкаваць
 generic.button.remove=Выдаліць

+## Vault state
+
 # Error
 error.message=Адбылася памылка
 error.description=Cryptomator не чакаў такога павароту. Ты можаш пашукаць рашэнні гэтай праблемы. Калі пра гэтую хібу яшчэ ніхто не паведаміў, калі ласка, зрабі ты гэта.
@@ -156,6 +159,7 @@ hub.register.nameLabel=Назва прылады
 ### Registration Success
 hub.registerSuccess.unlockBtn=Адамкнуць
 ### Registration Failed
+### Archived
 ### Unauthorized
 hub.unauthorized.message=Адмова ў доступе
 ### Requires Account Initialization
@@ -351,7 +355,8 @@ main.vaultlist.contextMenu.unlock=Адамкнуць…
 main.vaultlist.contextMenu.unlockNow=Разамкнуць зараз
 main.vaultlist.contextMenu.vaultoptions=Паказаць параметры скарбніцы
 main.vaultlist.contextMenu.reveal=Паказаць дыск
-##Notificaition
+main.vaultlist.addVaultButton.tooltip=Дадаць скарбніцу
+##Notification
 ## Vault Detail
 ### Welcome
 main.vaultDetail.welcomeOnboarding=Дзякуй, што ты абраў Cryptomator для абароны тваіх файлаў. Калі табе патрэбна дапамога, калі ласка, паглядзі нашы інструкцыі:
@@ -524,3 +529,7 @@ dokanySupportEnd.preferencesBtn=Адчыніць налады

 # Event View
 ## event list entries
+
+
+# Notifications
+## FileIsInUse Notification
--- a/src/main/resources/i18n/strings_bg.properties
+++ b/src/main/resources/i18n/strings_bg.properties
@@ -12,10 +12,19 @@ generic.button.close=Затваряне
 generic.button.copy=Копиране
 generic.button.copied=Копирано!
 generic.button.done=Готово
+generic.button.previous=Назад
 generic.button.next=Напред
 generic.button.print=Отпечатване
 generic.button.remove=Премахване

+## Vault state
+vault.state.locked=Заключено
+vault.state.unlocked=Отключено
+vault.state.missing=Липсващ
+vault.state.migrationNeeded=Необходима е миграция
+vault.state.processing=Обработване
+vault.state.error=Грешка
+
 # Error
 error.message=Възникна грешка
 error.description=Това е неочаквано за Криптоматор. Можете да потърсите съществуващи ревения за тази грешка. Или ако все още не е докладвана се чувствайте свободни да го направите.
@@ -95,6 +104,7 @@ addvault.new.readme.accessLocation.4=При желание можете да п
 ## Existing
 addvaultwizard.existing.title=Добавяне на съществуващо хранилище
 addvaultwizard.existing.instruction=Изберете файла „vault.cryptomator“ от съществуващото хранилище, но ако има само файл „masterkey.cryptomator“, изберете него.
+addvaultwizard.existing.restore=Възстановяване…
 addvaultwizard.existing.chooseBtn=Избиране…
 addvaultwizard.existing.filePickerTitle=Избор на файл на хранилището
 addvaultwizard.existing.filePickerMimeDesc=Хранилище на Криптоматор
@@ -142,6 +152,7 @@ unlock.error.customPath.description.hideawayNotDir=Временният, скр
 unlock.error.customPath.description.couldNotBeCleaned=Хранилището не може да бъде монтирано на „%s“. Опитайте отново или изберете друг път.
 unlock.error.customPath.description.notEmptyDir=Потребителският път на монтиране „%s“ не е празна папка. Изберете празна папка и опитайте отново.
 unlock.error.customPath.description.generic=Избрали сте потребителски път за монтиране на това хранилище, но при използването му възникна следната грешка: %2$s
+unlock.error.restartRequired.message=Хранилището не може да бъде отключено
 unlock.error.title=Неуспешно отключване на „%s“
 ## Hub
 hub.noKeychain.message=Няма достъп до ключа на устройството
@@ -163,6 +174,7 @@ hub.register.registerBtn=Регистриране
 ### Registration Success
 hub.registerSuccess.unlockBtn=Отключване
 ### Registration Failed
+### Archived
 ### Unauthorized
 hub.unauthorized.message=Отказан достъп
 ### Requires Account Initialization
@@ -365,7 +377,9 @@ main.vaultlist.contextMenu.unlock=Отключване…
 main.vaultlist.contextMenu.unlockNow=Отключване сега
 main.vaultlist.contextMenu.vaultoptions=Настройки на хранилището
 main.vaultlist.contextMenu.reveal=Разкриване на диска
-##Notificaition
+main.vaultlist.contextMenu.share=Споделяне…
+main.vaultlist.addVaultButton.tooltip=Добавяне на хранилище
+##Notification
 ## Vault Detail
 ### Welcome
 main.vaultDetail.welcomeOnboarding=Благодарим ви, че избрахте Криптоматор, за да предпазвате файловете си. Ако имате нужда от съдействие прочетете ръководствата за започване на работа с приложението:
@@ -546,3 +560,7 @@ dokanySupportEnd.preferencesBtn=Към настройките

 # Event View
 ## event list entries
+
+
+# Notifications
+## FileIsInUse Notification
--- a/src/main/resources/i18n/strings_bn.properties
+++ b/src/main/resources/i18n/strings_bn.properties
@@ -11,10 +11,14 @@ generic.button.close=বন্ধ করুন
 generic.button.copy=কপি
 generic.button.copied=কপি হয়েছে!
 generic.button.done=সম্পন্ন হয়েছে
+generic.button.previous=পিছনে
 generic.button.next=পরবর্তী
 generic.button.print=প্রিন্ট
 generic.button.remove=বাতিল

+## Vault state
+vault.state.error=ত্রুটি দেখা দিয়েছে
+
 # Error
 error.message=ত্রুটি %s
 error.description=ওহো! ক্রিপ্টোমেটর এটা যে হবে তা আশা করেনি. আপনি এই ত্রুটির সমাধানটি খুঁজে দেখুন. ত্রুটিটি সম্পর্কে যদি বিবরণ না পান, আপনি সেটি রিপোর্ট করতে পারেন.
@@ -95,6 +99,7 @@ unlock.unlockBtn=আনলক করুন
 ### Registration Success
 hub.registerSuccess.unlockBtn=আনলক করুন
 ### Registration Failed
+### Archived
 ### Unauthorized
 ### Requires Account Initialization
 ### License Exceeded
@@ -142,7 +147,8 @@ lock.forced.retryBtn=পুনরায় চেষ্টা করুন
 # Main Window
 ## Vault List
 main.vaultlist.contextMenu.lock=লক করুন
-##Notificaition
+main.vaultlist.addVaultButton.tooltip=ভোল্ট যুক্ত করুন
+##Notification
 ## Vault Detail
 ### Welcome
 ### Locked
@@ -212,3 +218,7 @@ vaultOptions.mount.mountPoint.directoryPickerButton=নির্বাচন ক

 # Event View
 ## event list entries
+
+
+# Notifications
+## FileIsInUse Notification
--- a/src/main/resources/i18n/strings_bs.properties
+++ b/src/main/resources/i18n/strings_bs.properties
@@ -15,6 +15,8 @@ generic.button.next=Sljedeće
 generic.button.print=Ispis
 generic.button.remove=Ukloni

+## Vault state
+
 # Error
 error.message=Došlo je do greške

@@ -109,6 +111,7 @@ unlock.success.revealBtn=Otkrij pogon
 ### Registration Success
 hub.registerSuccess.unlockBtn=Otključaj
 ### Registration Failed
+### Archived
 ### Unauthorized
 ### Requires Account Initialization
 ### License Exceeded
@@ -209,6 +212,7 @@ stats.write.accessCount=Ukupno upisano: %d

 # Main Window
 ## Vault List
+main.vaultlist=Sef
 main.vaultlist.emptyList.onboardingInstruction=Kliknite ovdje da dodate sef
 main.vaultlist.contextMenu.remove=Ukloni…
 main.vaultlist.contextMenu.lock=Zaključaj
@@ -216,7 +220,8 @@ main.vaultlist.contextMenu.unlock=Otključaj…
 main.vaultlist.contextMenu.unlockNow=Otključaj sada
 main.vaultlist.contextMenu.vaultoptions=Pokaži opcije sefa
 main.vaultlist.contextMenu.reveal=Otkrij pogon
-##Notificaition
+main.vaultlist.addVaultButton.tooltip=Dodaj sef
+##Notification
 ## Vault Detail
 ### Welcome
 main.vaultDetail.welcomeOnboarding=Hvala što ste izabrali Cryptomator za zaštitu podataka. Ako vam je potrebna pomoć, pogledajte naše vodiče za početak:
@@ -348,3 +353,7 @@ quit.lockAndQuitBtn=Zaključaj i zatvori

 # Event View
 ## event list entries
+
+
+# Notifications
+## FileIsInUse Notification
--- a/src/main/resources/i18n/strings_ca.properties
+++ b/src/main/resources/i18n/strings_ca.properties
@@ -12,10 +12,15 @@ generic.button.close=Tanca
 generic.button.copy=Copia
 generic.button.copied=Copiat!
 generic.button.done=Fet
+generic.button.previous=Anterior
 generic.button.next=Següent
 generic.button.print=Imprimeix
 generic.button.remove=Elimina

+## Vault state
+vault.state.locked=Bloquejada
+vault.state.error=Error
+
 # Error
 error.message=S'ha produït un error
 error.description=Ui! Cryptomator no esperava que passés això. Podeu cercar alguna de les solucions existents per a aquest error. Si no ha estat reportat encara, sentiu-vos lliure de fer-ho vós mateix.
@@ -175,6 +180,7 @@ hub.registerSuccess.legacy.description=Per a accedir a la caixa forta, el vostre
 hub.registerFailed.message=El registre del dispositiu ha fallat
 hub.registerFailed.description.generic=S'ha produït un error en el procés de registre. Per a obtindre'n més detalls vegeu els registres de l'aplicació.
 hub.registerFailed.description.deviceAlreadyExists=El dispositiu ja ha estat registrat per un altre usuari. Mireu de canviar el compte d'usuari o feu servir un dispositiu diferent.
+### Archived
 ### Unauthorized
 hub.unauthorized.message=Accés denegat
 hub.unauthorized.description=No estàs autoritzat a obrir aquesta caixa forta. Contacta amb el seu propietari per obtenir accés.
@@ -386,6 +392,7 @@ stats.access.total=Total d'accessos: %d

 # Main Window
 ## Vault List
+main.vaultlist=Caixes fortes
 main.vaultlist.emptyList.onboardingInstruction=Feu clic aquí per afegir una caixa forta
 main.vaultlist.contextMenu.remove=Elimina…
 main.vaultlist.contextMenu.lock=Bloqueja
@@ -394,12 +401,14 @@ main.vaultlist.contextMenu.unlockNow=Desbloqueja ara
 main.vaultlist.contextMenu.vaultoptions=Opcions de la caixa forta
 main.vaultlist.contextMenu.reveal=Mostra la unitat
 main.vaultlist.contextMenu.share=Compateix…
-##Notificaition
+main.vaultlist.addVaultButton.tooltip=Afegir una caixa forta
+##Notification
 main.notification.updateAvailable=Hi ha una actualització disponible.
 main.notification.support=Doneu suport a Cryptomator.
 ## Vault Detail
 ### Welcome
 main.vaultDetail.welcomeOnboarding=Gràcies per escollir Cryptomator per protegir els vostres fitxers. Si vos cal ajuda, llegiu les nostres guies per donar els Primers passos:
+main.vaultDetail.storageLocation=Ubicació de la caixa forta
 ### Locked
 main.vaultDetail.lockedStatus=BLOQUEJADA
 main.vaultDetail.unlockBtn=Desbloca…
@@ -599,3 +608,7 @@ shareVault.hub.openHub=Obre Cryptomator Hub

 # Event View
 ## event list entries
+
+
+# Notifications
+## FileIsInUse Notification
--- a/src/main/resources/i18n/strings_cs.properties
+++ b/src/main/resources/i18n/strings_cs.properties
@@ -12,10 +12,14 @@ generic.button.close=Zavřít
 generic.button.copy=Kopírovat
 generic.button.copied=Zkopírováno!
 generic.button.done=Hotovo
+generic.button.previous=Předchozí
 generic.button.next=Další
 generic.button.print=Tisk
 generic.button.remove=Odstranit

+## Vault state
+vault.state.error=Chyba
+
 # Error
 error.message=Chyba %s
 error.description=Jejda! Tohle Cryptomator nečekal. Můžete najít již existující řešení pro tuto chybu. Nebo pokud ještě nebyla nahlášena, neváhejte tak učinit.
@@ -171,6 +175,7 @@ hub.registerSuccess.legacy.description=Pro přístup k trezoru musí být vaše
 hub.registerFailed.message=Registrace zařízení se nezdařila
 hub.registerFailed.description.generic=Došlo k chybě v registračním procesu. Pro více detailů se podívejte do logu aplikace.
 hub.registerFailed.description.deviceAlreadyExists=Toto zařízení je již registrováno pro jiného uživatele. Zkuste změnit uživatelský účet nebo použijte jiné zařízení.
+### Archived
 ### Unauthorized
 hub.unauthorized.message=Přístup odepřen
 ### Requires Account Initialization
@@ -357,6 +362,7 @@ stats.access.total=Přístup celkem: %d

 # Main Window
 ## Vault List
+main.vaultlist=Trezory
 main.vaultlist.emptyList.onboardingInstruction=Klikněte zde pro přidání nového trezoru
 main.vaultlist.contextMenu.remove=Odstranit…
 main.vaultlist.contextMenu.lock=Zamknout
@@ -365,7 +371,8 @@ main.vaultlist.contextMenu.unlockNow=Odemknout nyní
 main.vaultlist.contextMenu.vaultoptions=Zobrazit možnosti trezoru
 main.vaultlist.contextMenu.reveal=Zobrazit jednotku
 main.vaultlist.contextMenu.share=Sdílet…
-##Notificaition
+main.vaultlist.addVaultButton.tooltip=Přidat trezor
+##Notification
 ## Vault Detail
 ### Welcome
 main.vaultDetail.welcomeOnboarding=Děkujeme, že jste si vybrali Cryptomator pro ochranu vašich souborů. Pokud potřebujete pomoc, podívejte se na naše návody:
@@ -562,3 +569,7 @@ shareVault.hub.openHub=Otevřít Cryptomator Hub

 # Event View
 ## event list entries
+
+
+# Notifications
+## FileIsInUse Notification
--- a/src/main/resources/i18n/strings_da.properties
+++ b/src/main/resources/i18n/strings_da.properties
@@ -12,10 +12,19 @@ generic.button.close=Luk
 generic.button.copy=Kopiér
 generic.button.copied=Kopieret!
 generic.button.done=Færdig
+generic.button.previous=Tidligere
 generic.button.next=Næste
 generic.button.print=Print
 generic.button.remove=Fjern

+## Vault state
+vault.state.locked=Låst
+vault.state.unlocked=Låst op
+vault.state.missing=Mangler
+vault.state.migrationNeeded=Migration påkrævet
+vault.state.processing=Bearbejder
+vault.state.error=Fejl
+
 # Error
 error.message=Der opstod en fejl
 error.description=Cryptomator forventede ikke at dette skete. Du kan gennemse eksisterende løsninger for denne fejl - eller hvis denne fejl ikke er blevet rapporteret før, er du meget velkommen til at rapportere den.
@@ -77,7 +86,7 @@ addvaultwizard.new.generateRecoveryKeyChoice=Du kan ikke tilgå dine data uden d
 addvaultwizard.new.generateRecoveryKeyChoice.yes=Ja tak - for en sikkerheds skyld
 addvaultwizard.new.generateRecoveryKeyChoice.no=Nej tak. Jeg mister ikke min adgangskode
 ### Information
-addvault.new.readme.storageLocation.fileName=VIGTIGT.rtf
+addvault.new.readme.storageLocation.fileName=IMPORTANT.rtf
 addvault.new.readme.storageLocation.1=⚠️  BOKS-FILER  ⚠️
 addvault.new.readme.storageLocation.2=Det er her er lokationen for din boks' data.
 addvault.new.readme.storageLocation.3=SØRG FOR ALDRIG AT
@@ -88,14 +97,14 @@ addvault.new.readme.storageLocation.7=1. Tilføj denne boks til Cryptomator.
 addvault.new.readme.storageLocation.8=2. Lås boksen op i Cryptomator.
 addvault.new.readme.storageLocation.9=3. Åbn placeringen ved at klikke på knappen "Vis boks".
 addvault.new.readme.storageLocation.10=Hvis du har brug for hjælp, så kig i dokumentationen: %s
-addvault.new.readme.accessLocation.fileName=VELKOMMEN.rtf
+addvault.new.readme.accessLocation.fileName=WELCOME.rtf
 addvault.new.readme.accessLocation.1=🔐️  KRYPTERET DREV  🔐️
 addvault.new.readme.accessLocation.2=Det er her indholdet af din boks tilgås.
 addvault.new.readme.accessLocation.3=Filer du tilføjer til dette drev vil blive krypteret af Cryptomator. Du har arbejde med filerne ligesom enhver anden fil/mappe. Dette er blot en dekrypteret visning af indholdet. Dine filer er stadig krypterede på din harddisk hele tiden.
 addvault.new.readme.accessLocation.4=Fjern denne fil hvis du har lyst.
 ## Existing
 addvaultwizard.existing.title=Tilføj Eksisterende Boks
-addvaultwizard.existing.instruction=Vælgt filen "vault.cryptomator" i mappen med dine boks-filer. Hvis der kun findes en fil med navnet "masterkey.cryptomator", skal du vælge den i stedet.
+addvaultwizard.existing.instruction=Vælg filen "vault.cryptomator" i mappen med dine boks-filer. Hvis der kun findes en fil med navnet "masterkey.cryptomator", skal du vælge den i stedet.
 addvaultwizard.existing.restore=Gendan…
 addvaultwizard.existing.chooseBtn=Vælg…
 addvaultwizard.existing.filePickerTitle=Vælg boks-fil
@@ -161,9 +170,9 @@ hub.receive.message=Behandler svar…
 hub.receive.description=Cryptomator modtager og behandler svaret fra hubben. Vent venligst.
 ### Register Device
 hub.register.message=Ny Enhed
-hub.register.description=Det er første gang Hub tilgås fra denne enhed. Registrer den venligst ved at anvende din Account Key.
+hub.register.description=Det er første gang Hub tilgås fra denne enhed. Registrer den venligst ved at anvende din kontonøgle.
 hub.register.nameLabel=Enheds-navn
-hub.register.invalidAccountKeyLabel=Ugyldig Account Key
+hub.register.invalidAccountKeyLabel=Ugyldig kontonøgle
 hub.register.registerBtn=Registrer
 ### Register Device Legacy
 hub.register.legacy.occupiedMsg=Navnet er allerede i brug
@@ -177,6 +186,9 @@ hub.registerSuccess.legacy.description=For at få adgang til boksen, skal din en
 hub.registerFailed.message=Enheds registrering mislykkedes
 hub.registerFailed.description.generic=Der opstod en fejl i registreringsprocessen. Kig i applikations-loggen for flere detaljer.
 hub.registerFailed.description.deviceAlreadyExists=Denne enhed er allerede registreret af en anden bruger. Prøv at ændre brugerkontoen eller brug en anden enhed.
+### Archived
+hub.archived.message=Boksen er arkiveret
+hub.archived.description=Denne boks er blevet arkiveret og er ikke længere tilgængelig. Kontakt venligst boksens ejer.
 ### Unauthorized
 hub.unauthorized.message=Adgang nægtet
 hub.unauthorized.description=Du har ikke tilladelse til at åbne denne boks. Kontant ejeren af boksen for at anmode om adgang.
@@ -232,7 +244,7 @@ migration.impossible.moreInfo=Boksen kan stadig åbnes med en ældre version. Fo
 ## Start
 health.title=Sundhedstjek af "%s"
 health.intro.header=Sundhedstjek
-health.intro.text=Sundhedstjek afvikler en række procedurer for at opdage og muligvis løse problemer, i den interne struktur i bin boks. Vær opmærksom på:
+health.intro.text=Sundhedstjek afvikler en række procedurer for at opdage og muligvis løse problemer, i den interne struktur i din boks. Vær opmærksom på:
 health.intro.remarkSync=Sørg for, at alle enheder er synkroniseret fuldstændig, dette løser de fleste problemer.
 health.intro.remarkFix=Ikke alle problemer kan løses.
 health.intro.remarkBackup=Hvis data er beskadiget, kan kun en sikkerhedskopi hjælpe.
@@ -257,6 +269,8 @@ health.check.detail.checkFinishedAndFound=Kontrolproceduren er kørt færdig. Ge
 health.check.detail.checkFailed=Kontrolproceduren blev afbrudt af en fejl.
 health.check.detail.checkCancelled=Kontrolproceduren blev annulleret.
 health.check.detail.listFilters.label=Filter
+health.check.detail.filterSeverity=Filtrér efter sværhedsgrad
+health.check.detail.filterFixState=Filtrér efter fix status
 health.check.detail.fixAllSpecificBtn=Løs alle af type
 health.check.exportBtn=Eksportér rapport
 ## Result view
@@ -311,7 +325,7 @@ preferences.volume.type=Standard Drev Type
 preferences.volume.type.automatic=Automatisk
 preferences.volume.docsTooltip=Åbn dokumentationen for at lære mere om de forskellige typer drev.
 preferences.volume.fuseRestartRequired=For at anvende ændringerne skal Cryptomator genstartes.
-preferences.volume.tcp.port=Standard TCP- Port
+preferences.volume.tcp.port=Standard TCP-Port
 preferences.volume.supportedFeatures=Den valgte type drev understøtter følgende funktioner:
 preferences.volume.feature.mountAuto=Automatisk valg af monteringspunkt
 preferences.volume.feature.mountToDir=Brugerdefineret mappe som monteringspunkt
@@ -329,8 +343,13 @@ preferences.updates.lastUpdateCheck.never=aldrig
 preferences.updates.lastUpdateCheck.recently=for nylig
 preferences.updates.lastUpdateCheck.daysAgo=%s dage siden
 preferences.updates.lastUpdateCheck.hoursAgo=%s timer siden
+preferences.updates.prohibitedDueToUnlockedVaults.1=Venligst
+preferences.updates.prohibitedDueToUnlockedVaults.2=lås dine bokse
+preferences.updates.prohibitedDueToUnlockedVaults.3=for at installere opdateringen.
 preferences.updates.checkFailed=Søgning efter opdateringer fejlede. Tjek din internetforbindelse eller forsøg igen senere.
+preferences.updates.updateFailed=Opdatering mislykkedes. Installér venligst opdateringen manuelt.
 preferences.updates.upToDate=Cryptomator er opdateret.
+preferences.updates.visitDownloadPage=Besøg Downloadside

 ## Contribution
 preferences.contribute=Støt os
@@ -341,6 +360,7 @@ preferences.contribute.promptText=Indsæt koden for supporter-certifikatet her
 preferences.contribute.thankYou=Tak fordi du støtter Cryptomators open source-udvikling!
 preferences.contribute.donate=Donér
 preferences.contribute.sponsor=Sponsor
+preferences.contribute.removeCert.tooltip=Fjern certifikat

 ### Remove License Key Dialog
 removeCert.title=Fjern certifikat
@@ -350,6 +370,7 @@ removeCert.description=Cryptomators kernefunktioner påvirkes ikke af dette. Hve

 ## About
 preferences.about=Om
+preferences.about.thirdPartyLicenses=Tredjepartslicenser

 # Vault Statistics
 stats.title=Statistik for %s
@@ -388,6 +409,8 @@ stats.access.total=Samlede adgang: %d

 # Main Window
 ## Vault List
+main.vaultlist=Bokse
+main.vaultlist.listEntry=Boks %s (%s)
 main.vaultlist.emptyList.onboardingInstruction=Klik her for at tilføje en boks
 main.vaultlist.contextMenu.remove=Fjern…
 main.vaultlist.contextMenu.lock=Lås
@@ -399,13 +422,17 @@ main.vaultlist.contextMenu.share=Del…
 main.vaultlist.addVaultBtn.menuItemNew=Opret ny boks…
 main.vaultlist.addVaultBtn.menuItemExisting=Åbn eksisterende boks…
 main.vaultlist.addVaultBtn.menuItemRecover=Genopret eksisterende boks…
+main.vaultlist.addVaultButton.tooltip=Tilføj boks
 main.vaultlist.showEventsButton.tooltip=Åbn begivenhedsvisning
-##Notificaition
+main.vaultlist.showPreferencesButton.tooltip=Vis Indstillinger
+##Notification
 main.notification.updateAvailable=Opdatering er tilgængelig.
 main.notification.support=Støt Cryptomator.
+main.notification.closeButton.tooltip=Luk infobjælke
 ## Vault Detail
 ### Welcome
 main.vaultDetail.welcomeOnboarding=Tak fordi du valgte Cryptomator til at beskytte dine filer. Hvis du har brug for hjælp, så tjek vores guider for at komme i gang:
+main.vaultDetail.storageLocation=Placering af boks
 ### Locked
 main.vaultDetail.lockedStatus=LÅST
 main.vaultDetail.unlockBtn=Lås op…
@@ -463,12 +490,13 @@ vaultOptions.general=Generelt
 vaultOptions.general.vaultName=Boks-navn
 vaultOptions.general.autoLock.lockAfterTimePart1=Lås efter inaktivitet i
 vaultOptions.general.autoLock.lockAfterTimePart2=minutter
+vaultOptions.general.autoLock.accessibleText=Lås timeout i minutter
 vaultOptions.general.unlockAfterStartup=Lås boksen op når Cryptomator starter
 vaultOptions.general.actionAfterUnlock=Efter oplåsning af boks
 vaultOptions.general.actionAfterUnlock.ignore=Gør intet
 vaultOptions.general.actionAfterUnlock.reveal=Vis drev
 vaultOptions.general.actionAfterUnlock.ask=Spørg
-vaultOptions.general.startHealthCheckBtn=Start sunhedstjek
+vaultOptions.general.startHealthCheckBtn=Start sundhedstjek

 ## Mount
 vaultOptions.mount=Montering
@@ -493,6 +521,7 @@ vaultOptions.masterkey.forgetSavedPasswordBtn=Glem gemt adgangskode
 vaultOptions.masterkey.recoveryKeyExplanation=En gendannelsesnøgle er den eneste måde du kan få adgang til din boks på, hvis du har glemt dit password.
 vaultOptions.masterkey.showRecoveryKeyBtn=Vis gendannelsesnøgle
 vaultOptions.masterkey.recoverPasswordBtn=Nulstil adgangskode
+vaultOptions.masterkey.missingMasterkeyFile=Disse tilvalg er kun tilgængelige hvis masterkeyfilen er til stede i boksmappen.
 ## Hub
 vaultOptions.hub=Gendannelse
 vaultOptions.hub.convertInfo=Du kan bruge gendannelsesnøglen til at konvertere denne Hub-boks til en adgangskode-baseret boks i en nødsituation.
@@ -518,9 +547,11 @@ recoveryKey.printout.heading=Cryptomator gendannelsesnøgle\n"%s"\n
 recoveryKey.recover.resetBtn=Nulstil
 recoveryKey.recover.recoverBtn=Gendan
 ### Recovery Key Password Reset Success
-recoveryKey.recover.resetSuccess.message=Adgangskod nulstillet
+recoveryKey.recover.resetSuccess.message=Adgangskode nulstillet
 recoveryKey.recover.resetSuccess.description=Du kan nu låse din boks op med den nye adgangskode.
 ### Recovery Key Vault Config Reset Success
+recoveryKey.recover.resetVaultConfigSuccess.message=Bokskonfiguration gendannet
+recoveryKey.recover.resetMasterkeyFileSuccess.message=Masterkey-fil genoprettet
 recoveryKey.recover.resetMasterkeyFileSuccess.description=Du kan låse din boks op med din adgangskode nu.

 # Recover Vault Config File and/or Masterkey
@@ -630,7 +661,7 @@ shareVault.hubAd.description=Den sikre måde at arbejde i hold
 shareVault.hubAd.keyManagement=Zero-knowledge nøgle håndtering
 shareVault.hubAd.authentication=Stærk autentifikation
 shareVault.hubAd.encryption=End-to-end-kryptering
-shareVault.visitHub=Besøg Kryptomator Hub
+shareVault.visitHub=Besøg Cryptomator Hub

 shareVault.hub.message=Sådan deler du en Hub boks
 shareVault.hub.description=For at dele indholdet i boksen med et andet holdmedlem skal du udføre to trin:
@@ -644,9 +675,11 @@ decryptNames.filePicker.title=Vælg krypteret fil
 decryptNames.filePicker.extensionDescription=Cryptomator krypteret fil
 decryptNames.copyTable.tooltip=Kopiér tabel
 decryptNames.clearTable.tooltip=Ryd tabel
+decryptNames.column.encrypted=Krypteret
+decryptNames.column.decrypted=Dekrypteret
 decryptNames.copyHint=Kopiér celleindhold med %s
 decryptNames.dropZone.message=Slip filer eller klik for at vælge
-decryptNames.dropZone.error.vaultInternalFiles=Boks interne filer med intet dekrypterbart navn valgt
+decryptNames.dropZone.error.vaultInternalFiles=Boks interne filer med intet dekryptérbart navn valgt
 decryptNames.dropZone.error.foreignFiles=Filer hører ikke til boksen "%s"
 decryptNames.dropZone.error.noDirIdBackup=Mappe af valgte filer indeholder ikke dirId.c9r fil
 decryptNames.dropZone.error.generic=Kunne ikke dekryptere filnavne
@@ -656,23 +689,31 @@ decryptNames.dropZone.error.generic=Kunne ikke dekryptere filnavne
 eventView.title=Begivenheder
 eventView.filter.allVaults=Alle
 eventView.clearListButton.tooltip=Ryd liste
+eventView.filterVaults=Filtrér efter boks
+eventView.cell.actionsButton.tooltip=Begivenhedshandlinger
 ## event list entries
 eventView.entry.vaultLocked.description=Lås "%s" op for detaljer
 eventView.entry.conflictResolved.message=Løst konflikt
 eventView.entry.conflictResolved.showDecrypted=Vis dekrypteret fil
-eventView.entry.conflictResolved.copyDecrypted=Kopiér dekrypteret sti
 eventView.entry.conflict.message=Konfliktløsning mislykkedes
 eventView.entry.conflict.showDecrypted=Vis dekrypteret, original fil
-eventView.entry.conflict.copyDecrypted=Kopier dekrypteret, original sti
 eventView.entry.conflict.showEncrypted=Vis modstridende, krypteret fil
-eventView.entry.conflict.copyEncrypted=Kopier modstridende, krypteret sti
 eventView.entry.decryptionFailed.message=Dekryptering mislykkedes
 eventView.entry.decryptionFailed.showEncrypted=Vis krypteret fil
-eventView.entry.decryptionFailed.copyEncrypted=Kopiér krypteret sti
 eventView.entry.brokenDirFile.message=Brudt mappelink
 eventView.entry.brokenDirFile.showEncrypted=Vis brudt, krypteret link
-eventView.entry.brokenDirFile.copyEncrypted=Kopiér sti til brudt link
 eventView.entry.brokenFileNode.message=Brudt filsystem-node
 eventView.entry.brokenFileNode.showEncrypted=Vis brudt, krypteret node
-eventView.entry.brokenFileNode.copyEncrypted=Kopiér sti af brudt, krypteret node
 eventView.entry.brokenFileNode.copyDecrypted=Kopiér dekrypteret sti
+eventView.entry.inUse.message=Fil i brug
+eventView.entry.inUse.showDecrypted=Vis dekrypteret fil
+eventView.entry.inUse.showEncrypted=Vis krypteret fil
+eventView.entry.inUse.copyUserAndDevice=Kopiér låsebruger og enhedsnavn
+eventView.entry.inUse.ignoreLock=Ignorér anvendelsesstatus
+
+
+# Notifications
+## FileIsInUse Notification
+notification.inUse.message=Filen er i brug på en anden enhed
+notification.inUse.description=Filen er åbnet af %s på %s. Bed dem om at lukke filen og lade synkroniseringen afslutte. Du kan ignorere status for at åbne den nu, men det kan forårsage konflikter eller overskrive nyere ændringer.
+notification.inUse.action=Ignorér anvendelsesstatus
--- a/Show More
+++ b/Show More