remove wixhelper extract step

if jdk is build with jep-493-flag, use jimage to extract wixhelper
try different version name
2026-05-16 01:31:28 +00:00 · 2025-11-13 14:58:22 +01:00 · 2025-11-13 14:30:04 +01:00 · 2025-11-13 13:41:56 +01:00 · 2025-11-13 13:29:38 +01:00
286 changed files with 3105 additions and 7855 deletions
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -20,10 +20,6 @@

 Translations are not managed directly in this repository. Instead, we use [Crowdin](https://translate.cryptomator.org/), which automatically synchronizes translations with this repository. If you want to help us with translations, please visit our translation project on Crowdin.

-## Use of Generative AI
-
-AI tools may assist your work, but every contribution must be fully understood, reviewed, and tested by you. Only submit changes you can clearly explain and justify. Unverified or low-quality AI output that wastes our time and resources will be closed without further review.
-
 ## Code of Conduct

 Help us keep Cryptomator open and inclusive. Please read and follow our [Code of Conduct](https://github.com/cryptomator/cryptomator/blob/develop/.github/CODE_OF_CONDUCT.md).
--- a/.github/actions/win-sign-action/action.yml
+++ b/.github/actions/win-sign-action/action.yml
@@ -48,7 +48,7 @@ runs:
        echo "client-secret=${{ inputs.client-secret }}" >> "$GITHUB_OUTPUT"
      shell: bash
    - name: Sign DLLs with Azure Trusted Signing
-      uses: azure/artifact-signing-action@87c2e83e6868da99d3380aa309851b32ed9a8346 # v1.1.0
+      uses: azure/trusted-signing-action@fc390cf8ed0f14e248a542af1d838388a47c7a7c # v0.5.10
      with:
        files-folder: ${{ inputs.base-dir }}
        files-folder-filter: ${{ inputs.file-extensions }}
@@ -59,7 +59,7 @@ runs:
        azure-tenant-id: ${{ steps.set-secrets.outputs.tenant-id }}
        azure-client-id: ${{ steps.set-secrets.outputs.client-id }}
        azure-client-secret: ${{ steps.set-secrets.outputs.client-secret }}
-        signing-account-name: cryptomatorSigning
+        trusted-signing-account-name: cryptomatorSigning
        certificate-profile-name: production
        endpoint: https://weu.codesigning.azure.net/
        timestamp-rfc3161: http://timestamp.acs.microsoft.com
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,7 +3,10 @@ updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
-      interval: "monthly"
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+      timezone: "Etc/UTC"
    ignore:
      - dependency-name: "org.cryptomator:integrations-api"
        versions: ["2.0.0-alpha1"]
@@ -11,13 +14,37 @@ updates:
        versions: ["2.0.1.MR"]
      - dependency-name: "org.openjfx:*"
        update-types: ["version-update:semver-major"]
-      # due to https://github.com/fabriciorby/maven-surefire-junit5-tree-reporter/issues/68
-      - dependency-name: "org.apache.maven.plugins:maven-surefire-plugin"
-        versions: [ "3.5.4", "3.5.5" ]
    groups:
-      maven-dependencies:
+      java-test-dependencies:
+        patterns:
+          - "org.junit.jupiter:*"
+          - "org.mockito:*"
+          - "org.hamcrest:*"
+          - "com.google.jimfs:jimfs"
+      maven-build-plugins:
+        patterns:
+          - "org.apache.maven.plugins:*"
+          - "org.jacoco:jacoco-maven-plugin"
+          - "org.owasp:dependency-check-maven"
+          - "me.fabriciorby:maven-surefire-junit5-tree-reporter"
+          - "org.codehaus.mojo:license-maven-plugin"
+      javafx:
+        patterns:
+          - "org.openjfx:*"
+      java-production-dependencies:
        patterns:
          - "*"
+        exclude-patterns:
+          - "org.openjfx:*"
+          - "org.apache.maven.plugins:*"
+          - "org.jacoco:jacoco-maven-plugin"
+          - "org.owasp:dependency-check-maven"
+          - "me.fabriciorby:maven-surefire-junit5-tree-reporter"
+          - "org.codehaus.mojo:license-maven-plugin"
+          - "org.junit.jupiter:*"
+          - "org.mockito:*"
+          - "org.hamcrest:*"
+          - "com.google.jimfs:jimfs"

  - package-ecosystem: "github-actions"
    directory: "/" # even for `.github/workflows`
--- a/.github/release-body.md.template
+++ b/.github/release-body.md.template
@@ -1,34 +0,0 @@
-<!-- HEADER -->
-> [!WARN]
-> 🚧 DO NOT EDIT 🚧
->
-> The [builds are still running](https://github.com/cryptomator/cryptomator/actions/workflows/create-release.yml).
-> This banner will be replaced after the builds are finished.
-<!-- /HEADER -->
-
-<!--REPLACE with auto-generated release notes (see below)
-### What's New 🎉
-### Bugfixes 🐛
-### Other Changes 📎
-END REPLACE-->
-
-For a comprehensive view of changes, read the [CHANGELOG](https://github.com/cryptomator/cryptomator/blob/$VERSION/CHANGELOG.md).
-
---
-
-💾 SHA-256 checksums of release artifacts:
-```
-$TARBALL
-$EXE
-$MSI
-$DMG_x64
-$DMG_arm64
-$APPIMAGE_x86_64
-$APPIMAGE_aarch64
-```
-
-> [!TIP]
-> You can verify the GPG signature of all assets using our public key: [`5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235`](https://gist.github.com/cryptobot/211111cf092037490275f39d408f461a).
-
-<!-- Auto-Generated Release Notes: -->
-
--- a/.github/workflows/RELEASE.md
+++ b/.github/workflows/RELEASE.md
@@ -1,189 +0,0 @@
-# Cryptomator Release Workflow
-
-This document describes the automated release pipeline defined in [`draft-release.yml`](draft-release.yml) and [`post-publish.yml`](post-publish.yml).
-
-## Overview
-
-The release process has two phases:
-
-1. **Draft phase** (`draft-release.yml`) -- triggered by pushing a signed git tag. Compiles, tests, builds platform installers, and creates a **draft** GitHub Release.
-2. **Post-publish phase** (`post-publish.yml`) -- triggered when the draft release is manually **published**. Submits Windows installers for AV whitelisting, notifies the team for DEB build and latest-version update, and triggers downstream updates (website, docs, winget).
-
-```mermaid
---
-config:
-  htmlLabels: false
---
-flowchart TD
-    %% ── Trigger ──────────────────────────────────────────────
-    push_tag([🏷 Signed tag pushed])
-
-    %% ── Draft phase ──────────────────────────────────────────
-    push_tag --> get-version
-
-    subgraph draft["draft-release.yml"]
-        get-version["get-version
-        *parse semver from tag*"]
-
-        get-version --> create-release-draft
-        create-release-draft["create-release-draft
-        *compile & test (Linux)
-        create draft release
-        sign source tarball*"]
-
-        create-release-draft --> build-exe-and-msi
-        create-release-draft --> build-dmg-arm64
-        create-release-draft --> build-dmg-x64
-        create-release-draft --> build-appimages
-
-        build-exe-and-msi["build-exe-and-msi
-        *calls win-exe.yml
-        MSI + EXE (x64)
-        code-signed & GPG-signed*"]
-        build-dmg-arm64["build-dmg-arm64
-        *calls mac-dmg.yml
-        DMG (arm64)
-        notarized & GPG-signed*"]
-        build-dmg-x64["build-dmg-x64
-        *calls mac-dmg-x64.yml
-        DMG (x64)
-        notarized & GPG-signed*"]
-        build-appimages["build-appimages
-        *calls appimage.yml
-        AppImage (x86_64 + aarch64)
-        GPG-signed*"]
-
-        build-exe-and-msi --> update-sha256sums
-        build-dmg-arm64 --> update-sha256sums
-        build-dmg-x64 --> update-sha256sums
-        build-appimages --> update-sha256sums
-
-        update-sha256sums["update-sha256sums
-        *compute checksums
-        update release body*"]
-    end
-
-    update-sha256sums --> manual_review
-
-    %% ── Manual gate ──────────────────────────────────────────
-    manual_review{{Manual review
-    & publish}}
-
-    %% ── Post-publish phase ───────────────────────────────────
-    manual_review --> published([📢 Release published])
-    published --> post-publish
-
-    subgraph post-publish["post-publish.yml"]
-        direction TB
-
-        check-release["check-release
-        *classify release tag
-        stable, alpha, beta, rc, unknown*"]
-        notify["notify
-        *Slack notifications
-        deb build & version check*"]
-        get-asset-urls["get-asset-urls
-        *extract MSI & EXE
-        download URLs*"]
-
-        check-release --> notify-winget
-        check-release --> trigger-website
-        check-release --> trigger-docs
-
-        get-asset-urls --> allowlist-msi
-        allowlist-msi --> allowlist-exe
-
-        allowlist-msi["allowlist-msi-x64
-        *av-whitelist.yml
-        Kaspersky & Avast*"]
-        allowlist-exe["allowlist-exe-x64
-        *av-whitelist.yml
-        Kaspersky & Avast*"]
-
-        notify-winget["notify-winget
-        *Slack: ready for winget
-        stable only*"]
-        trigger-website["trigger-website-update
-        *dispatch to
-        cryptomator.github.io
-        stable only*"]
-        trigger-docs["trigger-docs-update
-        *dispatch to
-        cryptomator/docs
-        stable only, Windows*"]
-    end
-```
-
-## Phase 1: Draft Release (`draft-release.yml`)
-
-**Trigger:** push of any tag (`*`)
-
-### Jobs
-
-| Job | Runs on | Description |
-|-----|---------|-------------|
-| **get-version** | ubuntu | Parses the tag into semver components (`semVerNum`, `semVerSuffix`, `revNum`, `versionType`). The release is aborted if not an alpha, beta, rc or 'stable' release. |
-| **create-release-draft** | ubuntu | Checks out the repo, verifies the tag is **signed** and lives on a `main` or `release/*` branch. Runs `mvn verify` (with `xvfb-run`). Creates a GitHub Release **draft** using the [release body template](../release-body.md.template). Downloads and GPG-signs the source tarball. |
-| **build-exe-and-msi** | windows | Calls [`win-exe.yml`](win-exe.yml). Builds the MSI and EXE bundle installer for x64 Windows. Code-signed via Azure Trusted Signing, GPG-signed, and uploaded to the draft release. Outputs SHA-256 checksums. |
-| **build-dmg-arm64** | macos-15 | Calls [`mac-dmg.yml`](mac-dmg.yml). Builds the DMG for Apple Silicon. Code-signed, notarized with Apple, GPG-signed, and uploaded. Outputs SHA-256 checksum. |
-| **build-dmg-x64** | macos-15-large | Calls [`mac-dmg-x64.yml`](mac-dmg-x64.yml). Same as above but for Intel Macs. Uses macFUSE instead of FUSE-T. |
-| **build-appimages** | ubuntu | Calls [`appimage.yml`](appimage.yml). Builds AppImages for x86_64 and aarch64 (matrix). GPG-signed and uploaded with `.zsync` delta-update files. Outputs SHA-256 checksums. |
-| **update-sha256sums** | ubuntu | Runs after all builds complete. Computes the source tarball checksum, collects all artifact checksums, and updates the draft release body via `envsubst`. Replaces the "builds still running" banner with a success notice. |
-
-### Release Artifacts
-
-After the draft phase, the GitHub Release contains:
-
-| Artifact | Platform |
-|----------|----------|
-| `cryptomator-<ver>.tar.gz.asc` | Source (GPG signature) |
-| `Cryptomator-<ver>-x64.msi` + `.asc` | Windows |
-| `Cryptomator-<ver>-x64.exe` + `.asc` | Windows |
-| `Cryptomator-<ver>-arm64.dmg` + `.asc` | macOS (Apple Silicon) |
-| `Cryptomator-<ver>-x64.dmg` + `.asc` | macOS (Intel) |
-| `cryptomator-<ver>-x86_64.AppImage` + `.zsync` + `.asc` | Linux (x86_64) |
-| `cryptomator-<ver>-aarch64.AppImage` + `.zsync` + `.asc` | Linux (aarch64) |
-
-All artifacts are signed with GPG key [`615D449FE6E6A235`](https://gist.github.com/cryptobot/211111cf092037490275f39d408f461a).
-
-## Manual Review Gate
-
-After the draft phase completes, a maintainer reviews the draft release on GitHub. This is the point to:
-
- Verify all artifacts are present and checksums look correct.
- Edit the auto-generated release notes (What's New, Bugfixes, Other Changes).
- **Publish** the release when ready, which triggers phase 2.
-
-## Phase 2: Post-Publish (`post-publish.yml`)
-
-**Trigger:** `release: [published]`
-
-### Jobs
-
-| Job | Condition | Description |
-|-----|-----------|-------------|
-| **notify** | always | Sends Slack notifications to `#cryptomator-desktop`: ready to build `.deb` package, and reminder to update `latest-version.json` on S3. |
-| **get-asset-urls** | always | Extracts MSI and EXE download URLs from the release assets. |
-| **check-release** | always | Classifies the published release tag as `stable`, `alpha`, `beta`, `rc`, or `unknown`. Stable-only follow-up jobs depend on this output. Unlike `get-version.yml` workflow, this job does not perform semver validation. |
-| **allowlist-msi-x64** | Windows release | Calls [`av-whitelist.yml`](av-whitelist.yml). Uploads the MSI to Kaspersky and Avast for whitelisting. |
-| **allowlist-exe-x64** | Windows release | Same as above for the EXE. Runs sequentially after MSI. |
-| **notify-winget** | stable + Windows | Sends a Slack notification that the release is ready for [winget submission](winget.yml). |
-| **trigger-website-update** | stable | Dispatches `desktop-release` event to `cryptomator/cryptomator.github.io`. |
-| **trigger-docs-update** | stable + Windows | Dispatches `desktop-release` event to `cryptomator/docs`. |
-
-### Manual Follow-ups
-
-These steps are triggered by team members after Slack notifications:
-
- **Debian package** -- Run the [`debian.yml`](debian.yml) workflow to build `.deb` and optionally upload to the PPA.
- **winget** -- Run the [`winget.yml`](winget.yml) workflow to submit to the Windows Package Manager.
- **latest-version.json** -- Update the version-check file on S3 (`static.cryptomator.org/desktop/latest-version.json`).
-
-## Signing & Security
-
- **Git tag** must be SSH-signed and reside on `main` or `release/*`.
- **Windows** installers are code-signed using Azure Trusted Signing.
- **macOS** DMGs are code-signed with an Apple Developer certificate and notarized via `notarytool`.
- **All artifacts** receive a detached GPG signature (`.asc`) using key `615D449FE6E6A235`.
- **AV whitelisting** is submitted to Kaspersky and Avast after publish (Windows installers only).
- The draft release is created using `CRYPTOBOT_RELEASE_TOKEN`, not `GITHUB_TOKEN`, to ensure proper permissions and trigger downstream workflows.
--- a/.github/workflows/appimage.yml
+++ b/.github/workflows/appimage.yml
@@ -1,44 +1,13 @@
 name: Build AppImage

 on:
-  schedule:
-    - cron: '0 23 20 * *'
-  workflow_call:
-    inputs:
-      semVerNum:
-        type: string
-        description: 'The Major.Minor.Patch part of the version'
-        required: true
-      revisionNum:
-        type: string
-        description: 'The revision number'
-        required: true
-      semVerSuffix:
-        type: string
-        description: 'The suffix of the version, including dash'
-        required: true
-      upload-to-draft:
-        type: boolean
-        default: true
-    outputs:
-      sha256-appimage-x64:
-        description: "SHA256 sum of the x64 appimage"
-        value: ${{ jobs.collect-sha256sums.outputs.x64-sha256sum}}
-      sha256-appimage-aarch64:
-        description: "SHA256 sum of the aarch64 appimage"
-        value: ${{ jobs.collect-sha256sums.outputs.aarch64-sha256sum}}
+  release:
+    types: [published]
  workflow_dispatch:
    inputs:
-      semVerNum:
-        description: 'The Major.Minor.Patch part of the version'
+      version:
+        description: 'Version'
        required: false
-      revisionNum:
-        description: 'The revision number'
-        required: false
-      semVerSuffix:
-        description: 'The suffix of the version, including dash'
-        required: false
-        default: '-SNAPSHOT'
  push:
    branches-ignore:
      - 'dependabot/**'
@@ -50,34 +19,34 @@ on:

 env:
  JAVA_DIST: 'temurin'
-  JAVA_VERSION: '25.0.2+10.0.LTS'
-  VERSION_NUM: ${{ inputs.semVerNum || '99.99.99'}}
-  REVISION_NUM: ${{ inputs.revisionNum || '0' }}
-  VERSION_SUFFIX: ${{ inputs.semVerSuffix || ''}}
-
+  JAVA_VERSION: '25.0.1+8.0.LTS'

 jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.version }} #okay if not defined
+
  build:
    name: Build AppImage
    runs-on: ${{ matrix.os }}
+    needs: [get-version]
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-latest
-            arch: x86_64
-            openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-x64_bin-jmods.zip'
-            openjfx-sha: 'e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b'
-            appimagetool-sha: 'ed4ce84f0d9caff66f50bcca6ff6f35aae54ce8135408b3fa33abfc3cb384eb0'
+            appimage-suffix: x86_64
+            openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_linux-x64_bin-jmods.zip'
+            openjfx-sha: '96e520f48610d8ffb94ca30face1f11ffe8a977ddc1c4ff80b1a9e9f048bd94e'
          - os: ubuntu-24.04-arm
-            arch: aarch64
-            openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-aarch64_bin-jmods.zip'
-            openjfx-sha: 'c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646'
-            appimagetool-sha: 'f0837e7448a0c1e4e650a93bb3e85802546e60654ef287576f46c71c126a9158'
+            appimage-suffix: aarch64
+            openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_linux-aarch64_bin-jmods.zip'
+            openjfx-sha: '9ad4ca7b769ca4ee6419f1e99143dd6ff812f8be4fddb46a7d7cacbeea148af4'
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -86,7 +55,7 @@ jobs:
      - name: Download OpenJFX jmods
        id: download-jmods
        run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
          echo "${{ matrix.openjfx-sha }}  openjfx-jmods.zip" | shasum -a256 --check
          mkdir -p openjfx-jmods
          unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
@@ -104,7 +73,7 @@ jobs:
            exit 1
          fi
      - name: Set version
-        run : mvn versions:set -DnewVersion="${VERSION_NUM}${VERSION_SUFFIX}"
+        run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
      - name: Run maven
        run: mvn -B clean package -Plinux -DskipTests
      - name: Patch target dir
@@ -125,15 +94,13 @@ jobs:
          ${JAVA_HOME}/bin/jlink
          --verbose
          --output runtime
-          --module-path "${JMOD_PATHS}"
+          --module-path "${{ steps.jep-493-check.outputs.jmod_paths }}"
          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler
          --strip-native-commands
          --no-header-files
          --no-man-pages
          --strip-debug
          --compress zip-0
-        env:
-          JMOD_PATHS: ${{ steps.jep-493-check.outputs.jmod_paths }}
      - name: Run jpackage
        run: >
          ${JAVA_HOME}/bin/jpackage
@@ -146,26 +113,25 @@ jobs:
          --dest appdir
          --name Cryptomator
          --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2026 Skymatic GmbH"
-          --app-version "${VERSION_NUM}.${REVISION_NUM}"
+          --copyright "(C) 2016 - 2025 Skymatic GmbH"
+          --app-version "${{  needs.get-version.outputs.semVerNum }}.${{  needs.get-version.outputs.revNum }}"
          --java-options "--enable-preview"
          --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator"
          --java-options "-Xss5m"
          --java-options "-Xmx256m"
-          --java-options "-Dcryptomator.appVersion=\"${VERSION_NUM}${VERSION_SUFFIX}\""
+          --java-options "-Dcryptomator.appVersion=\"${{  needs.get-version.outputs.semVerStr }}\""
          --java-options "-Dfile.encoding=\"utf-8\""
          --java-options "-Djava.net.useSystemProxies=true"
-          --java-options "-Dcryptomator.adminConfigPath=\"/etc/cryptomator/config.properties\""
          --java-options "-Dcryptomator.logDir=\"@{userhome}/.local/share/Cryptomator/logs\""
+          --java-options "-Dcryptomator.pluginDir=\"@{userhome}/.local/share/Cryptomator/plugins\""
          --java-options "-Dcryptomator.settingsPath=\"@{userhome}/.config/Cryptomator/settings.json:@{userhome}/.Cryptomator/settings.json\""
          --java-options "-Dcryptomator.p12Path=\"@{userhome}/.config/Cryptomator/key.p12\""
          --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/.config/Cryptomator/ipc.socket\""
          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/.local/share/Cryptomator/mnt\""
          --java-options "-Dcryptomator.showTrayIcon=true"
          --java-options "-Dcryptomator.integrationsLinux.trayIconsDir=\"@{appdir}/usr/share/icons/hicolor/symbolic/apps\""
-          --java-options "-Dcryptomator.buildNumber=\"appimage-${REVISION_NUM}\""
+          --java-options "-Dcryptomator.buildNumber=\"appimage-${{  needs.get-version.outputs.revNum }}\""
          --java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\""
-          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
          --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log"
          --resource-dir dist/linux/resources
      - name: Patch Cryptomator.AppDir
@@ -189,8 +155,7 @@ jobs:
          ln -s bin/cryptomator.sh Cryptomator.AppDir/AppRun
      - name: Download AppImageKit
        run: |
-          curl --silent --fail-with-body --proto "=https" -L "https://github.com/AppImage/appimagetool/releases/download/1.9.1/appimagetool-${{ matrix.arch }}.AppImage" -o appimagetool.AppImage
-          echo "${{ matrix.appimagetool-sha }}  appimagetool.AppImage" | shasum -a256 --check
+          curl -L https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-${{ matrix.appimage-suffix }}.AppImage -o appimagetool.AppImage
          chmod +x appimagetool.AppImage
          ./appimagetool.AppImage --appimage-extract
      - name: Prepare GPG-Agent for signing with key 615D449FE6E6A235
@@ -202,27 +167,26 @@ jobs:
          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
      - name: Build AppImage
        run: >
-          ./squashfs-root/AppRun Cryptomator.AppDir cryptomator-${VERSION_NUM}${VERSION_SUFFIX}-${{ matrix.arch }}.AppImage
-          -u "gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-${{ matrix.arch }}.AppImage.zsync"
+          ./squashfs-root/AppRun Cryptomator.AppDir cryptomator-${{  needs.get-version.outputs.semVerStr }}-${{ matrix.appimage-suffix }}.AppImage
+          -u "gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-${{ matrix.appimage-suffix }}.AppImage.zsync"
          --sign --sign-key=615D449FE6E6A235
      - name: Create detached GPG signatures
        run: |
          gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage
          gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage.zsync
      - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
-          name: appimage-${{ matrix.arch }}
+          name: appimage-${{ matrix.appimage-suffix }}
          path: |
            cryptomator-*.AppImage
            cryptomator-*.AppImage.zsync
            cryptomator-*.asc
          if-no-files-found: error
      - name: Publish AppImage on GitHub Releases
-        if: inputs.upload-to-draft
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
        with:
-          draft: true
          fail_on_unmatched_files: true
          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
          files: |
@@ -230,24 +194,67 @@ jobs:
            cryptomator-*.zsync
            cryptomator-*.asc

-  collect-sha256sums:
-    name: Collect AppImage checksums
+  create-aur-bin-pr:
+    name: Create PR for aur-bin repo
+    needs: [build, get-version]
    runs-on: ubuntu-latest
-    needs: [build]
-    if: inputs.upload-to-draft
-    outputs:
-      x64-sha256sum: ${{ steps.sha256sum.outputs.x64-sha256sum }}
-      aarch64-sha256sum: ${{ steps.sha256sum.outputs.aarch64-sha256sum }}
+    if: github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable'
    steps:
-      - name: Download AppImage artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+      - name: Download AppImages
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
-          pattern: appimage-*
-          path: appimage-artifacts
-      - name: Compute SHA256 sums
-        id: sha256sum
+          path: downloads/
+          merge-multiple: true
+      - name: Compute sha256 hash of AppImages
+        id: checksums
        run: |
-          read -ra X64_SUM < <(sha256sum appimage-artifacts/appimage-x86_64/cryptomator-*-x86_64.AppImage)
-          read -ra AARCH64_SUM < <(sha256sum appimage-artifacts/appimage-aarch64/cryptomator-*-aarch64.AppImage)
-          echo "x64-sha256sum=${X64_SUM[0]}" >> "$GITHUB_OUTPUT"
-          echo "aarch64-sha256sum=${AARCH64_SUM[0]}" >> "$GITHUB_OUTPUT"
+          X64_SHA256=$(sha256sum downloads/cryptomator-*-x86_64.AppImage | cut -d ' ' -f1)
+          echo "x64-sha256sum=${X64_SHA256}" >> "$GITHUB_OUTPUT"
+          AARCH64_SHA256=$(sha256sum downloads/cryptomator-*-aarch64.AppImage | cut -d ' ' -f1)
+          echo "aarch64-sha256sum=${AARCH64_SHA256}" >> "$GITHUB_OUTPUT"
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: 'cryptomator/aur-bin'
+          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get -y install makepkg pacman-package-manager
+      - name: Checkout release branch
+        run: |
+          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
+      - name: Update build file
+        run: |
+          sed -i -e 's|^pkgver=.*$|pkgver=${{ needs.get-version.outputs.semVerStr }}|' PKGBUILD
+          sed -i -e 's|^pkgrel=.*$|pkgrel=1|' PKGBUILD
+          sed -i -e "s|^sha256sums_x86_64=.*$|sha256sums_x86_64=('${{ steps.checksums.outputs.x64-sha256sum }}'|" PKGBUILD
+          sed -i -e "s|^sha256sums_aarch64=.*$|sha256sums_aarch64=('${{ steps.checksums.outputs.aarch64-sha256sum}}'|" PKGBUILD
+          makepkg --printsrcinfo > .SRCINFO
+      - name: Commit and push
+        run: |
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+          git config push.autoSetupRemote true
+          git stage .
+          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
+          git push
+      - name: Create pull request
+        id: create-pr
+        run: |
+          printf "> [!IMPORTANT]\n> Todos:\n> - [ ] Update build instructions\n> - [ ] Check for JDK update\n> - [ ] Check for JFX update" > pr_body.md
+          URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
+          echo "PR_URL=$URL" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "AUR-bin release PR for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
+          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.PR_URL }}|PR> on how to proceed."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true
--- a/.github/workflows/aur-bin.yml
+++ b/.github/workflows/aur-bin.yml
@@ -1,115 +0,0 @@
-name: PR for aur-bin repo
-
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-    inputs:
-      src-tag:
-        description: 'Source or Release tag'
-        required: false
-
-jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version: ${{ inputs.src-tag }}
-
-  create-aur-bin-pr:
-    name: Create PR for aur-bin repo
-    if: (github.event_name == 'workflow_dispatch') || (github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable')
-    runs-on: ubuntu-latest
-    needs: [get-version]
-    container:
-      image: archlinux:base-devel
-    env:
-      SEMVER_STR: ${{ needs.get-version.outputs.semVerStr }}
-      PKGDEST: ${{ github.workspace }}/pkgdest
-      SRCDEST: ${{ github.workspace }}/srcdest
-    steps:
-      - name: Prepare pacman
-        run: |
-          pacman-key --init
-          pacman-key --populate archlinux
-          pacman -Syu --noconfirm --needed git base-devel sudo gnupg maven unzip github-cli curl pacman-contrib
-      - name: Checkout cryptomator/aur-bin
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          repository: 'cryptomator/aur-bin'
-          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Create build user
-        run: |
-          useradd -m builder
-          echo 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/builder
-          chown -R builder:builder "$GITHUB_WORKSPACE"
-          install -d -m 0755 -o builder -g builder "$PKGDEST" "$SRCDEST"
-      - name: Import Cryptomator release signing key
-        # try first ubuntu. on failure try openpgp keyservers
-        run: >
-          sudo -u builder gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
-          || sudo -u builder gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
-      - name: Checkout release branch
-        run: |
-          git config --global safe.directory '*'
-          git checkout -b "release/${SEMVER_STR}"
-      - name: Determine pkgrel
-        id: pkgrel
-        run: |
-          CURRENT_VERSION="$(sed -nE 's/^pkgver=(.*)$/\1/p' PKGBUILD | head -n1)"
-          CURRENT_REL="$(sed -nE 's/^pkgrel=([0-9]+).*$/\1/p' PKGBUILD | head -n1)"
-
-          if [[ "$CURRENT_VERSION" == "$TARGET_VERSION" && "$CURRENT_REL" =~ ^[0-9]+$ ]]; then
-            NEXT_REL=$((CURRENT_REL + 1))
-          else
-            NEXT_REL=1
-          fi
-
-          echo "value=${NEXT_REL}" >> "$GITHUB_OUTPUT"
-          echo "dist-version=${TARGET_VERSION}-${NEXT_REL}" >> "$GITHUB_OUTPUT"
-        env:
-          TARGET_VERSION: ${{ needs.get-version.outputs.semVerStr }}
-      - name: Update build file
-        run: |
-          sed -i -e "s|^pkgver=.*$|pkgver=${PKG_VERSION}|" PKGBUILD
-          sed -i -e "s|^pkgrel=.*$|pkgrel=${PKG_RELEASE}|" PKGBUILD
-          sudo -u builder updpkgsums
-          sudo -u builder makepkg --printsrcinfo > .SRCINFO
-        env:
-          PKG_VERSION: ${{ needs.get-version.outputs.semVerNum }}
-          PKG_RELEASE: ${{ steps.pkgrel.outputs.value }}
-      - name: Build package with makepkg
-        run: >
-          sudo -u builder
-          env PKGDEST="$PKGDEST" SRCDEST="$SRCDEST"
-          makepkg --syncdeps --cleanbuild --noconfirm --log
-      - name: Commit and push
-        run: |
-          git config user.name "cryptobot"
-          git config user.email "cryptobot@users.noreply.github.com"
-          git config push.autoSetupRemote true
-          git stage PKGBUILD .SRCINFO
-          git commit -m "Prepare release ${DIST_VERSION}"
-          git push
-        env:
-          DIST_VERSION: ${{ steps.pkgrel.outputs.dist-version }}
-      - name: Create pull request
-        id: create-pr
-        run: |
-          printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md
-          PR_URL=$(gh pr create --title "Release ${DIST_VERSION}" --body-file pr_body.md)
-          echo "url=$PR_URL" >> "$GITHUB_OUTPUT"
-        env:
-          DIST_VERSION: ${{ steps.pkgrel.outputs.dist-version }}
-          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Slack Notification
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: ''
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "AUR-bin release PR for ${{ github.event.repository.name }} ${{ needs.get-version.outputs.semVerStr }} created."
-          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.url }}|PR> on how to proceed."
-          SLACK_FOOTER: ''
-          MSG_MINIMAL: true
--- a/.github/workflows/aur.yml
+++ b/.github/workflows/aur.yml
@@ -0,0 +1,95 @@
+name: Create PR for AUR
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag'
+        required: true
+
+jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.tag }}
+  tarball:
+    name: Determines tarball url and compute checksum
+    runs-on: ubuntu-latest
+    needs: [get-version]
+    if:  github.event_name == 'workflow_dispatch' || needs.get-version.outputs.versionType == 'stable'
+    env:
+      INPUT_TAG: ${{ inputs.tag }}
+    outputs:
+      url: ${{ steps.url.outputs.url}}
+      sha256: ${{ steps.sha256.outputs.sha256}}
+    steps:
+      - name: Determine tarball url
+        id: url
+        run: |
+          URL="";
+          if [[ -n "${INPUT_TAG}"  ]]; then
+            URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${INPUT_TAG}.tar.gz"
+          else
+            URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz"
+          fi
+          echo "url=${URL}" >> "$GITHUB_OUTPUT"
+      - name: Download source tarball and compute checksum
+        id: sha256
+        run: |
+          curl --silent --fail-with-body -L -H "Accept: application/vnd.github+json" ${{ steps.url.outputs.url }} --output cryptomator.tar.gz
+          TARBALL_SHA256=$(sha256sum cryptomator.tar.gz | cut -d ' ' -f1)
+          echo "sha256=${TARBALL_SHA256}" >> "$GITHUB_OUTPUT"
+  aur:
+    name: Create PR for AUR
+    runs-on: ubuntu-latest
+    needs: [tarball, get-version]
+    env:
+      AUR_PR_URL: tbd
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: 'cryptomator/aur'
+          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install makepkg pacman-package-manager
+      - name: Checkout release branch
+        run: |
+          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
+      - name: Update build file
+        run: |
+          sed -i -e 's|^pkgver=.*$|pkgver=${{ needs.get-version.outputs.semVerStr }}|' PKGBUILD
+          sed -i -e 's|^pkgrel=.*$|pkgrel=1|' PKGBUILD
+          sed -i -e "s|^sha256sums=.*$|sha256sums=('${{ needs.tarball.outputs.sha256 }}'|" PKGBUILD
+          makepkg --printsrcinfo > .SRCINFO
+      - name: Commit and push
+        run: |
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+          git config push.autoSetupRemote true
+          git stage .
+          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
+          git push
+      - name: Create pull request
+        run: |
+          printf "> [!IMPORTANT]\n> Todos:\n> - [ ] Update build instructions\n> - [ ] Check for JDK update\n> - [ ] Check for JFX update" > pr_body.md
+          PR_URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
+          echo "AUR_PR_URL=$PR_URL" >> "$GITHUB_ENV"
+        env:
+          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Slack Notification
+        if: github.event_name == 'release'
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "AUR release PR created for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
+          SLACK_MESSAGE: "See <${{ env.AUR_PR_URL }}|PR> on how to proceed."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true
--- a/.github/workflows/av-whitelist.yml
+++ b/.github/workflows/av-whitelist.yml
@@ -7,16 +7,6 @@ on:
        description: "Url to the file to upload"
        required: true
        type: string
-      avast:
-        description: "Upload to Avast"
-        required: false
-        type: boolean
-        default: true
-      kaspersky:
-        description: "Upload to Kaspersky"
-        required: false
-        type: boolean
-        default: true
  workflow_dispatch:
    inputs:
      url:
@@ -37,7 +27,7 @@ on:
 jobs:
  download-file:
    name: Downloads the file into the VM
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    outputs:
      fileName: ${{ steps.extractName.outputs.fileName}}
    env:
@@ -49,21 +39,21 @@ jobs:
          url="${INPUT_URL}"
          echo "fileName=${url##*/}" >> $GITHUB_OUTPUT
      - name: Download file
-        run: curl --silent --fail-with-body --proto "=https" -L "${INPUT_URL}" -o "${{steps.extractName.outputs.fileName}}"
+        run: curl --remote-name ${INPUT_URL} -L -o ${{steps.extractName.outputs.fileName}}
      - name: Upload artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: ${{ steps.extractName.outputs.fileName }}
          path: ${{ steps.extractName.outputs.fileName }}
          if-no-files-found: error
  allowlist-kaspersky:
    name: Anti Virus Allowlisting Kaspersky
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    needs: download-file
-    if: inputs.kaspersky
+    if: github.event_name == 'workflow_call' || inputs.kaspersky
    steps:
      - name: Download artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: ${{ needs.download-file.outputs.fileName }}
          path: upload
@@ -78,12 +68,12 @@ jobs:
          local-dir: ./upload/
  allowlist-avast:
    name: Anti Virus Allowlisting Avast
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    needs: download-file
-    if: inputs.avast
+    if: github.event_name == 'workflow_call'  || inputs.avast
    steps:
      - name: Download artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: ${{ needs.download-file.outputs.fileName }}
          path: upload
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,14 +22,14 @@ jobs:
    name: Compile and Test
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
          cache: 'maven'
      - name: Cache SonarCloud packages
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
@@ -47,3 +47,35 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      - name: Draft a release
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
+        with:
+          draft: true
+          discussion_category_name: releases
+          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          generate_release_notes: true
+          body: |-
+            :construction: Work in Progress
+            ### What's New 🎉
+            
+            ### Bugfixes 🐛
+            
+            ### Other Changes 📎
+            
+            ---
+            
+            TODO FULL CHANGELOG
+            
+            📜 List of closed issues is available [here](TODO)
+            
+            ---
+            ⏳ Please be patient, the builds are still [running](https://github.com/cryptomator/cryptomator/actions). New versions of Cryptomator can be found here in a few moments. ⏳
+            
+            <!-- Don't forget to include the
+            💾 SHA-256 checksums of release artifacts:
+            ```
+            ```
+            -->
+            
+            As usual, the GPG signatures can be checked using [our public key `5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235`](https://gist.github.com/cryptobot/211111cf092037490275f39d408f461a).
--- a/.github/workflows/check-jdk-updates.yml
+++ b/.github/workflows/check-jdk-updates.yml
@@ -26,7 +26,7 @@ jobs:
        run: echo 'JDK_MAJOR_VERSION=${{ env.JDK_VERSION }}'.substring(0,2) >> "$env:GITHUB_ENV"
        shell: pwsh
      - name: Checkout latest JDK ${{ env.JDK_MAJOR_VERSION }}
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          java-version: ${{ env.JDK_MAJOR_VERSION}}
          distribution: ${{ env.JDK_VENDOR }}
@@ -74,10 +74,10 @@ jobs:
        env:
          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: ''
+          SLACK_ICON: false
          SLACK_ICON_EMOJI: ':bot:'
          SLACK_CHANNEL: 'cryptomator-desktop'
          SLACK_TITLE: "JDK update available"
          SLACK_MESSAGE: "Cryptomator-CI JDK can be upgraded to ${{ steps.determine.outputs.LATEST_JDK_VERSION }}. Check the Nextcloud collective for instructions."
-          SLACK_FOOTER: ''
+          SLACK_FOOTER: false
          MSG_MINIMAL: true
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
@@ -1,8 +1,6 @@
 name: Build Debian Package

 on:
-  schedule:
-    - cron: '0 22 20 * *'
  workflow_dispatch:
    inputs:
      semver:
@@ -25,12 +23,12 @@ on:

 env:
  JAVA_DIST: 'temurin'
-  JAVA_VERSION: '25.0.2+10.0.LTS'
+  JAVA_VERSION: '25.0.1+8.0.LTS'
  DEB_BUILD_DEPENDS: 'debhelper (>=10), openjdk-25-jdk (>= 25+36), libgtk-3-0 (>= 3.20.0), libxxf86vm1, libgl1'
-  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-x64_bin-jmods.zip'
-  OPENJFX_JMODS_AMD64_HASH: 'e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b'
-  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-aarch64_bin-jmods.zip'
-  OPENJFX_JMODS_AARCH64_HASH: 'c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646'
+  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_linux-x64_bin-jmods.zip'
+  OPENJFX_JMODS_AMD64_HASH: '96e520f48610d8ffb94ca30face1f11ffe8a977ddc1c4ff80b1a9e9f048bd94e'
+  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_linux-aarch64_bin-jmods.zip'
+  OPENJFX_JMODS_AARCH64_HASH: '9ad4ca7b769ca4ee6419f1e99143dd6ff812f8be4fddb46a7d7cacbeea148af4'

 jobs:
  get-version:
@@ -45,7 +43,7 @@ jobs:
    env:
      INPUT_PPAVER: ${{ inputs.ppaver }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - id: deb-version
        name: Determine deb-version
        run: |
@@ -62,7 +60,7 @@ jobs:
        env:
          DEB_BUILD_DEPENDS: ${{ env.DEB_BUILD_DEPENDS }}
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -73,11 +71,11 @@ jobs:
      - name: Download OpenJFX jmods
        id: download-jmods
        run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ env.OPENJFX_JMODS_AMD64 }} -o openjfx-amd64.zip
+          curl -L ${{ env.OPENJFX_JMODS_AMD64 }} -o openjfx-amd64.zip
          echo "${{ env.OPENJFX_JMODS_AMD64_HASH }}  openjfx-amd64.zip" | shasum -a256 --check
          mkdir -p jmods/amd64
          unzip -j openjfx-amd64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/amd64
-          curl --silent --fail-with-body --proto "=https" -L ${{ env.OPENJFX_JMODS_AARCH64 }} -o openjfx-aarch64.zip
+          curl -L ${{ env.OPENJFX_JMODS_AARCH64 }} -o openjfx-aarch64.zip
          echo "${{ env.OPENJFX_JMODS_AARCH64_HASH }}  openjfx-aarch64.zip" | shasum -a256 --check
          mkdir -p jmods/aarch64
          unzip -j openjfx-aarch64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/aarch64
@@ -145,7 +143,7 @@ jobs:
        run: |
          gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator_*_amd64.deb
      - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: linux-deb-package
          path: |
--- a/.github/workflows/dependency-check.yml
+++ b/.github/workflows/dependency-check.yml
@@ -7,7 +7,7 @@ on:

 jobs:
  check-dependencies:
-    uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # v3.0.3
+    uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@1074588008ae3326a2221ea451783280518f0366 # v3.0.1
    with:
      runner-os: 'ubuntu-latest'
      java-distribution: 'temurin'
@@ -16,4 +16,4 @@ jobs:
      nvd-api-key: ${{ secrets.NVD_API_KEY }}
      ossindex-username: ${{ secrets.OSSINDEX_USERNAME }}
      ossindex-token: ${{ secrets.OSSINDEX_API_TOKEN }}
-      slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
+      slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
--- a/.github/workflows/dl-stats.yml
+++ b/.github/workflows/dl-stats.yml
@@ -53,7 +53,7 @@ jobs:
          INTERVAL: 900
          JSON_DATA: ${{ steps.get-stats.outputs.result }}
      - name: Upload Results
-        uses: fjogeleit/http-request-action@551353b829c3646756b2ec2b3694f819d7957495 # v2.0.0
+        uses: fjogeleit/http-request-action@1297c6fc63a79b147d1676540a3fd9d2e37817c5 # v1.16.5
        with:
          url: 'https://graphite-us-central1.grafana.net/metrics'
          method: 'POST'
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@@ -1,157 +0,0 @@
-name: Draft a Cryptomator Release
-
-on:
-  push:
-    tags:
-        - '*'
-
-env:
-  JAVA_DIST: 'temurin'
-  JAVA_VERSION: '25.0.2+10.0.LTS'
-
-defaults:
-  run:
-    shell: bash
-
-jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version:  ''
-
-  create-release-draft:
-    name: Compile and Test
-    runs-on: ubuntu-latest
-    needs: get-version
-    if: needs.get-version.outputs.versionType != 'unknown'
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: 0
-      - name: Check the git tag is signed
-        run: git cat-file -p "${GITHUB_REF_NAME}" | grep "BEGIN SSH SIGNATURE"
-      - name: Check the git tag is on release or main branch
-        run: git branch -r --contains "${GITHUB_REF_NAME}" | grep -E '^\s*origin/(main|release/.*)\s*$'
-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
-        with:
-          distribution: ${{ env.JAVA_DIST }}
-          java-version: ${{ env.JAVA_VERSION }}
-          cache: 'maven'
-      - name: Build and Test
-        run: xvfb-run mvn -B verify -Plinux
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
-      - name: Draft a release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
-        with:
-          draft: true
-          discussion_category_name: releases
-          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
-          generate_release_notes: true
-          body_path: .github/release-body.md.template
-      - name: Download source tarball
-        run: |
-          curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" https://github.com/cryptomator/cryptomator/archive/${{ github.ref }}.tar.gz --output cryptomator-${{ github.ref_name }}.tar.gz
-      - name: Sign source tarball with key 615D449FE6E6A235
-        run: |
-          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
-          echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.tar.gz
-        env:
-          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
-          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
-      - name: Publish asc on GitHub Releases
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
-        with:
-          draft: true
-          fail_on_unmatched_files: true
-          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
-          files: |
-            cryptomator-*.tar.gz.asc
-
-  build-exe-and-msi:
-    needs: [get-version, create-release-draft]
-    uses: ./.github/workflows/win-exe.yml
-    with:
-      semVerNum: ${{needs.get-version.outputs.semVerNum}}
-      revisionNum: ${{needs.get-version.outputs.revNum}}
-      semVerSuffix: ${{needs.get-version.outputs.semVerSuffix}}
-    secrets: inherit
-
-  build-dmg-arm64:
-    needs: [get-version, create-release-draft]
-    uses: ./.github/workflows/mac-dmg.yml
-    with:
-      semVerNum: ${{needs.get-version.outputs.semVerNum}}
-      revisionNum: ${{needs.get-version.outputs.revNum}}
-      semVerSuffix: ${{needs.get-version.outputs.semVerSuffix}}
-    secrets: inherit
-
-  build-dmg-x64:
-    needs: [get-version, create-release-draft]
-    uses: ./.github/workflows/mac-dmg-x64.yml
-    with:
-      semVerNum: ${{needs.get-version.outputs.semVerNum}}
-      revisionNum: ${{needs.get-version.outputs.revNum}}
-      semVerSuffix: ${{needs.get-version.outputs.semVerSuffix}}
-    secrets: inherit
-
-  build-appimages:
-    needs: [get-version, create-release-draft]
-    uses: ./.github/workflows/appimage.yml
-    with:
-      semVerNum: ${{needs.get-version.outputs.semVerNum}}
-      revisionNum: ${{needs.get-version.outputs.revNum}}
-      semVerSuffix: ${{needs.get-version.outputs.semVerSuffix}}
-    secrets: inherit
-
-  update-sha256sums:
-    runs-on: ubuntu-latest
-    needs: [get-version, build-exe-and-msi, build-dmg-arm64, build-dmg-x64, build-appimages]
-    env:
-      TAG: ${{ github.ref_name }}
-      SEMVER: ${{ needs.get-version.outputs.semVerStr }}
-      GH_TOKEN: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Compute source tarball SHA256
-        id: src-sha256
-        run: |
-          curl --silent --fail-with-body --proto "=https" -L \
-            -H "Accept: application/vnd.github+json" \
-            "https://github.com/cryptomator/cryptomator/archive/refs/tags/${TAG}.tar.gz" \
-            --output "cryptomator-${SEMVER}.tar.gz"
-          read -ra CMD_OUTPUT < <(sha256sum "cryptomator-${SEMVER}.tar.gz")
-          echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT
-      - name: Update release body with checksums
-        run: |
-          CURRENT_BODY=$(gh release view "${TAG}" --json body --jq .body)
-          RELEASE_BODY=$(printf '%s\n' "${CURRENT_BODY}" | sed '/<!-- HEADER -->/,/<!-- \/HEADER -->/c\
-          <!-- HEADER -->\
-          > [!NOTE]\
-          > Release artifacts finished building successfully.\
-          >\
-          > SHA-256 checksums have been updated below.\
-          <!-- /HEADER -->')
-
-          export TARBALL="${SRC_SHA}  cryptomator-${SEMVER}.tar.gz"
-          export MSI="${MSI_SHA}  Cryptomator-${SEMVER}-x64.msi"
-          export EXE="${EXE_SHA}  Cryptomator-${SEMVER}-x64.exe"
-          export DMG_arm64="${DMG_ARM64_SHA}  Cryptomator-${SEMVER}-arm64.dmg"
-          export DMG_x64="${DMG_X64_SHA}  Cryptomator-${SEMVER}-x64.dmg"
-          export APPIMAGE_x86_64="${APPIMAGE_X64_SHA}  cryptomator-${SEMVER}-x86_64.AppImage"
-          export APPIMAGE_aarch64="${APPIMAGE_AARCH64_SHA}  cryptomator-${SEMVER}-aarch64.AppImage"
-
-          envsubst '$VERSION $TARBALL $EXE $MSI $DMG_x64 $DMG_arm64 $APPIMAGE_x86_64 $APPIMAGE_aarch64' \
-            <<< "${RELEASE_BODY}" \
-            > release-body.md
-
-          gh release edit "${TAG}" --draft --notes-file release-body.md
-        env:
-          VERSION: ${{ needs.get-version.outputs.semVerStr }}
-          SRC_SHA: ${{ steps.src-sha256.outputs.value }}
-          MSI_SHA: ${{ needs.build-exe-and-msi.outputs.sha256-msi }}
-          EXE_SHA: ${{ needs.build-exe-and-msi.outputs.sha256-exe }}
-          DMG_ARM64_SHA: ${{ needs.build-dmg-arm64.outputs.sha256-dmg }}
-          DMG_X64_SHA: ${{ needs.build-dmg-x64.outputs.sha256-dmg }}
-          APPIMAGE_X64_SHA: ${{ needs.build-appimages.outputs.sha256-appimage-x64 }}
-          APPIMAGE_AARCH64_SHA: ${{ needs.build-appimages.outputs.sha256-appimage-aarch64 }}
--- a/.github/workflows/flathub.yml
+++ b/.github/workflows/flathub.yml
@@ -0,0 +1,85 @@
+name: Create PR for flathub
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag'
+        required: true
+
+jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.tag }}
+  tarball:
+    name: Determines tarball url and compute checksum
+    runs-on: ubuntu-latest
+    needs: [get-version]
+    if:  github.event_name == 'workflow_dispatch' || needs.get-version.outputs.versionType == 'stable'
+    outputs:
+      url: ${{ steps.url.outputs.url}}
+      sha512: ${{ steps.sha512.outputs.sha512}}
+    steps:
+      - name: Determine tarball url
+        id: url
+        run: |
+          URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${TAG}.tar.gz"
+          echo "url=${URL}" >> "$GITHUB_OUTPUT"
+        env:
+          TAG: ${{ inputs.tag || github.event.release.tag_name}}
+      - name: Download source tarball and compute checksum
+        id: sha512
+        run: |
+          curl --silent --fail-with-body -L -H "Accept: application/vnd.github+json" ${{ steps.url.outputs.url }} --output cryptomator.tar.gz
+          TARBALL_SHA512=$(sha512sum cryptomator.tar.gz | cut -d ' ' -f1)
+          echo "sha512=${TARBALL_SHA512}" >> "$GITHUB_OUTPUT"
+  flathub:
+    name: Create PR for flathub
+    runs-on: ubuntu-latest
+    needs: [tarball, get-version]
+    env:
+      FLATHUB_PR_URL: tbd
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: 'flathub/org.cryptomator.Cryptomator'
+          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Checkout release branch
+        run: |
+          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
+      - name: Update build file
+        run: |
+          sed -i -e 's/VERSION: [0-9]\+\.[0-9]\+\.[0-9]\+.*/VERSION: ${{ needs.get-version.outputs.semVerStr }}/g' org.cryptomator.Cryptomator.yaml
+          sed -i -e 's/sha512: [0-9A-Za-z_\+-]\{128\} #CRYPTOMATOR/sha512: ${{ needs.tarball.outputs.sha512 }} #CRYPTOMATOR/g' org.cryptomator.Cryptomator.yaml
+          sed -i -e 's;url: https://github.com/cryptomator/cryptomator/archive/refs/tags/[^[:blank:]]\+;url: ${{ needs.tarball.outputs.url }};g' org.cryptomator.Cryptomator.yaml
+      - name: Commit and push
+        run: |
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+          git config push.autoSetupRemote true
+          git stage .
+          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
+          git push
+      - name: Create pull request
+        run: |
+          printf "> [!IMPORTANT]\n> Todos:\n> - [ ] Update maven dependencies\n> - [ ] Check for JDK update\n> - [ ] Check for JFX update" > pr_body.md
+          PR_URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
+          echo "FLATHUB_PR_URL=$PR_URL" >> "$GITHUB_ENV"
+        env:
+          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        if: github.event_name == 'release'
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "Flathub release PR created for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
+          SLACK_MESSAGE: "See <${{ env.FLATHUB_PR_URL }}|PR> on how to proceed.>."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true
--- a/.github/workflows/get-version.yml
+++ b/.github/workflows/get-version.yml
@@ -14,9 +14,6 @@ on:
      semVerNum:
        description: "The numerical part of the version string"
        value: ${{ jobs.determine-version.outputs.semVerNum}}
-      semVerSuffix:
-        description: "The suffix of the version string"
-        value: ${{ jobs.determine-version.outputs.semVerSuffix}}
      revNum:
        description: "The revision number"
        value: ${{ jobs.determine-version.outputs.revNum}}
@@ -35,15 +32,14 @@ jobs:
    outputs:
      semVerNum: ${{ steps.versions.outputs.semVerNum }}
      semVerStr: ${{ steps.versions.outputs.semVerStr }}
-      semVerSuffix: ${{ steps.versions.outputs.semVerSuffix }}
      revNum: ${{ steps.versions.outputs.revNum }}
      type: ${{ steps.versions.outputs.type}}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -58,30 +54,25 @@ jobs:
          else
            SEM_VER_STR=`mvn help:evaluate -Dexpression=project.version -q -DforceStdout`
          fi
-
-          SEM_VER_NUM=$(echo ${SEM_VER_STR} | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
-          SEM_VER_SUFFIX="${SEM_VER_STR#"$SEM_VER_NUM"}"
+          SEM_VER_NUM=`echo ${SEM_VER_STR} | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/'`
          REVCOUNT=`git rev-list --count HEAD`
-
          TYPE="unknown"
-          if [[ -z $SEM_VER_SUFFIX  ]]; then
+          if [[ $SEM_VER_STR =~ [0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            TYPE="stable"
-          elif [[ $SEM_VER_SUFFIX =~ -alpha[1-9]+$ ]]; then
+          elif [[ $SEM_VER_STR =~ [0-9]+\.[0-9]+\.[0-9]+-alpha[1-9]+$ ]]; then
            TYPE="alpha"
-          elif [[ $SEM_VER_SUFFIX =~ -beta[1-9]+$ ]]; then
+          elif [[ $SEM_VER_STR =~ [0-9]+\.[0-9]+\.[0-9]+-beta[1-9]+$ ]]; then
            TYPE="beta"
-          elif [[ $SEM_VER_SUFFIX =~ -rc[1-9]+$ ]]; then
+          elif [[ $SEM_VER_STR =~ [0-9]+\.[0-9]+\.[0-9]+-rc[1-9]$ ]]; then
            TYPE="rc"
          fi
-
          echo "semVerStr=${SEM_VER_STR}" >> $GITHUB_OUTPUT
          echo "semVerNum=${SEM_VER_NUM}" >> $GITHUB_OUTPUT
-          echo "semVerSuffix=${SEM_VER_SUFFIX}" >> $GITHUB_OUTPUT
          echo "revNum=${REVCOUNT}" >> $GITHUB_OUTPUT
          echo "type=${TYPE}" >> $GITHUB_OUTPUT
        env:
          VERSION_STRING: ${{ inputs.version }}
      - name: Validate Version
-        uses: skymatic/semver-validation-action@7c80b6b03a18b42884761daa9862ff5683ec8c8a # v4.0.0
+        uses: skymatic/semver-validation-action@7a6ae1c9e121540d11c9c7e4e667c83d583aa153 # v3.0.0
        with:
          version: ${{ steps.versions.outputs.semVerStr }}
--- a/.github/workflows/linux-flatpak.yml
+++ b/.github/workflows/linux-flatpak.yml
@@ -1,264 +0,0 @@
-name: Build flatpak
-
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-    inputs:
-      src-tag:
-        description: 'Source or Release tag'
-        required: false
-      create-pr:
-        description: 'Create Flathub PR'
-        required: false
-        type: boolean
-        default: false
-  push:
-    branches-ignore:
-      - 'dependabot/**'
-    paths:
-      - '.github/workflows/get-version.yml'
-      - '.github/workflows/linux-flatpak.yml'
-      - 'dist/linux/flatpak/**'
-      - 'dist/linux/common/**'
-      - 'dist/linux/resources/**'
-
-jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version: ${{ inputs.src-tag }}
-
-  build-flatpak:
-    name: "Build flatpak"
-    needs: [get-version]
-    container:
-      image: ghcr.io/flathub-infra/flatpak-github-actions:freedesktop-25.08
-      options: --privileged
-    strategy:
-      fail-fast: false
-      matrix:
-        variant:
-          - arch: x86_64
-            runner: ubuntu-24.04
-          - arch: aarch64
-            runner: ubuntu-24.04-arm
-    runs-on: ${{ matrix.variant.runner }}
-    permissions:
-      contents: read
-    env:
-      SRC_GIT_SHA: ${{ inputs.src-tag || github.sha}}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          repository: flathub/org.cryptomator.Cryptomator
-          submodules: true
-      - name: Checkout build script
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          path: build-scripts
-      - name: Checkout app source
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          path: cryptomator
-          ref: ${{ env.SRC_GIT_SHA }}
-          fetch-depth: 0
-      - name: Prepare build files
-        # using envsubst instead of yq to keep linebreaks
-        run: |
-          cp -r -f build-scripts/dist/linux/flatpak/* .
-          envsubst '$FLATPAK_VERSION $FLATPAK_REVISION $CRYPTOMATOR_SOURCE' < org.cryptomator.Cryptomator.TEMPLATE.yaml > org.cryptomator.Cryptomator.yaml
-        env:
-          FLATPAK_VERSION: ${{ needs.get-version.outputs.semVerNum }}
-          FLATPAK_REVISION: 1
-          CRYPTOMATOR_SOURCE: |-
-            type: git
-                    path: cryptomator
-                    commit: ${{ env.SRC_GIT_SHA }}
-      - name: Copy build script for upload
-        run: cp org.cryptomator.Cryptomator.yaml org.cryptomator.Cryptomator.${{matrix.variant.arch}}.yaml
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          archive: false
-          if-no-files-found: error
-          path: |
-            org.cryptomator.Cryptomator.${{matrix.variant.arch}}.yaml
-      - uses: flatpak/flatpak-github-actions/flatpak-builder@401fe28a8384095fc1531b9d320b292f0ee45adb # SNAPSHOT due to using keep-build-dirs
-        with:
-          bundle: cryptomator.flatpak
-          manifest-path: org.cryptomator.Cryptomator.yaml
-          cache-key: flatpak-builder-${{ env.SRC_GIT_SHA }}
-          arch: ${{ matrix.variant.arch }}
-          keep-build-dirs: true
-      - name: Collect maven dependencies
-        working-directory: .flatpak-builder/build/cryptomator-1/.m2/repository/
-        run: |
-          find * -type f \( -iname '*.jar' -o -iname '*.pom' \) | sort -V > /tmp/maven-dependency-files.txt
-          grep -v '^org/openjfx/javafx-' /tmp/maven-dependency-files.txt > maven-dependency-files-common.txt
-          grep '^org/openjfx/javafx-' /tmp/maven-dependency-files.txt > maven-dependency-files-javafx.txt
-      - name: Update arch independent maven dependencies
-        run: |
-          (
-            cd .flatpak-builder/build/cryptomator-1/.m2/repository/
-
-            while IFS= read -r dependencyPath; do
-              dependencyName=$(dirname "$dependencyPath")
-              dependencySha=$(sha256sum "$dependencyPath" | cut -c 1-64)
-              cat <<EOF
-          - type: file
-            dest: .m2/repository/${dependencyName}
-            url: https://repo.maven.apache.org/maven2/${dependencyPath}
-            sha256: ${dependencySha}
-          EOF
-            done < maven-dependency-files-common.txt
-          ) > maven-dependencies.yaml
-      - name: Update arch specific maven dependencies
-        run: |
-          (
-            cd .flatpak-builder/build/cryptomator-1/.m2/repository/
-
-            while IFS= read -r dependencyPath; do
-              dependencyName=$(dirname "$dependencyPath")
-              dependencySha=$(sha256sum "$dependencyPath" | cut -c 1-64)
-              cat <<EOF
-          - type: file
-            dest: .m2/repository/${dependencyName}
-            url: https://repo.maven.apache.org/maven2/${dependencyPath}
-            sha256: ${dependencySha}
-            only-arches: [${{ matrix.variant.arch }}]
-          EOF
-            done < maven-dependency-files-javafx.txt
-          ) > javafx-maven-dependencies-${{ matrix.variant.arch }}.yaml
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: maven-sources-${{ matrix.variant.arch }}
-          if-no-files-found: error
-          path: |
-            maven-dependencies.yaml
-            javafx-maven-dependencies-${{ matrix.variant.arch }}.yaml
-
-  verify-maven-sources:
-    name: Verify maven sources
-    runs-on: ubuntu-latest
-    needs: [build-flatpak]
-    permissions:
-      contents: none
-    steps:
-      - name: Download updated maven aarch64 dependencies
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: maven-sources-aarch64
-          path: mvn-src-aarch64
-      - name: Download updated maven x86_64 dependencies
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: maven-sources-x86_64
-          path: mvn-src-x64
-      - name: Verify arch independent maven dependencies
-        run: cmp --silent mvn-src-aarch64/maven-dependencies.yaml mvn-src-x64/maven-dependencies.yaml
-
-  create-pr:
-    name: Create PR for flathub
-    runs-on: ubuntu-latest
-    needs: [get-version, verify-maven-sources]
-    if: (github.event_name == 'workflow_dispatch' && inputs.create-pr ) || (github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable')
-    permissions:
-      contents: write
-    env:
-      TARBALL_URL: 'https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name || inputs.src-tag }}.tar.gz'
-    steps:
-      - name: Check that input "src-tag" is actually a tag
-        if: github.event_name == 'workflow_dispatch'
-        run: |
-          if [ -z "$SRC_TAG" ]; then
-            echo '::error::Input "src-tag" must be set to create a Flathub PR'
-            exit 1
-          fi
-        env:
-          SRC_TAG: ${{ inputs.src-tag }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          repository: flathub/org.cryptomator.Cryptomator
-          submodules: true #TODO: Update submodule!
-          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Checkout release branch
-        run: |
-          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          path: cryptomator
-      - name: Download source tarball and compute checksum
-        id: sha512
-        run: |
-          curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" ${TARBALL_URL} --output cryptomator.tar.gz
-          TARBALL_SHA512=$(sha512sum cryptomator.tar.gz | cut -d ' ' -f1)
-          echo "value=${TARBALL_SHA512}" >> "$GITHUB_OUTPUT"
-      - name: Download updated maven aarch64 dependencies
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: maven-sources-aarch64
-          path: mvn-src-aarch64
-      - name: Download updated maven x86_64 dependencies
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: maven-sources-x86_64
-          path: mvn-src-x64
-      - name: Determine revision
-        id: revision
-        run: |
-          CURRENT_VERSION="$(yq '(.modules[] | select(.name == "cryptomator") | .build-options.env.VERSION)' org.cryptomator.Cryptomator.yaml)"
-          CURRENT_REVISION="$(yq '(.modules[] | select(.name == "cryptomator") | .build-options.env.REVISION_NO)' org.cryptomator.Cryptomator.yaml)"
-
-          if [[ "$CURRENT_VERSION" == "$TARGET_VERSION" && "$CURRENT_REVISION" =~ ^[0-9]+$ ]]; then
-            NEXT_REVISION=$((CURRENT_REVISION + 1))
-          else
-            NEXT_REVISION=1
-          fi
-
-          echo "value=${NEXT_REVISION}" >> "$GITHUB_OUTPUT"
-        env:
-          TARGET_VERSION: ${{ needs.get-version.outputs.semVerStr }}
-      - name: Update build files
-        run: |
-          cp -r -f cryptomator/dist/linux/flatpak/* .
-          cp -r -f mvn-src-x64/* .
-          cp -r -f mvn-src-aarch64/* .
-          envsubst '$FLATPAK_VERSION $FLATPAK_REVISION $CRYPTOMATOR_SOURCE' < org.cryptomator.Cryptomator.TEMPLATE.yaml > org.cryptomator.Cryptomator.yaml
-          yq -i 'del(.modules[] | select(.name == "cryptomator") | .build-options.build-args)' org.cryptomator.Cryptomator.yaml
-          yq -i '(.modules[] | select(.name == "cryptomator") | .sources) += ["maven-dependencies.yaml", "javafx-maven-dependencies-x86_64.yaml", "javafx-maven-dependencies-aarch64.yaml"]' org.cryptomator.Cryptomator.yaml
-        env:
-          FLATPAK_VERSION: ${{ needs.get-version.outputs.semVerNum }}
-          FLATPAK_REVISION: ${{ steps.revision.outputs.value}}
-          CRYPTOMATOR_SOURCE: |-
-            type: archive
-                    sha512: ${{steps.sha512.outputs.value}}
-                    url: ${{ env.TARBALL_URL }}
-      - name: Commit and push
-        run: |
-          git config user.name "cryptobot"
-          git config user.email "cryptobot@users.noreply.github.com"
-          git config push.autoSetupRemote true
-          git stage org.cryptomator.Cryptomator.yaml maven-dependencies.yaml javafx-maven-dependencies-aarch64.yaml javafx-maven-dependencies-x86_64.yaml
-          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
-          git push
-      - name: Create pull request
-        id: create-pr
-        run: |
-          printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md
-          PR_URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
-          echo "FLATHUB_PR_URL=$PR_URL" >> "$GITHUB_OUTPUT"
-        env:
-          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Slack Notification
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
-        if: github.event_name == 'release'
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: ''
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "Flathub release PR created for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
-          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.FLATHUB_PR_URL }}|PR> on how to proceed."
-          SLACK_FOOTER: ''
-          MSG_MINIMAL: true
--- a/.github/workflows/linux-makepkg.yml
+++ b/.github/workflows/linux-makepkg.yml
@@ -1,201 +0,0 @@
-name: Build Arch package
-
-on:
-  release:
-    types: [published]
-  schedule:
-    - cron: '0 21 20 * *'
-  workflow_dispatch:
-    inputs:
-      version:
-        description: 'Version'
-        required: false
-      create-pr:
-          description: 'Create a PR for aur repo'
-          type: boolean
-          default: false
-  push:
-    branches-ignore:
-      - 'dependabot/**'
-    paths:
-      - '.github/workflows/linux-makepkg.yml'
-      - 'dist/linux/makepkg/**'
-      - 'dist/linux/common/**'
-      - 'dist/linux/resources/**'
-
-jobs:
-  get-version:
-    uses: ./.github/workflows/get-version.yml
-    with:
-      version: ${{ inputs.version }}
-
-  makepkg:
-    name: Build with makepkg
-    needs: [get-version]
-    runs-on: ubuntu-latest
-    container:
-      image: archlinux:base-devel
-    env:
-      PKGDEST: ${{ github.workspace }}/pkgdest
-      SRCDEST: ${{ github.workspace }}/srcdest
-    steps:
-      - name: Prepare pacman
-        run: |
-          pacman-key --init
-          pacman-key --populate archlinux
-          pacman -Syu --noconfirm --needed git base-devel sudo gnupg maven unzip
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          path: cryptomator
-      - name: Create build user
-        run: |
-          useradd -m builder
-          echo 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/builder
-          chown -R builder:builder "$GITHUB_WORKSPACE"
-          install -d -m 0755 -o builder -g builder "$PKGDEST" "$SRCDEST"
-      - name: Prepare PKGBUILD
-        # cannot use github.workspace due to https://github.com/actions/runner/issues/2058
-        run: |
-          export SOURCES="${SOURCES_1}${GITHUB_WORKSPACE}${SOURCES_2}"
-          envsubst '$PKG_VERSION $PKG_RELEASE $SOURCES $SOURCES_SHA' < cryptomator/dist/linux/makepkg/PKGBUILD.template > PKGBUILD
-        env:
-          PKG_VERSION: ${{ needs.get-version.outputs.semVerNum }}
-          PKG_RELEASE: 1
-          SOURCES_1: '"${_src_app_dir}::git+file://'
-          SOURCES_2: '/cryptomator"'
-          SOURCES_SHA: "'SKIP'"
-      - name: Build package with makepkg
-        run: >
-          sudo -u builder
-          env PKGDEST="$PKGDEST" SRCDEST="$SRCDEST"
-          makepkg --syncdeps --cleanbuild --noconfirm --log
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: arch-package
-          if-no-files-found: error
-          path: |
-            ${{ env.PKGDEST }}/*.pkg.tar.zst
-      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: pkgbuild-file
-          if-no-files-found: error
-          path: |
-            cryptomator/dist/linux/makepkg/PKGBUILD.template
-
-  create-pr:
-    name: Create PR for aur repo
-    if:  github.event_name == 'workflow_dispatch' && inputs.create-pr || github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable'
-    runs-on: ubuntu-latest
-    needs: [get-version, makepkg]
-    container:
-      image: archlinux:base-devel
-    env:
-      PKGDEST: ${{ github.workspace }}/pkgdest
-      SRCDEST: ${{ github.workspace }}/srcdest
-    steps:
-      - name: Prepare pacman
-        run: |
-          pacman-key --init
-          pacman-key --populate archlinux
-          pacman -Syu --noconfirm --needed git base-devel sudo gnupg maven unzip github-cli curl
-      - name: Download source tarball and compute checksum
-        id: sha256
-        run: |
-          URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${TAG}.tar.gz"
-          curl --silent --fail-with-body --proto "=https" -L -H "Accept: application/vnd.github+json" ${URL} --output cryptomator.tar.gz
-          TARBALL_SHA256=$(sha256sum cryptomator.tar.gz | cut -d ' ' -f1)
-          echo "value=${TARBALL_SHA256}" >> "$GITHUB_OUTPUT"
-        env:
-          TAG: ${{ needs.get-version.outputs.semVerStr || github.event.release.tag_name }}
-      - name: Checkout cryptomator/aur repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          repository: 'cryptomator/aur'
-          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Create build user
-        run: |
-          useradd -m builder
-          echo 'builder ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers.d/builder
-          chown -R builder:builder "$GITHUB_WORKSPACE"
-          install -d -m 0755 -o builder -g builder "$PKGDEST" "$SRCDEST"
-      - name: Import Cryptomator release signing key
-        # try first ubuntu. on failure try openpgp keyservers
-        run: >
-          sudo -u builder gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
-          || sudo -u builder gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys 58117AFA1F85B3EEC154677D615D449FE6E6A235
-      - name: Checkout release branch
-        run: |
-          git config --global safe.directory '*'
-          git checkout -b release/${VERSION}
-        env:
-          VERSION: ${{ needs.get-version.outputs.semVerStr }}
-      - name: Determine pkgrel
-        id: pkgrel
-        run: |
-          CURRENT_VERSION="$(sed -nE 's/^pkgver=(.*)$/\1/p' PKGBUILD | head -n1)"
-          CURRENT_REL="$(sed -nE 's/^pkgrel=([0-9]+).*$/\1/p' PKGBUILD | head -n1)"
-
-          if [[ "$CURRENT_VERSION" == "$TARGET_VERSION" && "$CURRENT_REL" =~ ^[0-9]+$ ]]; then
-            NEXT_REL=$((CURRENT_REL + 1))
-          else
-            NEXT_REL=1
-          fi
-
-          echo "value=${NEXT_REL}" >> "$GITHUB_OUTPUT"
-          echo "dist-version=${TARGET_VERSION}-${NEXT_REL}" >> "$GITHUB_OUTPUT"
-        env:
-          TARGET_VERSION: ${{ needs.get-version.outputs.semVerStr }}
-      - name: Download PKGBUILD template
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: pkgbuild-file
-      - name: Prepare PKGBUILD
-        run: |
-          envsubst '$PKG_VERSION $PKG_RELEASE $SOURCES $SOURCES_SHA' < PKGBUILD.template > PKGBUILD
-          sudo -u builder makepkg --printsrcinfo > .SRCINFO
-        env:
-          PKG_VERSION: ${{ needs.get-version.outputs.semVerNum }}
-          PKG_RELEASE: ${{ steps.pkgrel.outputs.value }}
-          SOURCES: |-
-            "cryptomator-${pkgver//_/-}.tar.gz::https://github.com/cryptomator/cryptomator/archive/refs/tags/${pkgver//_/-}.tar.gz"
-                    "cryptomator-${pkgver//_/-}.tar.gz.asc::https://github.com/cryptomator/cryptomator/releases/download/${pkgver//_/-}/cryptomator-${pkgver//_/-}.tar.gz.asc"
-          SOURCES_SHA: |-
-            '${{steps.sha256.outputs.value}}'
-                        'SKIP'
-      - name: Build package with makepkg
-        run: >
-          sudo -u builder
-          env PKGDEST="$PKGDEST" SRCDEST="$SRCDEST"
-          makepkg --syncdeps --cleanbuild --noconfirm --log
-      - name: Commit and push
-        run: |
-          git config user.name "cryptobot"
-          git config user.email "cryptobot@users.noreply.github.com"
-          git config push.autoSetupRemote true
-          git stage PKGBUILD .SRCINFO
-          git commit -m "Prepare release ${DIST_VERSION}"
-          git push
-        env:
-          DIST_VERSION: ${{ steps.pkgrel.outputs.dist-version }}
-      - name: Create pull request
-        id: create-pr
-        run: |
-          printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md
-          PR_URL=$(gh pr create --title "Release $DIST_VERSION" --body-file pr_body.md)
-          echo "url=$PR_URL" >> "$GITHUB_OUTPUT"
-        env:
-          DIST_VERSION: ${{ steps.pkgrel.outputs.dist-version }}
-          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
-      - name: Slack Notification
-        if: github.event_name == 'release'
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: ''
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "AUR release PR created for ${{ github.event.repository.name }} ${{ steps.pkgrel.outputs.dist-version }} ."
-          SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.url }}|PR> on how to proceed."
-          SLACK_FOOTER: ''
-          MSG_MINIMAL: true
--- a/.github/workflows/mac-dmg-x64.yml
+++ b/.github/workflows/mac-dmg-x64.yml
@@ -9,45 +9,13 @@ name: Build macOS .dmg for x64
 #######################################

 on:
-  schedule:
-    - cron: '0 20 20 * *'
-  workflow_call:
-    inputs:
-      semVerNum:
-        type: string
-        description: 'The Major.Minor.Patch part of the version'
-        required: true
-      revisionNum:
-        type: string
-        description: 'The revision number'
-        required: true
-      semVerSuffix:
-        type: string
-        description: 'The suffix of the version, including dash'
-        required: true
-      notarize:
-        description: 'Notarize'
-        default: true
-        type: boolean
-      upload-to-draft:
-        type: boolean
-        default: true
-    outputs:
-      sha256-dmg:
-        description: "SHA256 sum of the x64 dmg"
-        value: ${{ jobs.build.outputs.sha256sum}}
+  release:
+    types: [published]
  workflow_dispatch:
    inputs:
-      semVerNum:
-        description: 'The Major.Minor.Patch part of the version'
+      version:
+        description: 'Version'
        required: false
-      revisionNum:
-        description: 'The revision number'
-        required: false
-      semVerSuffix:
-        description: 'The suffix of the version, including dash'
-        required: false
-        default: '-SNAPSHOT'
      notarize:
        description: 'Notarize'
        required: true
@@ -56,18 +24,18 @@ on:

 env:
  JAVA_DIST: 'temurin'
-  JAVA_VERSION: '25.0.2+10.0.LTS'
-  VERSION_NUM: ${{ inputs.semVerNum || '99.99.99'}}
-  REVISION_NUM: ${{ inputs.revisionNum || '0' }}
-  VERSION_SUFFIX: ${{ inputs.semVerSuffix || ''}}
-
+  JAVA_VERSION: '25.0.1+8.0.LTS'

 jobs:
-  build:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.version }}
+
+  build-arm:
    name: Build Cryptomator.app for ${{ matrix.output-suffix }}
    runs-on: ${{ matrix.os }}
-    outputs:
-      sha256sum: ${{ steps.sha256sum.outputs.value }}
+    needs: [get-version]
    strategy:
      fail-fast: false
      matrix:
@@ -76,12 +44,12 @@ jobs:
          architecture: x64
          output-suffix: x64
          fuse-lib: macFUSE
-          openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_osx-x64_bin-jmods.zip'
-          openjfx-sha: '0b4d8463f03901b7425d94628e4116b7078abb8dd540fbec415266fac20bda5c'
+          openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_osx-x64_bin-jmods.zip'
+          openjfx-sha: '0eba73fb28a24c845175d16fa2f8c081c936ce6de1be9b79eb6119fa32e53d52'
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -91,7 +59,7 @@ jobs:
      - name: Download OpenJFX jmods
        id: download-jmods
        run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
          echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
          mkdir -p openjfx-jmods/
          unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
@@ -109,7 +77,7 @@ jobs:
            exit 1
          fi
      - name: Set version
-        run : mvn versions:set -DnewVersion="${VERSION_NUM}${VERSION_SUFFIX}"
+        run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
      - name: Run maven
        run: mvn -B clean package -Pmac -DskipTests
      - name: Patch target dir
@@ -149,8 +117,8 @@ jobs:
          --dest appdir
          --name Cryptomator
          --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2026 Skymatic GmbH"
-          --app-version "${VERSION_NUM}"
+          --copyright "(C) 2016 - 2025 Skymatic GmbH"
+          --app-version "${{ needs.get-version.outputs.semVerNum }}"
          --java-options "--enable-preview"
          --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.mac"
          --java-options "-Xss5m"
@@ -159,30 +127,43 @@ jobs:
          --java-options "-Djava.net.useSystemProxies=true"
          --java-options "-Dapple.awt.enableTemplateImages=true"
          --java-options "-Dsun.java2d.metal=true"
-          --java-options "-Dcryptomator.appVersion=\"${VERSION_NUM}${VERSION_SUFFIX}\""
-          --java-options "-Dcryptomator.adminConfigPath=\"/Library/Application Support/Cryptomator/config.properties\""
+          --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
          --java-options "-Dcryptomator.logDir=\"@{userhome}/Library/Logs/Cryptomator\""
+          --java-options "-Dcryptomator.pluginDir=\"@{userhome}/Library/Application Support/Cryptomator/Plugins\""
          --java-options "-Dcryptomator.settingsPath=\"@{userhome}/Library/Application Support/Cryptomator/settings.json\""
          --java-options "-Dcryptomator.p12Path=\"@{userhome}/Library/Application Support/Cryptomator/key.p12\""
          --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/Library/Application Support/Cryptomator/ipc.socket\""
          --java-options "-Dcryptomator.integrationsMac.keychainServiceName=\"Cryptomator\""
          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Library/Application Support/Cryptomator/mnt\""
          --java-options "-Dcryptomator.showTrayIcon=true"
-          --java-options "-Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism"
-          --java-options "-Dcryptomator.buildNumber=\"dmg-${REVISION_NUM}\""
-          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
+          --java-options "-Dcryptomator.buildNumber=\"dmg-${{ needs.get-version.outputs.revNum }}\""
          --mac-package-identifier org.cryptomator
          --resource-dir dist/mac/resources
      - name: Patch Cryptomator.app
        run: |
          mv appdir/Cryptomator.app Cryptomator.app
          mv dist/mac/resources/Cryptomator-Vault.icns Cryptomator.app/Contents/Resources/
-          cp dist/mac/resources/Assets.car Cryptomator.app/Contents/Resources/
-          sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NUM}|g" Cryptomator.app/Contents/Info.plist
-          sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NUM}|g" Cryptomator.app/Contents/Info.plist
+          sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" Cryptomator.app/Contents/Info.plist
+          sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" Cryptomator.app/Contents/Info.plist
          echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output Cryptomator.app/Contents/embedded.provisionprofile
        env:
+          VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
+          REVISION_NO: ${{ needs.get-version.outputs.revNum }}
          PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
+      - name: Build and install DockTilePlugin
+        env:
+          DERIVED_DATA_PATH: dist/mac/DockTilePlugin/build
+        run: |
+          xcodebuild -project dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj \
+                     -scheme DockTilePlugin \
+                     -configuration Release \
+                     -destination "platform=macOS,arch=x86_64" \
+                     -derivedDataPath ${DERIVED_DATA_PATH} \
+                     -quiet \
+                     clean build
+          mkdir -p Cryptomator.app/Contents/PlugIns
+          cp -R ${DERIVED_DATA_PATH}/Build/Products/Release/Cryptomator.docktileplugin Cryptomator.app/Contents/PlugIns/
+          rm -rf ${DERIVED_DATA_PATH}
      - name: Generate license for dmg
        run: >
          mvn -B license:add-third-party
@@ -270,14 +251,16 @@ jobs:
          --eula "dist/mac/dmg/resources/license.rtf"
          --icon ".background" 128 758
          --icon ".VolumeIcon.icns" 512 758
-          Cryptomator-${VERSION_NUM}-${{ matrix.output-suffix }}.dmg dmg
+          Cryptomator-${VERSION_NO}-${{ matrix.output-suffix }}.dmg dmg
+        env:
+          VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
      - name: Codesign .dmg
        run: |
          codesign -s ${CODESIGN_IDENTITY} --timestamp Cryptomator-*.dmg
        env:
          CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
      - name: Notarize .dmg
-        if:  inputs.notarize || github.event_name == 'schedule'
+        if: startsWith(github.ref, 'refs/tags/') || inputs.notarize
        uses: cocoalibs/xcode-notarization-action@5cf433d494b6fa26504b574c591f4dd120388846 # v1.0.3
        with:
          app-path: 'Cryptomator-*.dmg'
@@ -285,12 +268,8 @@ jobs:
          password: ${{ secrets.MACOS_NOTARIZATION_PW }}
          team-id: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
          xcode-path: '/Applications/Xcode_16.app'
-      - id: sha256sum
-        run: |
-          read -ra CMD_OUTPUT < <(shasum -a256 Cryptomator-*.dmg)
-          echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT
      - name: Add possible alpha/beta tags to installer name
-        run: mv Cryptomator-*.dmg "Cryptomator-${VERSION_NUM}${VERSION_SUFFIX}-${{ matrix.output-suffix }}.dmg"
+        run: mv Cryptomator-*.dmg Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.output-suffix }}.dmg
      - name: Create detached GPG signature with key 615D449FE6E6A235
        run: |
          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
@@ -303,7 +282,7 @@ jobs:
        run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
        continue-on-error: true
      - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: dmg-${{ matrix.output-suffix }}
          path: |
@@ -311,10 +290,9 @@ jobs:
            Cryptomator-*.asc
          if-no-files-found: error
      - name: Publish dmg on GitHub Releases
-        if: inputs.upload-to-draft
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
        with:
-          draft: true
          fail_on_unmatched_files: true
          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
          files: |
--- a/.github/workflows/mac-dmg.yml
+++ b/.github/workflows/mac-dmg.yml
@@ -1,45 +1,13 @@
 name: Build macOS .dmg for arm64

 on:
-  schedule:
-    - cron: '0 20 20 * *'
-  workflow_call:
-    inputs:
-      semVerNum:
-        type: string
-        description: 'The Major.Minor.Patch part of the version'
-        required: true
-      revisionNum:
-        type: string
-        description: 'The revision number'
-        required: true
-      semVerSuffix:
-        type: string
-        description: 'The suffix of the version, including dash'
-        required: true
-      notarize:
-        description: 'Notarize'
-        default: true
-        type: boolean
-      upload-to-draft:
-        type: boolean
-        default: true
-    outputs:
-      sha256-dmg:
-        description: "SHA256 sum of the arm64 dmg"
-        value: ${{ jobs.build.outputs.sha256sum}}
+  release:
+    types: [published]
  workflow_dispatch:
    inputs:
-      semVerNum:
-        description: 'The Major.Minor.Patch part of the version'
+      version:
+        description: 'Version'
        required: false
-      revisionNum:
-        description: 'The revision number'
-        required: false
-      semVerSuffix:
-        description: 'The suffix of the version, including dash'
-        required: false
-        default: '-SNAPSHOT'
      notarize:
        description: 'Notarize'
        required: true
@@ -54,18 +22,18 @@ on:

 env:
  JAVA_DIST: 'temurin'
-  JAVA_VERSION: '25.0.2+10.0.LTS'
-  VERSION_NUM: ${{ inputs.semVerNum || '99.99.99'}}
-  REVISION_NUM: ${{ inputs.revisionNum || '0' }}
-  VERSION_SUFFIX: ${{ inputs.semVerSuffix || ''}}
-
+  JAVA_VERSION: '25.0.1+8.0.LTS'

 jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.version }}
+
  build:
    name: Build Cryptomator.app for ${{ matrix.output-suffix }}
    runs-on: ${{ matrix.os }}
-    outputs:
-      sha256sum: ${{ steps.sha256sum.outputs.value }}
+    needs: [get-version]
    strategy:
      fail-fast: false
      matrix:
@@ -74,12 +42,12 @@ jobs:
          architecture: aarch64
          output-suffix: arm64
          fuse-lib: FUSE-T
-          openjfx-url: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_osx-aarch64_bin-jmods.zip'
-          openjfx-sha: '4cd258001c75af7047005c5c891e2400ed11d24fbb09412324c0cbaf8b503c5a'
+          openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_osx-aarch64_bin-jmods.zip'
+          openjfx-sha: '13f8c0513c40c95881479fbcf0465a29a60217393fb0656f5e4eab78a9442fba'
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -89,7 +57,7 @@ jobs:
      - name: Download OpenJFX jmods
        id: download-jmods
        run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
          echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
          mkdir -p openjfx-jmods/
          unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
@@ -107,7 +75,7 @@ jobs:
            exit 1
          fi
      - name: Set version
-        run : mvn versions:set -DnewVersion="${VERSION_NUM}${VERSION_SUFFIX}"
+        run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
      - name: Run maven
        run: mvn -B clean package -Pmac -DskipTests
      - name: Patch target dir
@@ -147,8 +115,8 @@ jobs:
          --dest appdir
          --name Cryptomator
          --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2026 Skymatic GmbH"
-          --app-version "${VERSION_NUM}"
+          --copyright "(C) 2016 - 2025 Skymatic GmbH"
+          --app-version "${{ needs.get-version.outputs.semVerNum }}"
          --java-options "--enable-preview"
          --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.mac"
          --java-options "-Xss5m"
@@ -157,31 +125,44 @@ jobs:
          --java-options "-Djava.net.useSystemProxies=true"
          --java-options "-Dapple.awt.enableTemplateImages=true"
          --java-options "-Dsun.java2d.metal=true"
-          --java-options "-Dcryptomator.appVersion=\"${VERSION_NUM}${VERSION_SUFFIX}\""
-          --java-options "-Dcryptomator.adminConfigPath=\"/Library/Application Support/Cryptomator/config.properties\""
+          --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
          --java-options "-Dcryptomator.logDir=\"@{userhome}/Library/Logs/Cryptomator\""
+          --java-options "-Dcryptomator.pluginDir=\"@{userhome}/Library/Application Support/Cryptomator/Plugins\""
          --java-options "-Dcryptomator.settingsPath=\"@{userhome}/Library/Application Support/Cryptomator/settings.json\""
          --java-options "-Dcryptomator.p12Path=\"@{userhome}/Library/Application Support/Cryptomator/key.p12\""
          --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/Library/Application Support/Cryptomator/ipc.socket\""
          --java-options "-Dcryptomator.integrationsMac.keychainServiceName=\"Cryptomator\""
          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Library/Application Support/Cryptomator/mnt\""
          --java-options "-Dcryptomator.showTrayIcon=true"
-          --java-options "-Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism"
-          --java-options "-Dcryptomator.buildNumber=\"dmg-${REVISION_NUM}\""
+          --java-options "-Dcryptomator.buildNumber=\"dmg-${{ needs.get-version.outputs.revNum }}\""
          --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log"
-          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
          --mac-package-identifier org.cryptomator
          --resource-dir dist/mac/resources
      - name: Patch Cryptomator.app
        run: |
          mv appdir/Cryptomator.app Cryptomator.app
          mv dist/mac/resources/Cryptomator-Vault.icns Cryptomator.app/Contents/Resources/
-          cp dist/mac/resources/Assets.car Cryptomator.app/Contents/Resources/
-          sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NUM}|g" Cryptomator.app/Contents/Info.plist
-          sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NUM}|g" Cryptomator.app/Contents/Info.plist
+          sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" Cryptomator.app/Contents/Info.plist
+          sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" Cryptomator.app/Contents/Info.plist
          echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output Cryptomator.app/Contents/embedded.provisionprofile
        env:
+          VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
+          REVISION_NO: ${{ needs.get-version.outputs.revNum }}
          PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
+      - name: Build and install DockTilePlugin
+        env:
+          DERIVED_DATA_PATH: dist/mac/DockTilePlugin/build
+        run: |
+          xcodebuild -project dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj \
+                     -scheme DockTilePlugin \
+                     -configuration Release \
+                     -destination "platform=macOS,arch=arm64" \
+                     -derivedDataPath ${DERIVED_DATA_PATH} \
+                     -quiet \
+                     clean build
+          mkdir -p Cryptomator.app/Contents/PlugIns
+          cp -R ${DERIVED_DATA_PATH}/Build/Products/Release/Cryptomator.docktileplugin Cryptomator.app/Contents/PlugIns/
+          rm -rf ${DERIVED_DATA_PATH}
      - name: Generate license for dmg
        run: >
          mvn -B license:add-third-party
@@ -269,14 +250,16 @@ jobs:
          --eula "dist/mac/dmg/resources/license.rtf"
          --icon ".background" 128 758
          --icon ".VolumeIcon.icns" 512 758
-          Cryptomator-${VERSION_NUM}-${{ matrix.output-suffix }}.dmg dmg
+          Cryptomator-${VERSION_NO}-${{ matrix.output-suffix }}.dmg dmg
+        env:
+          VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
      - name: Codesign .dmg
        run: |
          codesign -s ${CODESIGN_IDENTITY} --timestamp Cryptomator-*.dmg
        env:
          CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
      - name: Notarize .dmg
-        if:  inputs.notarize || github.event_name == 'schedule'
+        if: startsWith(github.ref, 'refs/tags/') || inputs.notarize
        uses: cocoalibs/xcode-notarization-action@5cf433d494b6fa26504b574c591f4dd120388846 # v1.0.3
        with:
          app-path: 'Cryptomator-*.dmg'
@@ -284,12 +267,8 @@ jobs:
          password: ${{ secrets.MACOS_NOTARIZATION_PW }}
          team-id: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
          xcode-path: '/Applications/Xcode_16.app'
-      - id: sha256sum
-        run: |
-          read -ra CMD_OUTPUT < <(shasum -a256 Cryptomator-*.dmg)
-          echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT
      - name: Add possible alpha/beta tags to installer name
-        run: mv Cryptomator-*.dmg "Cryptomator-${VERSION_NUM}${VERSION_SUFFIX}-${{ matrix.output-suffix }}.dmg"
+        run: mv Cryptomator-*.dmg Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.output-suffix }}.dmg
      - name: Create detached GPG signature with key 615D449FE6E6A235
        run: |
          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
@@ -302,7 +281,7 @@ jobs:
        run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
        continue-on-error: true
      - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: dmg-${{ matrix.output-suffix }}
          path: |
@@ -310,10 +289,9 @@ jobs:
            Cryptomator-*.asc
          if-no-files-found: error
      - name: Publish dmg on GitHub Releases
-        if: inputs.upload-to-draft
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
        with:
-          draft: true
          fail_on_unmatched_files: true
          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
          files: |
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -7,12 +7,12 @@ on:

 jobs:
  no-response:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
        with:
          days-before-stale: 14
          days-before-close: 0
--- a/.github/workflows/post-publish.yml
+++ b/.github/workflows/post-publish.yml
@@ -5,141 +5,35 @@ on:
    types: [published]

 jobs:
-  notify:
-    runs-on: ubuntu-slim
+  get-version:
+    runs-on: ubuntu-latest
    steps:
-      - name: Notify about DEB build
+      - name: Download source tarball
+        run: |
+          curl -L -H "Accept: application/vnd.github+json" https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz --output cryptomator-${{ github.event.release.tag_name }}.tar.gz
+      - name: Sign source tarball with key 615D449FE6E6A235
+        run: |
+          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
+          echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.tar.gz
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+      - name: Publish asc on GitHub Releases
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
+        with:
+          fail_on_unmatched_files: true
+          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          files: |
+            cryptomator-*.tar.gz.asc
+      - name: Slack Notification
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: ''
+          SLACK_ICON: false
          SLACK_ICON_EMOJI: ':bot:'
          SLACK_CHANNEL: 'cryptomator-desktop'
          SLACK_TITLE: "Release ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} published."
          SLACK_MESSAGE: "Ready to <https://github.com/${{ github.repository }}/actions/workflows/debian.yml|build deb Package>."
-          SLACK_FOOTER: ''
-          MSG_MINIMAL: true
-      - name: Notify about latest-version update
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: ''
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "Requiring version check source update for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }}."
-          SLACK_MESSAGE: 'Check S3 bucket for <https://static.cryptomator.org/desktop/latest-version.json|latest-version.json>.'
-          SLACK_FOOTER: ''
-          MSG_MINIMAL: true
-
-  get-asset-urls:
-    name: Get release asset URLs
-    runs-on: ubuntu-slim
-    outputs:
-      is-windows-release: ${{ steps.urls.outputs.urls-present }}
-      msi-url: ${{ steps.urls.outputs.msi }}
-      exe-url: ${{ steps.urls.outputs.exe }}
-    steps:
-      - name: Extract MSI and EXE download URLs
-        id: urls
-        run: |
-          MSI_URL=$(jq -r '[.[] | select(.name | endswith("-x64.msi"))][0].browser_download_url // "null"' <<< "$RELEASE_ASSETS")
-          EXE_URL=$(jq -r '[.[] | select(.name | endswith("-x64.exe"))][0].browser_download_url // "null"' <<< "$RELEASE_ASSETS")
-          if [[ "$MSI_URL" == "null" || -z "$MSI_URL" || "$EXE_URL" == "null" || -z "$EXE_URL" ]]; then
-            echo "urls-present=false" >> $GITHUB_OUTPUT
-          else
-            echo "urls-present=true" >> $GITHUB_OUTPUT
-            echo "msi=${MSI_URL}" >> $GITHUB_OUTPUT
-            echo "exe=${EXE_URL}" >> $GITHUB_OUTPUT
-          fi
-        env:
-          RELEASE_ASSETS: ${{ toJson(github.event.release.assets) }}
-
-  allowlist-msi-x64:
-    needs: [get-asset-urls]
-    if: needs.get-asset-urls.outputs.is-windows-release == 'true'
-    uses: ./.github/workflows/av-whitelist.yml
-    with:
-      url: ${{ needs.get-asset-urls.outputs.msi-url }}
-    secrets: inherit
-
-  allowlist-exe-x64:
-    needs: [get-asset-urls, allowlist-msi-x64]
-    if: needs.get-asset-urls.outputs.is-windows-release == 'true'
-    uses: ./.github/workflows/av-whitelist.yml
-    with:
-      url: ${{ needs.get-asset-urls.outputs.exe-url }}
-    secrets: inherit
-
-  check-release:
-    name: Analyzes the release for certain properties
-    runs-on: ubuntu-slim
-    outputs:
-      release-kind: ${{steps.determine-kind.outputs.value}} # Possible values are [alpha, beta, rc, stable, unknown]
-    steps:
-      - id: determine-kind
-        run: |
-          SEM_VER_NUM=$(echo ${SEM_VER_STR} | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
-          SEM_VER_SUFFIX="${SEM_VER_STR#"$SEM_VER_NUM"}"
-
-          TYPE="unknown"
-          if [[ -z $SEM_VER_SUFFIX  ]]; then
-            TYPE="stable"
-          elif [[ $SEM_VER_SUFFIX =~ -alpha[1-9]+$ ]]; then
-            TYPE="alpha"
-          elif [[ $SEM_VER_SUFFIX =~ -beta[1-9]+$ ]]; then
-            TYPE="beta"
-          elif [[ $SEM_VER_SUFFIX =~ -rc[1-9]+$ ]]; then
-            TYPE="rc"
-          fi
-          echo "value=${TYPE}" >> $GITHUB_OUTPUT
-        env:
-          SEM_VER_STR: ${{ github.event.release.tag_name }}
-
-
-  notify-winget:
-    name: Notify for winget-release
-    if: needs.get-asset-urls.outputs.is-windows-release == 'true' && needs.check-release.outputs.release-kind == 'stable'
-    needs: [check-release, get-asset-urls]
-    runs-on: ubuntu-slim
-    steps:
-      - name: Slack Notification
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: ''
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "Release ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} published."
-          SLACK_MESSAGE: "Ready to <https://github.com/${{ github.repository }}/actions/workflows/winget.yml|release to winget>."
-          SLACK_FOOTER: ''
-          MSG_MINIMAL: true
-
-  trigger-website-update:
-    needs: [check-release]
-    runs-on: ubuntu-slim
-    if: needs.check-release.outputs.release-kind == 'stable'
-    steps:
-      - name: Start website update workflow
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          event-type: desktop-release
-          token: ${{ secrets.CRYPTOBOT_WORKFLOW_DISPATCH_TOKEN }}
-          repository: cryptomator/cryptomator.github.io
-          client-payload: '{ "version": "${{ github.event.release.tag_name }}", "release": ${{ toJson(github.event.release.assets) }} }'
-
-  trigger-docs-update:
-    needs: [check-release, get-asset-urls]
-    runs-on: ubuntu-slim
-    if: needs.get-asset-urls.outputs.is-windows-release == 'true' && needs.check-release.outputs.release-kind == 'stable'
-    steps:
-      - name: Start docs update workflow
-        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
-        with:
-          event-type: desktop-release
-          token: ${{ secrets.CRYPTOBOT_WORKFLOW_DISPATCH_TOKEN }}
-          repository: cryptomator/docs
-          client-payload: '{ "version": "${{ github.event.release.tag_name }}", "release": ${{ toJson(github.event.release.assets) }} }'
-
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true
--- a/.github/workflows/pullrequest.yml
+++ b/.github/workflows/pullrequest.yml
@@ -16,8 +16,8 @@ jobs:
    name: Compile and Test
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
--- a/.github/workflows/release-check.yml
+++ b/.github/workflows/release-check.yml
@@ -19,9 +19,9 @@ jobs:
    name: Validate commits pushed to release/hotfix branch to fulfill release requirements
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -43,14 +43,13 @@ jobs:
            exit 1
          fi
      - name: Validate release in org.cryptomator.Cryptomator.metainfo.xml file
-        if: ${{ ! (contains(github.event.head_commit.message, '[skip metadata check]') || contains(github.event.head_commit.message, '[metadata check skip]')) }}
        run: |
          if ! grep -q "<release date=\".*\" version=\"${{ steps.validate-pom-version.outputs.semVerStr }}\">" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then
            echo "Release not set in dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml"
            exit 1
          fi
      - name: Cache NVD DB
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: ~/.m2/repository/org/owasp/dependency-check-data/
          key: dependency-check-${{ github.run_id }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,12 +7,12 @@ on:

 jobs:
  stale:
-    runs-on: ubuntu-slim
+    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
        with:
          days-before-stale: 365
          days-before-close: 90
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -1,48 +1,13 @@
 name: Build Windows Installer

 on:
-  schedule:
-    - cron: '0 19 20 * *'
-  workflow_call:
-    inputs:
-      semVerNum:
-        type: string
-        description: 'The Major.Minor.Patch part of the version'
-        required: true
-      revisionNum:
-        type: string
-        description: 'The revision number'
-        required: true
-      semVerSuffix:
-        type: string
-        description: 'The suffix of the version, including dash'
-        required: true
-      sign:
-        description: 'Sign binaries'
-        default: true
-        type: boolean
-      upload-to-draft:
-        type: boolean
-        default: true
-    outputs:
-      sha256-msi:
-        description: "SHA256 sum of the x64 msi"
-        value: ${{ jobs.build-msi.outputs.sha256sum}}
-      sha256-exe:
-        description: "SHA256 sum of the x64 exe"
-        value: ${{ jobs.build-exe.outputs.sha256sum}}
+  release:
+    types: [published]
  workflow_dispatch:
    inputs:
-      semVerNum:
-        description: 'The Major.Minor.Patch part of the version'
+      version:
+        description: 'Version'
        required: false
-      revisionNum:
-        description: 'The revision number'
-        required: false
-      semVerSuffix:
-        description: 'The suffix of the version, including dash'
-        required: false
-        default: '-SNAPSHOT'
      sign:
        description: 'Sign binaries'
        required: false
@@ -57,38 +22,38 @@ on:


 env:
-  VERSION_NUM: ${{ inputs.semVerNum || '99.99.99'}}
-  REVISION_NUM: ${{ inputs.revisionNum || '0' }}
-  VERSION_SUFFIX: ${{ inputs.semVerSuffix || ''}}
-  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_windows-x64_bin-jmods.zip'
-  OPENJFX_JMODS_AMD64_HASH: '33d878dfac85590c4d77c518ed413e512d34a8479d90132b230a7ddd173576b3'
+  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_windows-x64_bin-jmods.zip'
+  OPENJFX_JMODS_AMD64_HASH: 'c8eb9fd039b00e0020cf6c3db8ed7876bf3ee4d27860aa697a247b83b8296ae7'
  WINFSP_MSI: 'https://github.com/winfsp/winfsp/releases/download/v2.1/winfsp-2.1.25156.msi'
  WINFSP_MSI_HASH: '073a70e00f77423e34bed98b86e600def93393ba5822204fac57a29324db9f7a'
  WINFSP_UNINSTALLER: 'https://github.com/cryptomator/winfsp-uninstaller/releases/latest/download/winfsp-uninstaller.exe'
-  WIX_VERSION: '6.0.2'

 defaults:
  run:
    shell: bash

 jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.version }}
+
  build-msi:
    name: Build .msi Installer
    runs-on: ${{ matrix.os }}
-    outputs:
-      sha256sum: ${{ steps.sha256sum.outputs.value }}
+    needs: [ get-version ]
    strategy:
      matrix:
        include:
          - arch: x64
            os: windows-latest
            java-dist: 'temurin'
-            java-version: '26.0.1+8'
+            java-version: '26-ea'
            java-package: 'jdk'
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          distribution: ${{ matrix.java-dist }}
          java-version: ${{ matrix.java-version }}
@@ -97,16 +62,14 @@ jobs:
          cache: 'maven'
      - name: Install wix and extensions
        run: |
-          dotnet tool install --global wix --version ${WIX_VERSION}
-          wix.exe extension add --global WixToolset.UI.wixext/${WIX_VERSION}
-          wix.exe extension add --global WixToolset.Util.wixext/${WIX_VERSION}
-        env:
-          WIX_VERSION: ${{ env.WIX_VERSION }}
+          dotnet tool install --global wix --version 6.0.0
+          wix.exe extension add WixToolset.UI.wixext/6.0.0 --global
+          wix.exe extension add WixToolset.Util.wixext/6.0.0 --global
      - name: Download and extract JavaFX jmods from Gluon
        if: matrix.arch == 'x64'
        #In the last step we move all jmods files a dir level up because jmods are placed inside a directory in the zip
        run: |
-          curl --silent --fail-with-body --proto "=https" -L "${{ env.OPENJFX_JMODS_AMD64 }}" --output openjfx-jmods.zip
+          curl --output openjfx-jmods.zip -L "${{ env.OPENJFX_JMODS_AMD64 }}"
          if(!(Get-FileHash -Path openjfx-jmods.zip -Algorithm SHA256).Hash.ToLower().equals("${{ env.OPENJFX_JMODS_AMD64_HASH }}")) {
            throw "Wrong checksum of JMOD archive downloaded from ${{ env.OPENJFX_JMODS_AMD64 }}.";
          }
@@ -128,7 +91,7 @@ jobs:
            exit 1
          fi
      - name: Set version
-        run: mvn versions:set -DnewVersion="${VERSION_NUM}${VERSION_SUFFIX}"
+        run: mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
      - name: Run maven
        run: mvn -B clean package -Pwin -DskipTests
      - name: Patch target dir
@@ -139,10 +102,13 @@ jobs:
        id: jep-493-check
        run: |
          JMOD_PATHS="openjfx-jmods"
+          JVM_JMODS_PRESENT="false"
          if ! $(${JAVA_HOME}/bin/jlink --help | grep -q "Linking from run-time image enabled"); then
            JMOD_PATHS="${JAVA_HOME}/jmods;${JMOD_PATHS}"
+            JVM_JMODS_PRESENT="true"
          fi
          echo "jmod_paths=${JMOD_PATHS}" >> "$GITHUB_OUTPUT"
+          echo "jvm-with-jmods=${JVM_JMODS_PRESENT}" >> "$GITHUB_OUTPUT"
      - name: Run jlink
        # Remark: no compression is applied for improved build compression later (here msi)
        run: >
@@ -168,30 +134,29 @@ jobs:
          --dest appdir
          --name Cryptomator
          --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2026 Skymatic GmbH"
-          --app-version "${VERSION_NUM}.${REVISION_NUM}"
+          --copyright "(C) 2016 - 2025 Skymatic GmbH"
+          --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum }}"
          --java-options "--enable-preview"
          --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.win,org.cryptomator.integrations.win"
          --java-options "-Xss5m"
          --java-options "-Xmx256m"
-          --java-options "-Dcryptomator.appVersion=\"${VERSION_NUM}${VERSION_SUFFIX}\""
+          --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
          --java-options "-Dfile.encoding=\"utf-8\""
          --java-options "-Djava.net.useSystemProxies=true"
-          --java-options "-Dcryptomator.adminConfigPath=\"C:/ProgramData/Cryptomator/config.properties\""
          --java-options "-Dcryptomator.logDir=\"@{localappdata}/Cryptomator\""
+          --java-options "-Dcryptomator.pluginDir=\"@{appdata}/Cryptomator/Plugins\""
          --java-options "-Dcryptomator.settingsPath=\"@{appdata}/Cryptomator/settings.json;@{userhome}/AppData/Roaming/Cryptomator/settings.json\""
          --java-options "-Dcryptomator.p12Path=\"@{appdata}/Cryptomator/key.p12;@{userhome}/AppData/Roaming/Cryptomator/key.p12\""
          --java-options "-Dcryptomator.ipcSocketPath=\"@{localappdata}/Cryptomator/ipc.socket\""
          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Cryptomator\""
          --java-options "-Dcryptomator.loopbackAlias=\"cryptomator-vault\""
          --java-options "-Dcryptomator.showTrayIcon=true"
-          --java-options "-Dcryptomator.buildNumber=\"msi-${REVISION_NUM}\""
+          --java-options "-Dcryptomator.buildNumber=\"msi-${{ needs.get-version.outputs.revNum }}\""
          --java-options "-Dcryptomator.integrationsWin.autoStartShellLinkName=\"Cryptomator\""
          --java-options "-Dcryptomator.integrationsWin.keychainPaths=\"@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json\""
          --java-options "-Dcryptomator.integrationsWin.windowsHelloKeychainPaths=\"@{appdata}/Cryptomator/windowsHelloKeychain.json\""
          --java-options "-Dcryptomator.disableUpdateCheck=false"
          --java-options "-XX:ErrorFile=C:/cryptomator/cryptomator_crash.log"
-          --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true"
          --resource-dir dist/win/resources
          --icon dist/win/resources/Cryptomator.ico
          --add-launcher "Cryptomator (Debug)=dist/win/debug-launcher.properties"
@@ -220,12 +185,8 @@ jobs:
              }
              $jar.Dispose()
          }
-      - name: Get msi helper dll for code signing
-        run: |
-          ${JAVA_HOME}/bin/jpackage --type msi --win-upgrade-uuid bda45523-42b1-4cae-9354-a45475ed4775 --app-image appdir/Cryptomator --dest /tmp/ --name Test --vendor Test --copyright "None" --app-version "1.0" --temp msi-helper
-          find ./msi-helper/ -type f -name msica.dll -exec mv {} ./appdir \;
      - name: Sign DLLs with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'schedule'
+        if: inputs.sign || github.event_name == 'release'
        uses: ./.github/actions/win-sign-action
        with:
          base-dir: ${{ github.workspace }}\appdir
@@ -234,6 +195,17 @@ jobs:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+      - name: Sign DLLs with Actalis CodeSigner
+        if: inputs.sign || github.event_name == 'release'
+        uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f # no specific version
+        with:
+          base-dir: 'appdir'
+          file-extensions: 'dll,exe,ps1'
+          recursive: true
+          sign-description: 'Cryptomator'
+          sign-url: 'https://cryptomator.org'
+          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
+          password: ${{ secrets.WIN_CODESIGN_PW }}
      - name: Replace DLLs inside jars with signed ones
        shell: pwsh
        run: |
@@ -259,16 +231,6 @@ jobs:
          "-Dlicense.failOnMissing=true"
          "-Dlicense.licenseMergesUrl=file:///${{ github.workspace }}/license/merges"
        shell: pwsh
-      - name: Create file association file from template
-        working-directory: dist/win
-        run: |
-          $Env:JP_WIXWIZARD_RESOURCES_PROPERTIES_FORMAT = "${Env:JP_WIXWIZARD_RESOURCES}".Replace('\', '\\');
-          Get-Content .\resources\FAvaultFile.template.properties `
-            | ForEach-Object { $ExecutionContext.InvokeCommand.ExpandString($_) } `
-            | Out-File -FilePath .\resources\FAvaultFile.properties
-        env:
-          JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources/ # requires abs path, used in resources/main.wxs
-        shell: pwsh
      - name: Create MSI
        run: >
          ${JAVA_HOME}/bin/jpackage
@@ -279,21 +241,21 @@ jobs:
          --dest installer
          --name Cryptomator
          --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2026 Skymatic GmbH"
-          --app-version "${VERSION_NUM}.${REVISION_NUM}"
+          --copyright "(C) 2016 - 2025 Skymatic GmbH"
+          --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum}}"
          --win-menu
          --win-dir-chooser
          --win-shortcut-prompt
-          --win-update-url "https://cryptomator.org/downloads"
+          --win-update-url "https:\\cryptomator.org\downloads"
          --win-menu-group Cryptomator
          --resource-dir dist/win/resources
          --license-file dist/win/resources/license.rtf
          --file-associations dist/win/resources/FAvaultFile.properties
        env:
-          JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources/ # requires abs path, used in resources/main.wxs
-          JP_WIXHELPER_DIR: ${{ github.workspace }}\appdir\
+          JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources # requires abs path, used in resources/main.wxs
+          JP_WIXHELPER_DIR: ${{ github.workspace }}\appdir
      - name: Sign MSI with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'schedule'
+        if: inputs.sign || github.event_name == 'release'
        uses: ./.github/actions/win-sign-action
        with:
          base-dir: ${{ github.workspace }}\installer
@@ -302,12 +264,8 @@ jobs:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-      - id: sha256sum
-        run: |
-          read -ra CMD_OUTPUT < <(sha256sum installer/Cryptomator-*.msi)
-          echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT
      - name: Add possible alpha/beta tags and architecture to installer name
-        run: mv installer/Cryptomator-*.msi "Cryptomator-${VERSION_NUM}${VERSION_SUFFIX}-${{ matrix.arch }}.msi"
+        run: mv installer/Cryptomator-*.msi Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.arch }}.msi
      - name: Create detached GPG signature with key 615D449FE6E6A235
        run: |
          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
@@ -316,7 +274,7 @@ jobs:
          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
      - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: msi-${{ matrix.arch }}
          path: |
@@ -327,9 +285,7 @@ jobs:
  build-exe:
    name: Build .exe installer
    runs-on: ${{ matrix.os }}
-    needs: [ build-msi ]
-    outputs:
-      sha256sum: ${{ steps.sha256sum.outputs.value }}
+    needs: [ get-version, build-msi ]
    strategy:
      matrix:
        include:
@@ -340,23 +296,21 @@ jobs:
            java-version: '24.0.1+9'
            java-package: 'jdk'
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Install wix and extensions
        run: |
-          dotnet tool install --global wix --version ${WIX_VERSION}
-          wix.exe extension add --global WixToolset.BootstrapperApplications.wixext/${WIX_VERSION}
-          wix.exe extension add --global WixToolset.Util.wixext/${WIX_VERSION}
-        env:
-          WIX_VERSION: ${{ env.WIX_VERSION }}
+          dotnet tool install --global wix --version 6.0.0
+          wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.0 --global
+          wix.exe extension add WixToolset.Util.wixext/6.0.0 --global
      - name: Download .msi
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: msi-${{ matrix.arch }}
          path: dist/win/bundle/resources
      - name: Strip version info from msi file name
        run: mv dist/win/bundle/resources/Cryptomator*.msi dist/win/bundle/resources/Cryptomator.msi
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          distribution: ${{ matrix.java-dist }}
          java-version: ${{ matrix.java-version }}
@@ -376,39 +330,38 @@ jobs:
        shell: pwsh
      - name: Download WinFsp
        run: |
-          curl --silent --fail-with-body --proto "=https" -L "$env:WINFSP_MSI" --output $env:WINFSP_PATH
-          $computedHash = (Get-FileHash -Path "$env:WINFSP_PATH" -Algorithm SHA256).Hash.ToLower()
-          if ($computedHash -ne "$env:WINFSP_MSI_HASH") {
-            throw "Checksum mismatch for ${env:WINFSP_PATH} (expected ${env:WINFSP_MSI_HASH}, got $computedHash)."
+          curl --output $env:WINFSP_PATH -L ${{ env.WINFSP_MSI }}
+          $computedHash = (Get-FileHash -Path $env:WINFSP_PATH -Algorithm SHA256).Hash.ToLower()
+          if ($computedHash -ne "${{ env.WINFSP_MSI_HASH }}") {
+            throw "Checksum mismatch for $env:WINFSP_PATH (expected ${{ env.WINFSP_MSI_HASH }}, got $computedHash)."
          }
        env:
          WINFSP_PATH: 'dist/win/bundle/resources/winfsp.msi'
        shell: pwsh
      - name: Download Legacy-WinFsp uninstaller
        run: |
-          curl --silent --fail-with-body --proto "=https" -L ${{ env.WINFSP_UNINSTALLER }} --output dist/win/bundle/resources/winfsp-uninstaller.exe
+          curl --output dist/win/bundle/resources/winfsp-uninstaller.exe -L ${{ env.WINFSP_UNINSTALLER }}
        shell: pwsh
      - name: Create Wix Burn bundle
        working-directory: dist/win
        run: >
          wix build
          -define BundleName="Cryptomator"
-          -define BundleVersion="${VERSION_NUM}.${REVISION_NUM}"
+          -define BundleVersion="${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum}}"
          -define BundleVendor="Skymatic GmbH"
-          -define BundleCopyright="(C) 2016 - 2026 Skymatic GmbH"
+          -define BundleCopyright="(C) 2016 - 2025 Skymatic GmbH"
          -define AboutUrl="https://cryptomator.org"
          -define HelpUrl="https://cryptomator.org/contact"
          -define UpdateUrl="https://cryptomator.org/downloads/"
          -ext "WixToolset.Util.wixext"
          -ext "WixToolset.BootstrapperApplications.wixext"
          ./bundle/bundleWithWinfsp.wxs
-          -out "../../installer/Cryptomator-Installer.exe"
+          -out "../../installer/unsigned/Cryptomator-Installer.exe"
      - name: Detach burn engine in preparation to sign
-        if: inputs.sign || github.event_name == 'schedule'
        run: >
-          wix burn detach installer/Cryptomator-Installer.exe -engine tmp/engine.exe
+          wix burn detach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe
      - name: Sign WiX burn engine with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'schedule'
+        if: inputs.sign || github.event_name == 'release'
        uses: ./.github/actions/win-sign-action
        with:
          base-dir: ${{ github.workspace }}\tmp
@@ -418,14 +371,21 @@ jobs:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+      - name: Sign burn engine with Actalis CodeSigner
+        if: inputs.sign || github.event_name == 'release'
+        uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f # no specific version
+        with:
+          base-dir: 'tmp'
+          file-extensions: 'exe'
+          sign-description: 'Cryptomator Bundle Installer'
+          sign-url: 'https://cryptomator.org'
+          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
+          password: ${{ secrets.WIN_CODESIGN_PW }}
      - name: Reattach signed burn engine to installer
-        if: inputs.sign || github.event_name == 'schedule'
-        shell: pwsh
-        run: |
-          Move-Item -Path installer/Cryptomator-Installer.exe -Destination tmp/Cryptomator-Installer.exe
-          wix burn reattach tmp/Cryptomator-Installer.exe -engine tmp/engine.exe -o installer/Cryptomator-Installer.exe
+        run: >
+          wix burn reattach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe -o installer/Cryptomator-Installer.exe
      - name: Sign EXE installer with Azure Trusted Signing
-        if: inputs.sign || github.event_name == 'schedule'
+        if: inputs.sign || github.event_name == 'release'
        uses: ./.github/actions/win-sign-action
        with:
          base-dir: ${{ github.workspace }}\installer
@@ -435,12 +395,18 @@ jobs:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
-      - id: sha256sum
-        run: |
-          read -ra CMD_OUTPUT < <(sha256sum installer/Cryptomator-*.exe)
-          echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT
+      - name: Sign installer with Actalis CodeSigner
+        if: inputs.sign || github.event_name == 'release'
+        uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f # no specific version
+        with:
+          base-dir: 'installer'
+          file-extensions: 'exe'
+          sign-description: 'Cryptomator Bundle Installer'
+          sign-url: 'https://cryptomator.org'
+          username: ${{ secrets.WIN_CODESIGN_USERNAME }}
+          password: ${{ secrets.WIN_CODESIGN_PW }}
      - name: Add possible alpha/beta tags to installer name
-        run: mv installer/Cryptomator-Installer.exe "Cryptomator-${VERSION_NUM}${VERSION_SUFFIX}-${{ matrix.executable-suffix }}.exe"
+        run: mv installer/Cryptomator-Installer.exe Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.executable-suffix }}.exe
      - name: Create detached GPG signature with key 615D449FE6E6A235
        run: |
          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
@@ -449,7 +415,7 @@ jobs:
          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
      - name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: exe-${{ matrix.executable-suffix }}
          path: |
@@ -459,22 +425,58 @@ jobs:

  publish:
    name: Publish installers to the github release
-    if: inputs.upload-to-draft
+    if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
    runs-on: ubuntu-latest
    needs: [ build-msi, build-exe ]
+    outputs:
+      download-url-msi-x64: ${{ fromJSON(steps.publish.outputs.assets)[0].browser_download_url }}
+      download-url-exe-x64: ${{ fromJSON(steps.publish.outputs.assets)[2].browser_download_url }}
    steps:
      - name: Download installers
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          merge-multiple: true
      - name: Publish installers on GitHub Releases
        id: publish
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2.4.1
        with:
-          draft: true
          fail_on_unmatched_files: true
          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          # do not change ordering of filelist, required for correct job output
          files: |
            *x64.msi
            *x64.exe
            *.asc
+
+  allowlist-msi-x64:
+    uses: ./.github/workflows/av-whitelist.yml
+    needs: [ publish ]
+    with:
+      url: ${{ needs.publish.outputs.download-url-msi-x64 }}
+    secrets: inherit
+
+  allowlist-exe-x64:
+    uses: ./.github/workflows/av-whitelist.yml
+    needs: [ publish, allowlist-msi-x64 ]
+    with:
+      url: ${{ needs.publish.outputs.download-url-exe-x64 }}
+    secrets: inherit
+
+  notify-winget:
+    name: Notify for winget-release
+    if: needs.get-version.outputs.versionType == 'stable'
+    needs: [publish, get-version]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "MSI packages of ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} published."
+          SLACK_MESSAGE: "Ready to <https://github.com/${{ github.repository }}/actions/workflows/winget.yml| release them to winget>."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true
--- a/.github/workflows/winget.yml
+++ b/.github/workflows/winget.yml
@@ -18,7 +18,7 @@ jobs:
        env:
          GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
      - name: Submit package
-        uses: vedantmgoyal2009/winget-releaser@7bd472be23763def6e16bd06cc8b1cdfab0e2fd5 # no_specific_version
+        uses: vedantmgoyal2009/winget-releaser@19e706d4c9121098010096f9c495a70a7518b30f # no_specific_version
        with:
          identifier: Cryptomator.Cryptomator
          version: ${{ inputs.tag }}
--- a/.idea/compiler.xml
+++ b/.idea/compiler.xml
@@ -12,15 +12,17 @@
        <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
        <outputRelativeToContentRoot value="true" />
        <option name="dagger.fastInit" value="enabled" />
+        <option name="dagger.formatGeneratedSource" value="enabled" />
        <processorPath useClasspath="false">
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.59.1/dagger-compiler-2.59.1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.59.1/dagger-2.59.1.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.57.2/dagger-compiler-2.57.2.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.57.2/dagger-2.57.2.jar" />
          <entry name="$MAVEN_REPOSITORY$/jakarta/inject/jakarta.inject-api/2.0.1/jakarta.inject-api-2.0.1.jar" />
          <entry name="$MAVEN_REPOSITORY$/org/jspecify/jspecify/1.0.0/jspecify-1.0.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.59.1/dagger-spi-2.59.1.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.57.2/dagger-spi-2.57.2.jar" />
          <entry name="$MAVEN_REPOSITORY$/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/2.2.20-2.0.3/symbol-processing-api-2.2.20-2.0.3.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/googlejavaformat/google-java-format/1.33.0/google-java-format-1.33.0.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/2.1.21-2.0.2/symbol-processing-api-2.1.21-2.0.2.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/googlejavaformat/google-java-format/1.5/google-java-format-1.5.jar" />
+          <entry name="$MAVEN_REPOSITORY$/com/google/errorprone/javac-shaded/9-dev-r4023-3/javac-shaded-9-dev-r4023-3.jar" />
          <entry name="$MAVEN_REPOSITORY$/com/google/guava/failureaccess/1.0.2/failureaccess-1.0.2.jar" />
          <entry name="$MAVEN_REPOSITORY$/com/google/guava/guava/33.0.0-jre/guava-33.0.0-jre.jar" />
          <entry name="$MAVEN_REPOSITORY$/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar" />
@@ -35,33 +37,8 @@
          <entry name="$MAVEN_REPOSITORY$/javax/inject/javax.inject/1/javax.inject-1.jar" />
          <entry name="$MAVEN_REPOSITORY$/net/ltgt/gradle/incap/incap/0.2/incap-0.2.jar" />
          <entry name="$MAVEN_REPOSITORY$/org/checkerframework/checker-compat-qual/2.5.3/checker-compat-qual-2.5.3.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-metadata-jvm/2.2.20/kotlin-metadata-jvm-2.2.20.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/2.2.20/kotlin-stdlib-2.2.20.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/annotations/13.0/annotations-13.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-compiler/2.59.1/dagger-compiler-2.59.1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger/2.59.1/dagger-2.59.1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/jakarta/inject/jakarta.inject-api/2.0.1/jakarta.inject-api-2.0.1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jspecify/jspecify/1.0.0/jspecify-1.0.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/dagger/dagger-spi/2.59.1/dagger-spi-2.59.1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/devtools/ksp/symbol-processing-api/2.2.20-2.0.3/symbol-processing-api-2.2.20-2.0.3.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/googlejavaformat/google-java-format/1.33.0/google-java-format-1.33.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/guava/failureaccess/1.0.2/failureaccess-1.0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/guava/guava/33.0.0-jre/guava-33.0.0-jre.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/checkerframework/checker-qual/3.41.0/checker-qual-3.41.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/errorprone/error_prone_annotations/2.23.0/error_prone_annotations-2.23.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/google/j2objc/j2objc-annotations/2.8/j2objc-annotations-2.8.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/squareup/javapoet/1.13.0/javapoet-1.13.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/com/squareup/kotlinpoet/1.11.0/kotlinpoet-1.11.0.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk8/1.6.10/kotlin-stdlib-jdk8-1.6.10.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib-jdk7/1.6.10/kotlin-stdlib-jdk7-1.6.10.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-reflect/1.6.10/kotlin-reflect-1.6.10.jar" />
-          <entry name="$MAVEN_REPOSITORY$/javax/inject/javax.inject/1/javax.inject-1.jar" />
-          <entry name="$MAVEN_REPOSITORY$/net/ltgt/gradle/incap/incap/0.2/incap-0.2.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/checkerframework/checker-compat-qual/2.5.3/checker-compat-qual-2.5.3.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-metadata-jvm/2.2.20/kotlin-metadata-jvm-2.2.20.jar" />
-          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/2.2.20/kotlin-stdlib-2.2.20.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-metadata-jvm/2.1.21/kotlin-metadata-jvm-2.1.21.jar" />
+          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/kotlin/kotlin-stdlib/2.1.21/kotlin-stdlib-2.1.21.jar" />
          <entry name="$MAVEN_REPOSITORY$/org/jetbrains/annotations/13.0/annotations-13.0.jar" />
        </processorPath>
        <module name="cryptomator" />
@@ -70,7 +47,7 @@
  </component>
  <component name="JavacSettings">
    <option name="ADDITIONAL_OPTIONS_OVERRIDE">
-      <module name="cryptomator" options="-Adagger.fastInit=enabled" />
+      <module name="cryptomator" options="-Adagger.fastInit=enabled -Adagger.formatGeneratedSource=enabled" />
    </option>
  </component>
 </project>
--- a/.idea/inspectionProfiles/Project_Default.xml
+++ b/.idea/inspectionProfiles/Project_Default.xml
@@ -1,8 +1,10 @@
 <component name="InspectionProjectProfileManager">
  <profile version="1.0">
    <option name="myName" value="Project Default" />
-    <inspection_tool class="Deprecation" enabled="true" level="WARNING" enabled_by_default="true" editorAttributes="DEPRECATED_ATTRIBUTES" />
-    <inspection_tool class="MarkedForRemoval" enabled="true" level="WARNING" enabled_by_default="true" editorAttributes="MARKED_FOR_REMOVAL_ATTRIBUTES" />
-    <inspection_tool class="RedundantScheduledForRemovalAnnotation" enabled="true" level="WARNING" enabled_by_default="true" editorAttributes="MARKED_FOR_REMOVAL_ATTRIBUTES" />
+    <inspection_tool class="SpellCheckingInspection" enabled="true" level="TYPO" enabled_by_default="true">
+      <option name="processCode" value="true" />
+      <option name="processLiterals" value="true" />
+      <option name="processComments" value="true" />
+    </inspection_tool>
  </profile>
 </component>
--- a/.idea/runConfigurations/Cryptomator_Linux.xml
+++ b/.idea/runConfigurations/Cryptomator_Linux.xml
@@ -2,7 +2,7 @@
  <configuration default="false" name="Cryptomator Linux" type="Application" factoryName="Application">
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator/mnt&quot; -Dcryptomator.showTrayIcon=true -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/.idea/runConfigurations/Cryptomator_Linux_Dev.xml
+++ b/.idea/runConfigurations/Cryptomator_Linux_Dev.xml
@@ -2,7 +2,7 @@
  <configuration default="false" name="Cryptomator Linux Dev" type="Application" factoryName="Application">
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Dfuse.experimental=&quot;true&quot; -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{userhome}/.config/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/.config/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/.config/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/logs&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/.local/share/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dfuse.experimental=&quot;true&quot; -Xss20m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/.idea/runConfigurations/Cryptomator_Windows.xml
+++ b/.idea/runConfigurations/Cryptomator_Windows.xml
@@ -2,7 +2,7 @@
  <configuration default="false" name="Cryptomator Windows" type="Application" factoryName="Application">
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator/settings.json;@{userhome}/AppData/Roaming/Cryptomator/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator/key.p12;@{userhome}/AppData/Roaming/Cryptomator/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator/settings.json;@{userhome}/AppData/Roaming/Cryptomator/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator/key.p12;@{userhome}/AppData/Roaming/Cryptomator/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/.idea/runConfigurations/Cryptomator_Windows_Dev.xml
+++ b/.idea/runConfigurations/Cryptomator_Windows_Dev.xml
@@ -2,7 +2,7 @@
  <configuration default="false" name="Cryptomator Windows Dev" type="Application" factoryName="Application">
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator-Dev/settings.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator-Dev/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator-Dev/keychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator-Dev/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator-Dev/key.p12;@{userhome}/AppData/Roaming/Cryptomator-Dev/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator-Dev&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dcryptomator.settingsPath=&quot;@{appdata}/Cryptomator-Dev/settings.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/settings.json&quot; -Dcryptomator.ipcSocketPath=&quot;@{localappdata}/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{localappdata}/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{appdata}/Cryptomator-Dev/Plugins&quot; -Dcryptomator.integrationsWin.keychainPaths=&quot;@{appdata}/Cryptomator-Dev/keychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/keychain.json&quot; -Dcryptomator.integrationsWin.windowsHelloKeychainPaths=&quot;@{appdata}/Cryptomator-Dev/windowsHelloKeychain.json;@{userhome}/AppData/Roaming/Cryptomator-Dev/windowsHelloKeychain.json&quot; -Dcryptomator.p12Path=&quot;@{appdata}/Cryptomator-Dev/key.p12;@{userhome}/AppData/Roaming/Cryptomator-Dev/key.p12&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator-Dev&quot; -Dcryptomator.showTrayIcon=true -Xss2m -Xmx512m --enable-preview --enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/.idea/runConfigurations/Cryptomator_macOS.xml
+++ b/.idea/runConfigurations/Cryptomator_macOS.xml
@@ -5,7 +5,7 @@
    </envs>
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Cryptomator&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/.idea/runConfigurations/Cryptomator_macOS_Dev.xml
+++ b/.idea/runConfigurations/Cryptomator_macOS_Dev.xml
@@ -5,7 +5,7 @@
    </envs>
    <option name="MAIN_CLASS_NAME" value="org.cryptomator.launcher.Cryptomator" />
    <module name="cryptomator" />
-    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Dcryptomator.hub.enableTrustOnFirstUse=true -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
+    <option name="VM_PARAMETERS" value="-Dapple.awt.enableTemplateImages=true -Dcryptomator.settingsPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/settings.json&quot; -Dcryptomator.p12Path=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/key.p12&quot; -Dcryptomator.ipcSocketPath=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/ipc.socket&quot; -Dcryptomator.logDir=&quot;@{userhome}/Library/Logs/Cryptomator-Dev&quot; -Dcryptomator.pluginDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/Plugins&quot; -Dcryptomator.mountPointsDir=&quot;@{userhome}/Library/Application Support/Cryptomator-Dev/mnt&quot; -Dcryptomator.showTrayIcon=true -Dcryptomator.integrationsMac.keychainServiceName=Cryptomator -Xss2m -Xmx512m -ea --enable-preview --enable-native-access=org.cryptomator.jfuse.mac,javafx.graphics" />
    <method v="2">
      <option name="Make" enabled="true" />
    </method>
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,90 +0,0 @@
-# Changelog
-
-All notable changes to this project will be documented in this file.
-
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
-
-The changelog starts with version 1.19.0.
-Changes to prior versions can be found on the [Github release page](https://github.com/cryptomator/cryptomator/releases).
-
-
-## [Unreleased](https://github.com/cryptomator/cryptomator/compare/1.19.2...HEAD)
-
-### Changed
-* Refactored release pipeline to allow immutable releases ([#4205](https://github.com/cryptomator/cryptomator/pull/4205))
-
-
-## [1.19.2](https://github.com/cryptomator/cryptomator/releases/1.19.2) - 2026-03-20
-
-### Security
-* Cryptomamtor Hub Vaults: Additional patch for (#4179, [GHSA-34rf-rwr3-7g43](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43))
-
-
-## [1.19.1](https://github.com/cryptomator/cryptomator/releases/1.19.1) - 2026-03-12
-
-### Security
-* Cryptomamtor Hub Vaults: Fixed possible man-in-the-middle attack with tampered vault config (#4179, [GHSA-34rf-rwr3-7g43](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-34rf-rwr3-7g43))
-* Disallow unencrypted http connections to hub by default ([CVE-2026-32309](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-vv33-h7qx-c264))
-* Disallow loading of masterkey file from arbitrary paths (#4180, [CVE-2026-32310](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-5phc-5pfx-hr52))
-* Fixed not-configured plugin directory does not disable plugin search ([#4176](https://github.com/cryptomator/cryptomator/pull/4176))
-
-### Added
-* Trust on first use, adding new config properties `cryptomator.hub.allowedHosts` and `cryptomator.hub.enableTrustOnFirstUse` (#4179)
-
-### Fixed
-* Fixed Finder window opens twice when revealing vault on macOS ([#4177](https://github.com/cryptomator/cryptomator/pull/4177))
-* Fixed app does not start due to secret service detection failure on Linux ([#4175](https://github.com/cryptomator/cryptomator/pull/4175))
-
-### Changed
-* Pin version of appimagetool([#4181](https://github.com/cryptomator/cryptomator/pull/4181))
-* Updated translations
-* Updated dependencies:
-  * `org.cryptomator:integrations-api` from 1.8.0-beta1 to 1.8.0
-  * `org.cryptomator:integrations-linux` from 1.7.0-beta4 to 1.7.0
-  * `org.cryptomator:integrations-mac` from 1.5.0-beta3 to 1.5.0
-
-
-
-## [1.19.0](https://github.com/cryptomator/cryptomator/releases/tag/1.19.0) - 2026-03-09
-
-### Added
-* Self-Update Mechanism ([#3948](https://github.com/cryptomator/cryptomator/pull/3948))
-  * Implemented `.dmg` update mechanism
-  * Implemented Flatpak update mechanism
-* App notifications ([#4069](https://github.com/cryptomator/cryptomator/pull/4069))
-* Mark files in-use for Hub vaults ([#4078](https://github.com/cryptomator/cryptomator/pull/4078))
-* Accessibility: Adjust app to be used with a screen reader ([#547](https://github.com/cryptomator/cryptomator/issues/547))
-* Show Archived Vault Dialog on unlock when Hub returns 410 ([#4081](https://github.com/cryptomator/cryptomator/pull/4081))
-* Support automatic app theme selection according to OS theme on Linux ([#4027](https://github.com/cryptomator/cryptomator/issues/4027))
-* Admin configuration: Allow overwriting certain app properties by external config file ([#4105](https://github.com/cryptomator/cryptomator/pull/4105))
-* New keychain backend using [secret service API](https://specifications.freedesktop.org/secret-service/0.2) for Linux ([#4025](https://github.com/cryptomator/cryptomator/pull/4025))
-* Liquid Glass icon for macOS ([#4166](https://github.com/cryptomator/cryptomator/pull/4166))
-
-### Fixed
-* Fixed password reset/show recovery possible for vaults without masterkey file ([#4120](https://github.com/cryptomator/cryptomator/pull/4120))
-* Fixed restore vault config failed due to selecting a directory instead of file ([#4141](https://github.com/cryptomator/cryptomator/issues/4141))
-* Fixed leaking of cleartext paths into application log ([GHSA-j83j-mwhc-rcgw](https://github.com/cryptomator/cryptomator/security/advisories/GHSA-j83j-mwhc-rcgw))
-
-### Changed
-* Disable user defined app start config on Windows ([#4132](https://github.com/cryptomator/cryptomator/issues/4132))
-* Disable plugin loading by default ([#4136](https://github.com/cryptomator/cryptomator/4136))
-* Use JDK 25 ([#4031](https://github.com/cryptomator/cryptomator/pull/4031))
-* Update JavaFX to 25.0.2 ([#4145](https://github.com/cryptomator/cryptomator/pull/4145))
-* Updated translations
-* Updated dependencies
-  * `ch.qos.logback:*` from 1.5.19 to 1.5.32
-  * `com.fasterxml.jackson.core:jackson-databind` from 2.20.0 to 2.21.1
-  * `com.fasterxml.jackson.datatype:jackson-datatype-jsr310` from 2.20.0 to 2.21.1
-  * `com.github.ben-manes.caffeine:caffeine` from 3.2.2 to 3.2.3
-  * `com.google.dagger:*` from 2.57.2 to 2.59.2
-  * `org.apache.commons:commons-lang3` from 3.19.0 to 3.20.0
-  * `org.cryptomator:cryptofs` from 2.9.0 to 2.10.0
-  * `org.cryptomator:cryptolib` from 2.2.1 to 2.2.2
-  * `org.cryptomator:fuse-nio-adapter` from 5.1.0 to 6.0.1
-  * `org.cryptomator:integrations-api` from 1.7.0 to 1.8.0-beta1
-  * `org.cryptomator:integrations-linux` from 1.6.1 to 1.7.0-beta4
-  * `org.cryptomator:integrations-mac` from 1.4.1 to 1.5.0-beta3
-  * `org.cryptomator:integrations-win` from 1.5.1 to 1.6.0
-  * `org.cryptomator:webdav-nio-adapter` from 3.0.0 to 3.0.1
-  * `org.cryptomator:webdav-nio-adapter-servlet` to 1.2.12
-
--- a/README.md
+++ b/README.md
@@ -78,7 +78,7 @@ For more information on the security details visit [cryptomator.org](https://doc

 ### Dependencies

-* JDK 25 (e.g. temurin, zulu)
+* JDK 24 (e.g. temurin, zulu)
 * Maven 3

 ### Run Maven
--- a/dist/common/config.properties
+++ b/dist/common/config.properties
@@ -1,8 +0,0 @@
-# This is the Cryptomator administrative configuration file.
-# It is a simple key-value pair file.
-# Lines starting with '#' are comments and will be ignored.
-# For more info, read the docs at https://docs.cryptomator.org/desktop/advanced-settings/
-#
-# Example:
-# Sets the plugin directory and enables plugin loading
-# cryptomator.pluginDir=@{userhome}/Cryptomator/Plugins
--- a/dist/linux/appimage/build.sh
+++ b/dist/linux/appimage/build.sh
@@ -23,12 +23,12 @@ mvn -B -f ../../../pom.xml clean package -Plinux -DskipTests
 cp ../../../LICENSE.txt ../../../target
 cp ../../../target/cryptomator-*.jar ../../../target/mods

-JAVAFX_VERSION=25.0.2
+JAVAFX_VERSION=25
 JAVAFX_ARCH="x64"
-JAVAFX_JMODS_SHA256='e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b'
+JAVAFX_JMODS_SHA256='96e520f48610d8ffb94ca30face1f11ffe8a977ddc1c4ff80b1a9e9f048bd94e'
 if [ "${CPU_ARCH}" = "aarch64" ]; then
    JAVAFX_ARCH="aarch64"
-    JAVAFX_JMODS_SHA256='c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646'
+    JAVAFX_JMODS_SHA256='951c52481af0ec5885b06f1ebaa8a10da7e8ea23c5e1ef3e2f6f11fa1b3a7ce1'
 fi

 # download javaFX jmods
@@ -82,14 +82,14 @@ ${JAVA_HOME}/bin/jpackage \
    --vendor "Skymatic GmbH" \
    --java-options "--enable-preview" \
    --java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator" \
-    --copyright "(C) 2016 - 2026 Skymatic GmbH" \
+    --copyright "(C) 2016 - 2025 Skymatic GmbH" \
    --java-options "-Xss5m" \
    --java-options "-Xmx256m" \
    --app-version "${VERSION}.${REVISION_NO}" \
    --java-options "-Dfile.encoding=\"utf-8\"" \
    --java-options "-Djava.net.useSystemProxies=true" \
-    --java-options "-Dcryptomator.adminConfigPath=\"/etc/cryptomator/config.properties\"" \
    --java-options "-Dcryptomator.logDir=\"@{userhome}/.local/share/Cryptomator/logs\"" \
+    --java-options "-Dcryptomator.pluginDir=\"@{userhome}/.local/share/Cryptomator/plugins\"" \
    --java-options "-Dcryptomator.settingsPath=\"@{userhome}/.config/Cryptomator/settings.json:@{userhome}/.Cryptomator/settings.json\"" \
    --java-options "-Dcryptomator.p12Path=\"@{userhome}/.config/Cryptomator/key.p12\"" \
    --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/.config/Cryptomator/ipc.socket\"" \
@@ -99,7 +99,6 @@ ${JAVA_HOME}/bin/jpackage \
    --java-options "-Dcryptomator.buildNumber=\"appimage-${REVISION_NO}\"" \
    --java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\"" \
    --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log" \
-    --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
    --resource-dir ../resources

 # transform AppDir
@@ -116,7 +115,6 @@ cp ../common/org.cryptomator.Cryptomator.tray-unlocked.svg Cryptomator.AppDir/us
 cp ../common/org.cryptomator.Cryptomator.desktop Cryptomator.AppDir/usr/share/applications/org.cryptomator.Cryptomator.desktop
 cp ../common/org.cryptomator.Cryptomator.metainfo.xml Cryptomator.AppDir/usr/share/metainfo/org.cryptomator.Cryptomator.metainfo.xml
 cp ../common/application-vnd.cryptomator.vault.xml Cryptomator.AppDir/usr/share/mime/packages/application-vnd.cryptomator.vault.xml
-cp ../common/application-vnd.cryptomator.encrypted.xml Cryptomator.AppDir/usr/share/mime/packages/application-vnd.cryptomator.encrypted.xml
 ln -s usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg Cryptomator.AppDir/org.cryptomator.Cryptomator.svg
 ln -s usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg Cryptomator.AppDir/.DirIcon
 ln -s usr/share/applications/org.cryptomator.Cryptomator.desktop Cryptomator.AppDir/org.cryptomator.Cryptomator.desktop
@@ -124,7 +122,7 @@ ln -s org.cryptomator.Cryptomator.metainfo.xml Cryptomator.AppDir/usr/share/meta
 ln -s bin/cryptomator.sh Cryptomator.AppDir/AppRun

 # load AppImageTool
-curl -L https://github.com/AppImage/appimagetool/releases/download/1.9.1/appimagetool-${CPU_ARCH}.AppImage -o /tmp/appimagetool.AppImage
+curl -L https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-${CPU_ARCH}.AppImage -o /tmp/appimagetool.AppImage
 chmod +x /tmp/appimagetool.AppImage

 # create AppImage
--- a/dist/linux/common/application-vnd.cryptomator.encrypted.xml
+++ b/dist/linux/common/application-vnd.cryptomator.encrypted.xml
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
-  <mime-type type="application/vnd.cryptomator.encrypted">
-    <comment>Cryptomator Encrypted Data</comment>
-    <glob pattern="*.c9r"/>
-    <glob pattern="*.c9s"/>
-    <glob pattern="*.c9u"/>
-  </mime-type>
-</mime-info>
--- a/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
+++ b/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
@@ -73,7 +73,6 @@
 	<url type="faq">https://community.cryptomator.org/c/kb/faq</url>
 	<url type="help">https://docs.cryptomator.org/</url>
 	<url type="translate">https://translate.cryptomator.org</url>
-	<url type="vcs-browser">https://github.com/cryptomator/cryptomator</url>

 	<developer id="de.skymatic">
 		<name>Skymatic GmbH</name>
@@ -84,15 +83,6 @@
 	</content_rating>

 	<releases>
-		<release date="2026-03-20" version="1.19.2">
-			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.2</url>
-		</release>
-		<release date="2026-03-12" version="1.19.1">
-			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.1</url>
-		</release>
-		<release date="2026-03-09" version="1.19.0">
-			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.19.0</url>
-		</release>
 		<release date="2025-11-12" version="1.18.0">
 			<url type="details">https://github.com/cryptomator/cryptomator/releases/1.18.0</url>
 		</release>
--- a/dist/linux/debian/cryptomator.install
+++ b/dist/linux/debian/cryptomator.install
@@ -6,5 +6,4 @@ common/org.cryptomator.Cryptomator.tray-unlocked.svg usr/share/icons/hicolor/sca
 common/org.cryptomator.Cryptomator256.png usr/share/icons/hicolor/256x256/apps
 common/org.cryptomator.Cryptomator512.png usr/share/icons/hicolor/512x512/apps
 common/org.cryptomator.Cryptomator.metainfo.xml usr/share/metainfo
-common/application-vnd.cryptomator.vault.xml usr/share/mime/packages
-common/application-vnd.cryptomator.encrypted.xml usr/share/mime/packages
+common/application-vnd.cryptomator.vault.xml usr/share/mime/packages
--- a/dist/linux/debian/postinst
+++ b/dist/linux/debian/postinst
@@ -25,7 +25,6 @@ case "$1" in
        fi
        xdg-desktop-menu install --novendor /usr/share/applications/org.cryptomator.Cryptomator.desktop
        xdg-mime install /usr/share/mime/packages/application-vnd.cryptomator.vault.xml
-        xdg-mime install /usr/share/mime/packages/application-vnd.cryptomator.encrypted.xml
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
--- a/dist/linux/debian/prerm
+++ b/dist/linux/debian/prerm
@@ -23,7 +23,6 @@ case "$1" in

        xdg-desktop-menu uninstall --novendor /usr/share/applications/org.cryptomator.Cryptomator.desktop
        xdg-mime uninstall /usr/share/mime/packages/application-vnd.cryptomator.vault.xml
-        xdg-mime uninstall /usr/share/mime/packages/application-vnd.cryptomator.encrypted.xml
    ;;

    failed-upgrade)
--- a/dist/linux/debian/rules
+++ b/dist/linux/debian/rules
@@ -46,13 +46,13 @@ override_dh_auto_build:
 		--vendor "Skymatic GmbH" \
 		--java-options "--enable-preview" \
 		--java-options "--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator" \
-		--copyright "(C) 2016 - 2026 Skymatic GmbH" \
+		--copyright "(C) 2016 - 2025 Skymatic GmbH" \
 		--java-options "-Xss5m" \
 		--java-options "-Xmx256m" \
 		--java-options "-Dfile.encoding=\"utf-8\"" \
 		--java-options "-Djava.net.useSystemProxies=true" \
-		--java-options "-Dcryptomator.adminConfigPath=\"/etc/cryptomator/config.properties\"" \
 		--java-options "-Dcryptomator.logDir=\"@{userhome}/.local/share/Cryptomator/logs\"" \
+		--java-options "-Dcryptomator.pluginDir=\"@{userhome}/.local/share/Cryptomator/plugins\"" \
 		--java-options "-Dcryptomator.settingsPath=\"@{userhome}/.config/Cryptomator/settings.json:@{userhome}/.Cryptomator/settings.json\"" \
 		--java-options "-Dcryptomator.p12Path=\"@{userhome}/.config/Cryptomator/key.p12\"" \
 		--java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/.config/Cryptomator/ipc.socket\"" \
@@ -64,7 +64,6 @@ override_dh_auto_build:
 		--java-options "-Dcryptomator.disableUpdateCheck=\"${DISABLE_UPDATE_CHECK}\"" \
 		--java-options "-Dcryptomator.integrationsLinux.autoStartCmd=\"cryptomator\"" \
 		--java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\"" \
-		--java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
 		--app-version "${VERSION_NUM}.${REVISION_NUM}" \
 		--resource-dir resources \
 		--verbose
--- a/dist/linux/flatpak/build-aux/fusermount-wrapper.sh
+++ b/dist/linux/flatpak/build-aux/fusermount-wrapper.sh
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-# From: https://gitlab.gnome.org/GNOME/gnome-builder/-/blob/main/build-aux/flatpak/fusermount-wrapper.sh
-
-if [ -z "$_FUSE_COMMFD" ]; then
-    FD_ARGS=
-else
-    FD_ARGS="--env=_FUSE_COMMFD=${_FUSE_COMMFD} --forward-fd=${_FUSE_COMMFD}"
-fi
-
-if [ -e /proc/self/fd/3 ] && [ 3 != "$_FUSE_COMMFD" ]; then
-    FD_ARGS="$FD_ARGS --forward-fd=3"
-fi
-
-exec flatpak-spawn --host --forward-fd=1 --forward-fd=2 $FD_ARGS fusermount3 "$@"
--- a/dist/linux/flatpak/org.cryptomator.Cryptomator.TEMPLATE.yaml
+++ b/dist/linux/flatpak/org.cryptomator.Cryptomator.TEMPLATE.yaml
@@ -1,182 +0,0 @@
-app-id: org.cryptomator.Cryptomator
-command: cryptomator
-runtime: org.freedesktop.Platform
-runtime-version: '25.08'
-sdk: org.freedesktop.Sdk
-separate-locales: false
-finish-args:
-  # Required for FUSE, see https://github.com/flathub/org.cryptomator.Cryptomator/pull/68#issuecomment-1935136502
-  - --device=all
-  # Set the PATH environment variable in the application, as flatpak is resetting the shell's PATH
-  - --env=PATH=/app/bin/:/usr/bin/
-  # Allow filesystem access to the user's home dir
-  # Needed to manage vaults there
-  - --filesystem=home
-  # Reading system certificates
-  - --filesystem=host-etc:ro
-  # Allow access to the XDG data directory
-  # Needed to connect to KeePassXC's UNIX domain socket
-  - --filesystem=xdg-run/org.keepassxc.KeePassXC.BrowserServer
-  - --filesystem=xdg-run/app/org.keepassxc.KeePassXC/
-  # Share IPC namespace with the host, without it the X11 shared memory extension will not work
-  - --share=ipc
-  # Allow access to the network
-  - --share=network
-  # Show windows using X11
-  - --socket=x11
-  # Needed to reveal encrypted files
-  - --talk-name=org.freedesktop.FileManager1
-  # Run any command on the host
-  # Needed to spawn fusermount on the host
-  - --talk-name=org.freedesktop.Flatpak
-  # Allow desktop notifications
-  - --talk-name=org.freedesktop.Notifications
-  # Allow access to the GNOME secret service API and to talk to the GNOME keyring daemon
-  - --talk-name=org.freedesktop.secrets
-  - --talk-name=org.gnome.keyring
-  # Allow to talk to the KDE kwallet daemon
-  - --talk-name=org.kde.kwalletd5
-  - --talk-name=org.kde.kwalletd6
-  # Needed to talk to the gvfs daemons over D-Bus and list mounts using the GIO APIs
-  - --talk-name=org.gtk.vfs.*
-  # Allow access to appindicator icons
-  - --talk-name=org.ayatana
-  # Allow access to appindicator icons on KDE
-  - --talk-name=org.kde.StatusNotifierWatcher
-cleanup:
-  - /include
-  - /lib/pkgconfig
-modules:
-  - shared-modules/libayatana-appindicator/libayatana-appindicator-gtk3.json
-  - name: libfuse
-    buildsystem: meson
-    config-opts:
-      - -Dexamples=false
-      - -Dinitscriptdir=
-      - -Duseroot=false
-      - -Dtests=false
-      # don't install rules on the host
-      - -Dudevrulesdir=/tmp/
-    sources:
-      - type: archive
-        url: https://github.com/libfuse/libfuse/releases/download/fuse-3.16.2/fuse-3.16.2.tar.gz
-        sha256: f797055d9296b275e981f5f62d4e32e089614fc253d1ef2985851025b8a0ce87
-        x-checker-data:
-          type: anitya
-          project-id: 861
-          url-template: https://github.com/libfuse/libfuse/releases/download/fuse-$version/fuse-$version.tar.gz
-          versions: {<: '3.17.0'}
-  - name: host-command-wrapper
-    buildsystem: simple
-    build-commands:
-      - install fusermount-wrapper.sh /app/bin/fusermount3
-    sources:
-      - type: file
-        path: build-aux/fusermount-wrapper.sh
-  - name: cryptomator
-    buildsystem: simple
-    build-options:
-      build-args:
-        - --share=network
-      env:
-        PATH: /app/bin:/usr/bin
-        MAVEN_OPTS: -Dmaven.repo.local=.m2/repository
-        JAVA_HOME: jdk
-        JMODS_PATH: jmods
-        VERSION: $FLATPAK_VERSION
-        REVISION_NO: '$FLATPAK_REVISION'
-    build-commands:
-      # Setup Java
-      - tar xvfz jdk.tar.gz --transform 's!^[^/]*!jdk!'
-      - mkdir jmods
-      - unzip -j openjfx.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods
-      # Setup Maven
-      - mkdir maven
-      - tar xf maven.tar.gz --strip-components=1 --exclude=jansi-native --directory=maven
-      # Build project
-      - maven/bin/mvn clean package -DskipTests -P"linux-$(uname -m)"
-      - cp target/cryptomator-*.jar target/mods
-      - cd target
-      - $JAVA_HOME/bin/jlink
-        --output runtime
-        --module-path $JMODS_PATH
-        --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.ec,jdk.crypto.cryptoki,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler
-        --no-header-files
-        --no-man-pages
-        --strip-debug
-        --compress=zip-0
-      - $JAVA_HOME/bin/jpackage
-        --type app-image
-        --runtime-image runtime
-        --input target/libs
-        --module-path target/mods
-        --module org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator
-        --dest .
-        --name Cryptomator
-        --vendor 'Skymatic GmbH'
-        --copyright '(C) 2016 - 2026 Skymatic GmbH'
-        --java-options '--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator'
-        --java-options "--sun-misc-unsafe-memory-access=allow"
-        --java-options '-Xss5m'
-        --java-options '-Xmx256m'
-        --java-options '-Dfile.encoding='utf-8''
-        --java-options '-Djava.net.useSystemProxies=true'
-        --java-options "-Dcryptomator.appVersion='${VERSION}'"
-        --java-options "-Dcryptomator.buildNumber='flatpak-${REVISION_NO}'"
-        --java-options '-Dcryptomator.ipcSocketPath='@{userhome}/.config/Cryptomator/ipc.socket''
-        --java-options '-Dcryptomator.adminConfigPath='/run/host/etc/cryptomator/config.properties''
-        --java-options '-Dcryptomator.logDir='@{userhome}/.local/share/Cryptomator/logs''
-        --java-options '-Dcryptomator.mountPointsDir='@{userhome}/.local/share/Cryptomator/mnt''
-        --java-options '-Dcryptomator.pluginDir='@{userhome}/.local/share/Cryptomator/plugins''
-        --java-options '-Dcryptomator.p12Path='@{userhome}/.config/Cryptomator/key.p12''
-        --java-options '-Dcryptomator.settingsPath='@{userhome}/.config/Cryptomator/settings.json:~/.Cryptomator/settings.json''
-        --java-options '-Dcryptomator.showTrayIcon=true'
-        --java-options '-Dcryptomator.updateMechanism=org.cryptomator.linux.update.FlatpakUpdater'
-        --java-options '-Dcryptomator.networking.truststore.p12Path='/run/host/etc/cryptomator/certs.p12''
-        --java-options '-Dcryptomator.hub.enableTrustOnFirstUse=true'
-        --app-version "${VERSION}.${REVISION_NO}"
-        --verbose
-      - cp -R Cryptomator /app/
-      - ln -s /app/Cryptomator/bin/Cryptomator /app/bin/cryptomator
-      - cp -R /app/lib/* /app/Cryptomator/lib/app/
-      - install -D -m0644 -t /app/share/applications/ dist/linux/common/org.cryptomator.Cryptomator.desktop
-      - install -D -m0644 -t /app/share/icons/hicolor/scalable/apps/ dist/linux/common/org.cryptomator.Cryptomator.svg
-      - install -D -m0644 -T dist/linux/common/org.cryptomator.Cryptomator.tray.svg /app/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-symbolic.svg
-      - install -D -m0644 -T dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg /app/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-unlocked-symbolic.svg
-      - install -D -m0644 -t /app/share/metainfo/ dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
-    sources:
-      - $CRYPTOMATOR_SOURCE
-      - type: file
-        dest-filename: jdk.tar.gz
-        only-arches:
-          - x86_64
-        url: https://github.com/adoptium/temurin25-binaries/releases/download/jdk-25.0.2%2B10/OpenJDK25U-jdk_x64_linux_hotspot_25.0.2_10.tar.gz
-        sha512: 29043fde119a031c2ca8d57aed445fedd9e7f74608fcdc7a809076ba84cfd1c31f08de2ecccf352e159fdcd1cae172395ed46363007552ff242057826c81ab3a
-      - type: file
-        dest-filename: jdk.tar.gz
-        only-arches:
-          - aarch64
-        url: https://github.com/adoptium/temurin25-binaries/releases/download/jdk-25.0.2%2B10/OpenJDK25U-jdk_aarch64_linux_hotspot_25.0.2_10.tar.gz
-        sha512: f1d3ccec3e1f1bed9d632f14b9223709d6e5c2e0d922125d068870dd3016492a2ca8f08924d4a9d0dc5eb2159fa09efee366a748fd0093475baf29e5c70c781a
-      - type: file
-        dest-filename: openjfx.zip
-        only-arches:
-          - x86_64
-        url: https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-x64_bin-jmods.zip
-        sha512: 21f550217101c513f9eb1d7947eba30cb79618238e6539ce770e54e84b01574cdaeba40af602391145f163dd8e43e3794395467413152f13ffffeff948b0ca1b
-      - type: file
-        dest-filename: openjfx.zip
-        only-arches:
-          - aarch64
-        url: https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-aarch64_bin-jmods.zip
-        sha512: a9268409b3803e386490bf1319d0f0a14173cebe862c12254cd51b430ee0a297437d9e38d5ebeae0da8899be898b312b103330d09dcfd3e63c1e7d15f2f14311
-      - type: file
-        dest-filename: maven.tar.gz
-        url: https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.9.13/apache-maven-3.9.13-bin.tar.gz
-        sha512: d9ccd44ba2991586e359c29eb86780ae8ff4ec1b88b0b8af3af074803472690cf2017782a9c4401343c62cbcd056231db9612e1e551cbd9747c21746d732c015
-        x-checker-data:
-          type: anitya
-          project-id: 1894
-          stable-only: true
-          url-template: https://repo1.maven.org/maven2/org/apache/maven/apache-maven/$version/apache-maven-$version-bin.tar.gz
-          versions: {<: '4.0'}
--- a/dist/linux/makepkg/PKGBUILD.template
+++ b/dist/linux/makepkg/PKGBUILD.template
@@ -1,119 +0,0 @@
-# Maintainer: Aaron Graves <linux@ajgraves.com>
-# Contributor: Julian Raufelder <arch@raufelder.com>
-# Contributor: Morten Linderud <morten@linderud.pw>
-# Contributor: Sebastian Stenzel <sebastian.stenzel@gmail.com>
-# Contributor: Armin Schrenk <armin.schrenk@skymatic.de>
-
-pkgname=cryptomator
-pkgver=$PKG_VERSION
-pkgrel=$PKG_RELEASE
-pkgdesc="Multiplatform transparent client-side encryption of your files in the cloud."
-arch=('any')
-url="https://cryptomator.org/"
-license=('GPL3')
-depends=('fuse3' 'alsa-lib' 'hicolor-icon-theme' 'libxtst' 'libnet' 'libxrender')
-makedepends=('maven' 'unzip')
-optdepends=('keepassxc-cryptomator: Use KeePassXC to store vault passwords' 'ttf-hanazono: Install this font when using Japanese system language')
-_jdkver=25.0.2+10
-_jfxver=25.0.2
-_src_app_dir=cryptomator-${pkgver//_/-}
-source=($SOURCES);
-source_x86_64=("jdk-${_jdkver}.tar.gz::https://github.com/adoptium/temurin${_jdkver:0:2}-binaries/releases/download/jdk-${_jdkver//\+/%2B}/OpenJDK${_jdkver:0:2}U-jdk_x64_linux_hotspot_${_jdkver//\+/_}.tar.gz"
-               "openjfx-${_jfxver}.zip::https://download2.gluonhq.com/openjfx/${_jfxver}/openjfx-${_jfxver}_linux-x64_bin-jmods.zip")
-source_aarch64=("jdk-${_jdkver}.tar.gz::https://github.com/adoptium/temurin${_jdkver:0:2}-binaries/releases/download/jdk-${_jdkver//\+/%2B}/OpenJDK${_jdkver:0:2}U-jdk_aarch64_linux_hotspot_${_jdkver//\+/_}.tar.gz"
-                "openjfx-${_jfxver}.zip::https://download2.gluonhq.com/openjfx/${_jfxver}/openjfx-${_jfxver}_linux-aarch64_bin-jmods.zip")
-noextract=("jdk-${_jdkver}.tar.gz" "openjfx-${_jfxver}.zip")
-sha256sums=($SOURCES_SHA)
-sha256sums_x86_64=('987387933b64b9833846dee373b640440d3e1fd48a04804ec01a6dbf718e8ab8'
-                   'e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b')
-sha256sums_aarch64=('a9d73e711d967dc44896d4f430f73a68fd33590dabc29a7f2fb9f593425b854c'
-                    'c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646')
-options=('!strip')
-
-validpgpkeys=('58117AFA1F85B3EEC154677D615D449FE6E6A235')
-
-build() {
-  export JAVA_HOME="${srcdir}/jdk-${_jdkver}"
-  JMODS_PATH="${srcdir}/openjfx-${_jfxver}-jmods"
-  #JEP 493
-  if ! $(${JAVA_HOME}/bin/jlink --help | grep -q "Linking from run-time image enabled"); then
-      JMODS_PATH="${JMODS_PATH}:${JAVA_HOME}/jmods:"
-  fi
-
-  tar xfz "jdk-${_jdkver}.tar.gz"
-
-  mkdir "openjfx-${_jfxver}-jmods"
-  unzip -j "openjfx-${_jfxver}.zip" \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d "openjfx-${_jfxver}-jmods"
-
-  cd "${srcdir}/${_src_app_dir}"
-
-  mvn -B clean package -DskipTests -Plinux
-
-  cp LICENSE.txt target
-  cp target/cryptomator-*.jar target/mods
-
-  cd target
-
-  "$JAVA_HOME/bin/jlink" \
-    --output runtime \
-    --module-path "$JMODS_PATH" \
-    --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.ec,jdk.crypto.cryptoki,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler \
-    --strip-native-commands \
-    --no-header-files \
-    --no-man-pages \
-    --strip-debug \
-    --compress=zip-0
-
-  ##Note: jpackage does not allow -beta suffixes, have to strip those
-  "$JAVA_HOME/bin/jpackage" \
-    --type app-image \
-    --runtime-image runtime \
-    --input libs \
-    --module-path mods \
-    --module org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator \
-    --dest . \
-    --name cryptomator \
-    --vendor "Skymatic GmbH" \
-    --copyright "(C) 2016 - 2026 Skymatic GmbH" \
-    --java-options "--enable-preview" \
-    --java-options '--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator' \
-    --java-options "-Xss5m" \
-    --java-options "-Xmx256m" \
-    --java-options "-Dfile.encoding=\"utf-8\"" \
-    --java-options "-Djava.net.useSystemProxies=true" \
-    --java-options "-Dcryptomator.adminConfigPath=\"/etc/cryptomator/config.properties\"" \
-    --java-options "-Dcryptomator.appVersion=\"${pkgver//_/-}\"" \
-    --java-options "-Dcryptomator.buildNumber=\"aur-${pkgrel}\"" \
-    --java-options "-Dcryptomator.disableUpdateCheck=true" \
-    --java-options "-Dcryptomator.integrationsLinux.autoStartCmd=\"cryptomator\"" \
-    --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/.config/Cryptomator/ipc.socket\"" \
-    --java-options "-Dcryptomator.logDir=\"@{userhome}/.local/share/Cryptomator/logs\"" \
-    --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/.local/share/Cryptomator/mnt\"" \
-    --java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\"" \
-    --java-options "-Dcryptomator.pluginDir=\"@{userhome}/.local/share/Cryptomator/plugins\"" \
-    --java-options "-Dcryptomator.p12Path=\"@{userhome}/.config/Cryptomator/key.p12\"" \
-    --java-options "-Dcryptomator.settingsPath=\"@{userhome}/.config/Cryptomator/settings.json:~/.Cryptomator/settings.json\"" \
-    --java-options "-Dcryptomator.showTrayIcon=true" \
-    --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
-    --app-version "${pkgver//_*/}" \
-    --verbose
-}
-
-package() {
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/application-vnd.cryptomator.vault.xml" "${pkgdir}/usr/share/mime/packages/cryptomator-vault.xml"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.desktop" "${pkgdir}/usr/share/applications/org.cryptomator.Cryptomator.desktop"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator256.png" "${pkgdir}/usr/share/icons/hicolor/256x256/apps/org.cryptomator.Cryptomator.png"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator512.png" "${pkgdir}/usr/share/icons/hicolor/512x512/apps/org.cryptomator.Cryptomator.png"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.svg" "${pkgdir}/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray.svg" "${pkgdir}/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.tray.svg"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg" "${pkgdir}/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.tray-unlocked.svg"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray.svg" "${pkgdir}/usr/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-symbolic.svg"
-  install -Dm644 "${srcdir}/${_src_app_dir}/dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg" "${pkgdir}/usr/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-unlocked-symbolic.svg"
-
-  mkdir -p "${pkgdir}/opt/cryptomator/"
-  cp -R "${srcdir}/${_src_app_dir}/target/cryptomator" "${pkgdir}/opt/"
-  install -Dm644 "${srcdir}/${_src_app_dir}/target/LICENSE.txt" -t "${pkgdir}/usr/share/licenses/${pkgname}"
-
-  mkdir -p "${pkgdir}/usr/bin"
-  ln -s "/opt/cryptomator/bin/cryptomator" "${pkgdir}/usr/bin/cryptomator"
-}
--- a/dist/mac/.gitignore
+++ b/dist/mac/.gitignore
@@ -1 +1,2 @@
 embedded.provisionprofile
+xcuserdata/
--- a/dist/mac/DockTilePlugin/CryptomatorDockTilePlugin.swift
+++ b/dist/mac/DockTilePlugin/CryptomatorDockTilePlugin.swift
@@ -0,0 +1,19 @@
+//
+//  CryptomatorDockTilePlugin.swift
+//  Integrations
+//
+//  Created by Tobias Hagemann on 22.09.25.
+//  Copyright © 2025 Cryptomator. All rights reserved.
+//
+
+import AppKit
+
+class CryptomatorDockTilePlugin: NSObject, NSDockTilePlugIn {
+	func setDockTile(_ dockTile: NSDockTile?) {
+		guard let dockTile = dockTile, let image = Bundle(for: Self.self).image(forResource: "Cryptomator") else {
+			return
+		}
+		dockTile.contentView = NSImageView(image: image)
+		dockTile.display()
+	}
+}
--- a/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/project.pbxproj
+++ b/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/project.pbxproj
@@ -0,0 +1,314 @@
+// !$*UTF8*$!
+{
+	archiveVersion = 1;
+	classes = {
+	};
+	objectVersion = 77;
+	objects = {
+
+/* Begin PBXBuildFile section */
+		74E08DE12E8584DE007E665C /* CryptomatorDockTilePlugin.swift in Sources */ = {isa = PBXBuildFile; fileRef = 74E08DE02E85847E007E665C /* CryptomatorDockTilePlugin.swift */; };
+		74E08DED2E858532007E665C /* Cryptomator.icns in Resources */ = {isa = PBXBuildFile; fileRef = 74E08DEC2E858532007E665C /* Cryptomator.icns */; };
+/* End PBXBuildFile section */
+
+/* Begin PBXFileReference section */
+		74E08DD92E858467007E665C /* Cryptomator.docktileplugin */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = Cryptomator.docktileplugin; sourceTree = BUILT_PRODUCTS_DIR; };
+		74E08DE02E85847E007E665C /* CryptomatorDockTilePlugin.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CryptomatorDockTilePlugin.swift; sourceTree = "<group>"; };
+		74E08DEC2E858532007E665C /* Cryptomator.icns */ = {isa = PBXFileReference; lastKnownFileType = image.icns; name = Cryptomator.icns; path = ../resources/Cryptomator.icns; sourceTree = SOURCE_ROOT; };
+/* End PBXFileReference section */
+
+/* Begin PBXFrameworksBuildPhase section */
+		74E08DD62E858467007E665C /* Frameworks */ = {
+			isa = PBXFrameworksBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+/* End PBXFrameworksBuildPhase section */
+
+/* Begin PBXGroup section */
+		74E08DD02E858467007E665C = {
+			isa = PBXGroup;
+			children = (
+				74E08DE02E85847E007E665C /* CryptomatorDockTilePlugin.swift */,
+				74E08DEC2E858532007E665C /* Cryptomator.icns */,
+				74E08DDA2E858467007E665C /* Products */,
+			);
+			sourceTree = "<group>";
+		};
+		74E08DDA2E858467007E665C /* Products */ = {
+			isa = PBXGroup;
+			children = (
+				74E08DD92E858467007E665C /* Cryptomator.docktileplugin */,
+			);
+			name = Products;
+			sourceTree = "<group>";
+		};
+/* End PBXGroup section */
+
+/* Begin PBXNativeTarget section */
+		74E08DD82E858467007E665C /* DockTilePlugin */ = {
+			isa = PBXNativeTarget;
+			buildConfigurationList = 74E08DDD2E858467007E665C /* Build configuration list for PBXNativeTarget "DockTilePlugin" */;
+			buildPhases = (
+				74E08DD52E858467007E665C /* Sources */,
+				74E08DD62E858467007E665C /* Frameworks */,
+				74E08DD72E858467007E665C /* Resources */,
+			);
+			buildRules = (
+			);
+			dependencies = (
+			);
+			name = DockTilePlugin;
+			packageProductDependencies = (
+			);
+			productName = DockTilePlugin;
+			productReference = 74E08DD92E858467007E665C /* Cryptomator.docktileplugin */;
+			productType = "com.apple.product-type.bundle";
+		};
+/* End PBXNativeTarget section */
+
+/* Begin PBXProject section */
+		74E08DD12E858467007E665C /* Project object */ = {
+			isa = PBXProject;
+			attributes = {
+				BuildIndependentTargetsInParallel = 1;
+				LastUpgradeCheck = 2600;
+				ORGANIZATIONNAME = Cryptomator;
+				TargetAttributes = {
+					74E08DD82E858467007E665C = {
+						CreatedOnToolsVersion = 26.0.1;
+					};
+				};
+			};
+			buildConfigurationList = 74E08DD42E858467007E665C /* Build configuration list for PBXProject "DockTilePlugin" */;
+			developmentRegion = en;
+			hasScannedForEncodings = 0;
+			knownRegions = (
+				en,
+				Base,
+			);
+			mainGroup = 74E08DD02E858467007E665C;
+			minimizedProjectReferenceProxies = 1;
+			preferredProjectObjectVersion = 77;
+			productRefGroup = 74E08DDA2E858467007E665C /* Products */;
+			projectDirPath = "";
+			projectRoot = "";
+			targets = (
+				74E08DD82E858467007E665C /* DockTilePlugin */,
+			);
+		};
+/* End PBXProject section */
+
+/* Begin PBXResourcesBuildPhase section */
+		74E08DD72E858467007E665C /* Resources */ = {
+			isa = PBXResourcesBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+				74E08DED2E858532007E665C /* Cryptomator.icns in Resources */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+/* End PBXResourcesBuildPhase section */
+
+/* Begin PBXSourcesBuildPhase section */
+		74E08DD52E858467007E665C /* Sources */ = {
+			isa = PBXSourcesBuildPhase;
+			buildActionMask = 2147483647;
+			files = (
+				74E08DE12E8584DE007E665C /* CryptomatorDockTilePlugin.swift in Sources */,
+			);
+			runOnlyForDeploymentPostprocessing = 0;
+		};
+/* End PBXSourcesBuildPhase section */
+
+/* Begin XCBuildConfiguration section */
+		74E08DDB2E858467007E665C /* Debug */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				ALWAYS_SEARCH_USER_PATHS = NO;
+				ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES;
+				CLANG_ANALYZER_NONNULL = YES;
+				CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
+				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
+				CLANG_ENABLE_MODULES = YES;
+				CLANG_ENABLE_OBJC_ARC = YES;
+				CLANG_ENABLE_OBJC_WEAK = YES;
+				CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
+				CLANG_WARN_BOOL_CONVERSION = YES;
+				CLANG_WARN_COMMA = YES;
+				CLANG_WARN_CONSTANT_CONVERSION = YES;
+				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
+				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
+				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
+				CLANG_WARN_EMPTY_BODY = YES;
+				CLANG_WARN_ENUM_CONVERSION = YES;
+				CLANG_WARN_INFINITE_RECURSION = YES;
+				CLANG_WARN_INT_CONVERSION = YES;
+				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
+				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
+				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
+				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
+				CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
+				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
+				CLANG_WARN_STRICT_PROTOTYPES = YES;
+				CLANG_WARN_SUSPICIOUS_MOVE = YES;
+				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
+				CLANG_WARN_UNREACHABLE_CODE = YES;
+				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
+				COPY_PHASE_STRIP = NO;
+				DEBUG_INFORMATION_FORMAT = dwarf;
+				DEVELOPMENT_TEAM = YZQJQUHA3L;
+				ENABLE_STRICT_OBJC_MSGSEND = YES;
+				ENABLE_TESTABILITY = YES;
+				ENABLE_USER_SCRIPT_SANDBOXING = YES;
+				GCC_C_LANGUAGE_STANDARD = gnu17;
+				GCC_DYNAMIC_NO_PIC = NO;
+				GCC_NO_COMMON_BLOCKS = YES;
+				GCC_OPTIMIZATION_LEVEL = 0;
+				GCC_PREPROCESSOR_DEFINITIONS = (
+					"DEBUG=1",
+					"$(inherited)",
+				);
+				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
+				GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
+				GCC_WARN_UNDECLARED_SELECTOR = YES;
+				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
+				GCC_WARN_UNUSED_FUNCTION = YES;
+				GCC_WARN_UNUSED_VARIABLE = YES;
+				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
+				MACOSX_DEPLOYMENT_TARGET = 11.5;
+				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
+				MTL_FAST_MATH = YES;
+				ONLY_ACTIVE_ARCH = YES;
+				SDKROOT = macosx;
+				SWIFT_VERSION = 5.0;
+			};
+			name = Debug;
+		};
+		74E08DDC2E858467007E665C /* Release */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				ALWAYS_SEARCH_USER_PATHS = NO;
+				ASSETCATALOG_COMPILER_GENERATE_SWIFT_ASSET_SYMBOL_EXTENSIONS = YES;
+				CLANG_ANALYZER_NONNULL = YES;
+				CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE;
+				CLANG_CXX_LANGUAGE_STANDARD = "gnu++20";
+				CLANG_ENABLE_MODULES = YES;
+				CLANG_ENABLE_OBJC_ARC = YES;
+				CLANG_ENABLE_OBJC_WEAK = YES;
+				CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES;
+				CLANG_WARN_BOOL_CONVERSION = YES;
+				CLANG_WARN_COMMA = YES;
+				CLANG_WARN_CONSTANT_CONVERSION = YES;
+				CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES;
+				CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR;
+				CLANG_WARN_DOCUMENTATION_COMMENTS = YES;
+				CLANG_WARN_EMPTY_BODY = YES;
+				CLANG_WARN_ENUM_CONVERSION = YES;
+				CLANG_WARN_INFINITE_RECURSION = YES;
+				CLANG_WARN_INT_CONVERSION = YES;
+				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
+				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
+				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
+				CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR;
+				CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
+				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
+				CLANG_WARN_STRICT_PROTOTYPES = YES;
+				CLANG_WARN_SUSPICIOUS_MOVE = YES;
+				CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
+				CLANG_WARN_UNREACHABLE_CODE = YES;
+				CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
+				COPY_PHASE_STRIP = NO;
+				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
+				DEVELOPMENT_TEAM = YZQJQUHA3L;
+				ENABLE_NS_ASSERTIONS = NO;
+				ENABLE_STRICT_OBJC_MSGSEND = YES;
+				ENABLE_USER_SCRIPT_SANDBOXING = YES;
+				GCC_C_LANGUAGE_STANDARD = gnu17;
+				GCC_NO_COMMON_BLOCKS = YES;
+				GCC_WARN_64_TO_32_BIT_CONVERSION = YES;
+				GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR;
+				GCC_WARN_UNDECLARED_SELECTOR = YES;
+				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
+				GCC_WARN_UNUSED_FUNCTION = YES;
+				GCC_WARN_UNUSED_VARIABLE = YES;
+				LOCALIZATION_PREFERS_STRING_CATALOGS = YES;
+				MACOSX_DEPLOYMENT_TARGET = 11.5;
+				MTL_ENABLE_DEBUG_INFO = NO;
+				MTL_FAST_MATH = YES;
+				SDKROOT = macosx;
+				SWIFT_VERSION = 5.0;
+			};
+			name = Release;
+		};
+		74E08DDE2E858467007E665C /* Debug */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				CODE_SIGN_STYLE = Manual;
+				COMBINE_HIDPI_IMAGES = YES;
+				CURRENT_PROJECT_VERSION = 1;
+				DEVELOPMENT_TEAM = "";
+				GENERATE_INFOPLIST_FILE = YES;
+				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Cryptomator. All rights reserved.";
+				INFOPLIST_KEY_NSPrincipalClass = CryptomatorDockTilePlugin;
+				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Bundles";
+				MARKETING_VERSION = 1.0;
+				PRODUCT_BUNDLE_IDENTIFIER = org.cryptomator.DockTilePlugin;
+				PRODUCT_NAME = Cryptomator;
+				PROVISIONING_PROFILE_SPECIFIER = "";
+				SKIP_INSTALL = YES;
+				STRING_CATALOG_GENERATE_SYMBOLS = YES;
+				SWIFT_EMIT_LOC_STRINGS = YES;
+				WRAPPER_EXTENSION = docktileplugin;
+			};
+			name = Debug;
+		};
+		74E08DDF2E858467007E665C /* Release */ = {
+			isa = XCBuildConfiguration;
+			buildSettings = {
+				CODE_SIGN_STYLE = Manual;
+				COMBINE_HIDPI_IMAGES = YES;
+				CURRENT_PROJECT_VERSION = 1;
+				DEVELOPMENT_TEAM = "";
+				GENERATE_INFOPLIST_FILE = YES;
+				INFOPLIST_KEY_NSHumanReadableCopyright = "Copyright © 2025 Cryptomator. All rights reserved.";
+				INFOPLIST_KEY_NSPrincipalClass = CryptomatorDockTilePlugin;
+				INSTALL_PATH = "$(LOCAL_LIBRARY_DIR)/Bundles";
+				MARKETING_VERSION = 1.0;
+				PRODUCT_BUNDLE_IDENTIFIER = org.cryptomator.DockTilePlugin;
+				PRODUCT_NAME = Cryptomator;
+				PROVISIONING_PROFILE_SPECIFIER = "";
+				SKIP_INSTALL = YES;
+				STRING_CATALOG_GENERATE_SYMBOLS = YES;
+				SWIFT_EMIT_LOC_STRINGS = YES;
+				WRAPPER_EXTENSION = docktileplugin;
+			};
+			name = Release;
+		};
+/* End XCBuildConfiguration section */
+
+/* Begin XCConfigurationList section */
+		74E08DD42E858467007E665C /* Build configuration list for PBXProject "DockTilePlugin" */ = {
+			isa = XCConfigurationList;
+			buildConfigurations = (
+				74E08DDB2E858467007E665C /* Debug */,
+				74E08DDC2E858467007E665C /* Release */,
+			);
+			defaultConfigurationIsVisible = 0;
+			defaultConfigurationName = Release;
+		};
+		74E08DDD2E858467007E665C /* Build configuration list for PBXNativeTarget "DockTilePlugin" */ = {
+			isa = XCConfigurationList;
+			buildConfigurations = (
+				74E08DDE2E858467007E665C /* Debug */,
+				74E08DDF2E858467007E665C /* Release */,
+			);
+			defaultConfigurationIsVisible = 0;
+			defaultConfigurationName = Release;
+		};
+/* End XCConfigurationList section */
+	};
+	rootObject = 74E08DD12E858467007E665C /* Project object */;
+}
--- a/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/project.xcworkspace/contents.xcworkspacedata
+++ b/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/project.xcworkspace/contents.xcworkspacedata
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Workspace
+   version = "1.0">
+   <FileRef
+      location = "self:">
+   </FileRef>
+</Workspace>
--- a/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/xcshareddata/xcschemes/DockTilePlugin.xcscheme
+++ b/dist/mac/DockTilePlugin/DockTilePlugin.xcodeproj/xcshareddata/xcschemes/DockTilePlugin.xcscheme
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Scheme
+   LastUpgradeVersion = "2600"
+   version = "1.7">
+   <BuildAction
+      parallelizeBuildables = "YES"
+      buildImplicitDependencies = "YES"
+      buildArchitectures = "Automatic">
+      <BuildActionEntries>
+         <BuildActionEntry
+            buildForTesting = "YES"
+            buildForRunning = "YES"
+            buildForProfiling = "YES"
+            buildForArchiving = "YES"
+            buildForAnalyzing = "YES">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "74E08DD82E858467007E665C"
+               BuildableName = "Cryptomator.docktileplugin"
+               BlueprintName = "DockTilePlugin"
+               ReferencedContainer = "container:DockTilePlugin.xcodeproj">
+            </BuildableReference>
+         </BuildActionEntry>
+      </BuildActionEntries>
+   </BuildAction>
+   <TestAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      shouldAutocreateTestPlan = "YES">
+   </TestAction>
+   <LaunchAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      launchStyle = "0"
+      useCustomWorkingDirectory = "NO"
+      ignoresPersistentStateOnLaunch = "NO"
+      debugDocumentVersioning = "YES"
+      debugServiceExtension = "internal"
+      allowLocationSimulation = "YES">
+   </LaunchAction>
+   <ProfileAction
+      buildConfiguration = "Release"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      savedToolIdentifier = ""
+      useCustomWorkingDirectory = "NO"
+      debugDocumentVersioning = "YES">
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "74E08DD82E858467007E665C"
+            BuildableName = "Cryptomator.docktileplugin"
+            BlueprintName = "DockTilePlugin"
+            ReferencedContainer = "container:DockTilePlugin.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
+   </ProfileAction>
+   <AnalyzeAction
+      buildConfiguration = "Debug">
+   </AnalyzeAction>
+   <ArchiveAction
+      buildConfiguration = "Release"
+      revealArchiveInOrganizer = "YES">
+   </ArchiveAction>
+</Scheme>
--- a/dist/mac/dmg/build.sh
+++ b/dist/mac/dmg/build.sh
@@ -24,7 +24,7 @@ rm -rf runtime dmg *.app *.dmg
 # set variables
 APP_NAME="Cryptomator"
 VENDOR="Skymatic GmbH"
-COPYRIGHT_YEARS="2016 - 2026"
+COPYRIGHT_YEARS="2016 - 2025"
 PACKAGE_IDENTIFIER="org.cryptomator"
 MAIN_JAR_GLOB="cryptomator-*.jar"
 MODULE_AND_MAIN_CLASS="org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator"
@@ -32,15 +32,15 @@ REVISION_NO=`git rev-list --count HEAD`
 VERSION_NO=`mvn -f../../../pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout | sed -rn 's/.*([0-9]+\.[0-9]+\.[0-9]+).*/\1/p'`
 FUSE_LIB="FUSE-T"

-JAVAFX_VERSION=25.0.2
+JAVAFX_VERSION=25
 JAVAFX_ARCH="undefined"
 JAVAFX_JMODS_SHA256="undefined"
 if [ "$(machine)" = "arm64e" ]; then
    JAVAFX_ARCH="aarch64"
-    JAVAFX_JMODS_SHA256="4cd258001c75af7047005c5c891e2400ed11d24fbb09412324c0cbaf8b503c5a"
+    JAVAFX_JMODS_SHA256="13f8c0513c40c95881479fbcf0465a29a60217393fb0656f5e4eab78a9442fba"
 else
    JAVAFX_ARCH="x64"
-    JAVAFX_JMODS_SHA256="0b4d8463f03901b7425d94628e4116b7078abb8dd540fbec415266fac20bda5c"
+    JAVAFX_JMODS_SHA256="0eba73fb28a24c845175d16fa2f8c081c936ce6de1be9b79eb6119fa32e53d52"
 fi
 JAVAFX_JMODS_URL="https://download2.gluonhq.com/openjfx/${JAVAFX_VERSION}/openjfx-${JAVAFX_VERSION}_osx-${JAVAFX_ARCH}_bin-jmods.zip"

@@ -114,28 +114,38 @@ ${JAVA_HOME}/bin/jpackage \
    --java-options "-Dapple.awt.enableTemplateImages=true" \
    --java-options "-Dsun.java2d.metal=true" \
    --java-options "-Dcryptomator.appVersion=\"${VERSION_NO}\"" \
-    --java-options "-Dcryptomator.adminConfigPath=\"/Library/Application Support/Cryptomator/config.properties\"" \
    --java-options "-Dcryptomator.logDir=\"@{userhome}/Library/Logs/${APP_NAME}\"" \
    --java-options "-XX:ErrorFile=/cryptomator/cryptomator_crash.log" \
+    --java-options "-Dcryptomator.pluginDir=\"@{userhome}/Library/Application Support/${APP_NAME}/Plugins\"" \
    --java-options "-Dcryptomator.settingsPath=\"@{userhome}/Library/Application Support/${APP_NAME}/settings.json\"" \
    --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/Library/Application Support/${APP_NAME}/ipc.socket\"" \
    --java-options "-Dcryptomator.p12Path=\"@{userhome}/Library/Application Support/${APP_NAME}/key.p12\"" \
    --java-options "-Dcryptomator.integrationsMac.keychainServiceName=\"${APP_NAME}\"" \
    --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Library/Application Support${APP_NAME}/mnt\"" \
    --java-options "-Dcryptomator.showTrayIcon=true" \
-    --java-options "-Dcryptomator.updateMechanism=org.cryptomator.macos.update.DmgUpdateMechanism" \
    --java-options "-Dcryptomator.buildNumber=\"dmg-${REVISION_NO}\"" \
-    --java-options "-Dcryptomator.hub.enableTrustOnFirstUse=true" \
    --mac-package-identifier ${PACKAGE_IDENTIFIER} \
    --resource-dir ../resources

 # transform app dir
 cp ../resources/${APP_NAME}-Vault.icns ${APP_NAME}.app/Contents/Resources/
-cp ../resources/Assets.car ${APP_NAME}.app/Contents/Resources/
 sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" ${APP_NAME}.app/Contents/Info.plist
 sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" ${APP_NAME}.app/Contents/Info.plist
 cp ../embedded.provisionprofile ${APP_NAME}.app/Contents/

+# build and install dock tile plugin
+echo "Building and installing Cryptomator.docktileplugin..."
+DERIVED_DATA_PATH=../DockTilePlugin/build
+xcodebuild -project ../DockTilePlugin/DockTilePlugin.xcodeproj \
+           -scheme DockTilePlugin \
+           -configuration Release \
+           -derivedDataPath ${DERIVED_DATA_PATH} \
+           -quiet \
+           clean build
+mkdir -p ${APP_NAME}.app/Contents/PlugIns
+cp -R ${DERIVED_DATA_PATH}/Build/Products/Release/Cryptomator.docktileplugin ${APP_NAME}.app/Contents/PlugIns/
+rm -rf ${DERIVED_DATA_PATH}
+
 # generate license
 mvn -B -f../../../pom.xml license:add-third-party \
    -Dlicense.thirdPartyFilename=license.rtf \
--- a/dist/mac/resources/Assets.car
+++ b/dist/mac/resources/Assets.car
--- a/dist/mac/resources/Info.plist
+++ b/dist/mac/resources/Info.plist
@@ -12,8 +12,6 @@
  <string>Cryptomator</string>
  <key>CFBundleIconFile</key>
  <string>Cryptomator.icns</string>
-  <key>CFBundleIconName</key>
-  <string>Cryptomator</string>
  <key>CFBundleIdentifier</key>
  <string>org.cryptomator</string>
  <key>CFBundleInfoDictionaryVersion</key>
@@ -107,7 +105,6 @@
        <array>
          <string>c9r</string>
          <string>c9s</string>
-          <string>c9u</string>
        </array>
        <key>public.mime-type</key>
        <array>
@@ -119,5 +116,8 @@
  <!-- allow utilization of integrated GPU, see https://developer.apple.com/library/mac/qa/qa1734/_index.html -->
  <key>NSSupportsAutomaticGraphicsSwitching</key>
  <true/>
+  <!-- register dock tile plugin -->
+  <key>NSDockTilePlugIn</key>
+  <string>Cryptomator.docktileplugin</string>
 </dict>
 </plist>
--- a/dist/win/build.ps1
+++ b/dist/win/build.ps1
@@ -16,19 +16,6 @@ Param(
 # Function Definitions Section
 # ============================

-function Invoke-CommandWithExitCheck {
-	param (
-		[string]$Command,
-		[string[]]$Arguments
-	)
-
-	& $Command @Arguments
-	if ($LASTEXITCODE -ne 0) {
-		Write-Error "Command '$Command' failed with exit code $LASTEXITCODE"
-		exit $LASTEXITCODE
-	}
-}
-
 function Main {

 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -47,20 +34,20 @@ if ((Get-Command "mvn" -ErrorAction SilentlyContinue) -eq $null)
 }
 if ((Get-Command 'wix' -ErrorAction SilentlyContinue) -eq $null)
 {
-   Write-Error 'Unable to find wix in your PATH (try: dotnet tool install --global wix --version 6.0.2)'
+   Write-Error 'Unable to find wix in your PATH (try: dotnet tool install --global wix --version 6.0.0)'
   exit 1
 }
 $wixExtensions = & wix.exe extension list --global | Out-String
 if ($wixExtensions -notmatch 'WixToolset.UI.wixext') {
-    Write-Error 'Wix UI extension missing. Please install it with: wix.exe extension add WixToolset.UI.wixext/6.0.2 --global)'
+    Write-Error 'Wix UI extension missing. Please install it with: wix.exe extension add WixToolset.UI.wixext/6.0.0 --global)'
    exit 1
 }
 if ($wixExtensions -notmatch 'WixToolset.Util.wixext') {
-    Write-Error 'Wix Util extension missing. Please install it with: wix.exe extension add WixToolset.Util.wixext/6.0.2 --global)'
+    Write-Error 'Wix Util extension missing. Please install it with: wix.exe extension add WixToolset.Util.wixext/6.0.0 --global)'
    exit 1
 }
 if ($wixExtensions -notmatch 'WixToolset.BootstrapperApplications.wixext') {
-    Write-Error 'Wix Bootstrapper extension missing. Please install it with: wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.2 --global)'
+    Write-Error 'Wix Bootstrapper extension missing. Please install it with: wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.0 --global)'
    exit 1
 }

@@ -78,8 +65,7 @@ Write-Host "`$Env:JAVA_HOME=$Env:JAVA_HOME"
 $copyright = "(C) $CopyrightStartYear - $((Get-Date).Year) $Vendor"

 # compile
-Invoke-CommandWithExitCheck -Command `
-    "mvn" -Arguments @("-B", "-f", "$buildDir/../../pom.xml", "clean", "package", "-DskipTests", "-Pwin")
+&mvn -B -f $buildDir/../../pom.xml clean package -DskipTests -Pwin
 Copy-Item "$buildDir\..\..\target\$MainJarGlob.jar" -Destination "$buildDir\..\..\target\mods"

 # add runtime
@@ -107,9 +93,9 @@ switch ($archName) {
        $jmodPaths = "$Env:JAVA_HOME/jmods"
    }
    'x64' {
-		$javaFxVersion='25.0.2'
+		$javaFxVersion='25'
 		$javaFxJmodsUrl = "https://download2.gluonhq.com/openjfx/${javaFxVersion}/openjfx-${javaFxVersion}_windows-x64_bin-jmods.zip"
-		$javaFxJmodsSHA256 = '33d878dfac85590c4d77c518ed413e512d34a8479d90132b230a7ddd173576b3'
+		$javaFxJmodsSHA256 = 'c8eb9fd039b00e0020cf6c3db8ed7876bf3ee4d27860aa697a247b83b8296ae7'
 		$javaFxJmods = '.\resources\jfxJmods.zip'

 		if( !(Test-Path -Path $javaFxJmods) ) {
@@ -143,18 +129,16 @@ if ((& "$Env:JAVA_HOME\bin\jlink" --help | Select-String -Pattern "Linking from
 }

 ### create runtime
-Invoke-CommandWithExitCheck -Command `
-    "$Env:JAVA_HOME\bin\jlink" -Arguments @(
-    "--verbose",
-    "--output", "runtime",
-    "--module-path", $jmodPaths,
-    "--add-modules", "java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.accessibility,jdk.management.jfr,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.crypto.mscapi,java.compiler,javafx.base,javafx.graphics,javafx.controls,javafx.fxml",
-    "--strip-native-commands",
-    "--no-header-files",
-    "--no-man-pages",
-    "--strip-debug",
-    "--compress", "zip-0" #do not compress and use msi compression
-    )
+& "$Env:JAVA_HOME\bin\jlink" `
+	--verbose `
+	--output runtime `
+	--module-path $jmodPaths `
+	--add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.accessibility,jdk.management.jfr,jdk.crypto.cryptoki,jdk.crypto.ec,jdk.crypto.mscapi,java.compiler,javafx.base,javafx.graphics,javafx.controls,javafx.fxml `
+	--strip-native-commands `
+	--no-header-files `
+	--no-man-pages `
+	--strip-debug `
+	--compress "zip-0" #do not compress and use msi compression

 $appPath = ".\$AppName"
 if ($clean -and (Test-Path -Path $appPath)) {
@@ -171,7 +155,7 @@ $javaOptions = @(
 "--java-options", "-Djava.net.useSystemProxies=true"
 "--java-options", "-Dcryptomator.logDir=`"@{localappdata}/$AppName`""
 "--java-options", "-XX:ErrorFile=`"C:/cryptomator/cryptomator_crash.log`""
-"--java-options", "-Dcryptomator.adminConfigPath=`"C:/ProgramData/$AppName/config.properties`""
+"--java-options", "-Dcryptomator.pluginDir=`"@{appdata}/$AppName/Plugins`""
 "--java-options", "-Dcryptomator.settingsPath=`"@{appdata}/$AppName/settings.json;@{userhome}/AppData/Roaming/$AppName/settings.json`""
 "--java-options", "-Dcryptomator.ipcSocketPath=`"@{localappdata}/$AppName/ipc.socket`""
 "--java-options", "-Dcryptomator.p12Path=`"@{appdata}/$AppName/key.p12;@{userhome}/AppData/Roaming/$AppName/key.p12`""
@@ -183,7 +167,6 @@ $javaOptions = @(
 "--java-options", "-Dcryptomator.showTrayIcon=true"
 "--java-options", "-Dcryptomator.buildNumber=`"msi-$revisionNo`""
 "--java-options", "-Dcryptomator.disableUpdateCheck=false"
-"--java-options", "-Dcryptomator.hub.enableTrustOnFirstUse=true"
 )


@@ -211,15 +194,14 @@ if ($LASTEXITCODE -ne 0) {
 }

 #Create RTF license for msi
-Invoke-CommandWithExitCheck -Command `
-    "mvn" -Arguments @("-B", "-f", "$buildDir/../../pom.xml", "license:add-third-party", `
-    "-Dlicense.thirdPartyFilename=license.rtf", `
-    "-Dlicense.fileTemplate=$buildDir\resources\licenseTemplate.ftl", `
-    "-Dlicense.outputDirectory=$buildDir\resources\", `
-    "-Dlicense.includedScopes=compile", `
-    "-Dlicense.excludedGroups=^org\.cryptomator", `
-    "-Dlicense.failOnMissing=true", `
-    "-Dlicense.licenseMergesUrl=file:///$buildDir/../../license/merges")
+&mvn -B -f $buildDir/../../pom.xml license:add-third-party `
+ "-Dlicense.thirdPartyFilename=license.rtf" `
+ "-Dlicense.fileTemplate=$buildDir\resources\licenseTemplate.ftl" `
+ "-Dlicense.outputDirectory=$buildDir\resources\" `
+ "-Dlicense.includedScopes=compile" `
+ "-Dlicense.excludedGroups=^org\.cryptomator" `
+ "-Dlicense.failOnMissing=true" `
+ "-Dlicense.licenseMergesUrl=file:///$buildDir/../../license/merges"

 # patch app dir
 Copy-Item "contrib\*" -Destination "$AppName"
@@ -227,46 +209,42 @@ attrib -r "$AppName\$AppName.exe"
 attrib -r "$AppName\${AppName} (Debug).exe"

 # create .msi
-$Env:JP_WIXWIZARD_RESOURCES = "$buildDir\resources\"
-$Env:JP_WIXWIZARD_RESOURCES_PROPERTIES_FORMAT = "${Env:JP_WIXWIZARD_RESOURCES}".Replace('\', '\\');
-$Env:JP_WIXHELPER_DIR = ""
+$Env:JP_WIXWIZARD_RESOURCES = "$buildDir\resources"
+$Env:JP_WIXHELPER_DIR = "."
+& "$Env:JAVA_HOME\bin\jpackage" `
+	--verbose `
+	--type msi `
+	--win-upgrade-uuid $UpgradeUUID `
+	--app-image $AppName `
+	--dest installer `
+	--name $AppName `
+	--vendor $Vendor `
+	--copyright $copyright `
+	--app-version "$semVerNo.$revisionNo" `
+	--win-menu `
+	--win-dir-chooser `
+	--win-shortcut-prompt `
+	--win-menu-group $AppName `
+	--resource-dir resources `
+	--license-file resources/license.rtf `
+	--win-update-url $UpdateUrl `
+	--about-url $AboutUrl `
+	--file-associations resources/FAvaultFile.properties

-Get-Content .\resources\FAvaultFile.template.properties ` # Similar to envsubst
-    | ForEach-Object { $ExecutionContext.InvokeCommand.ExpandString($_) } `
-    | Out-File -FilePath .\resources\FAvaultFile.properties
-
-Invoke-CommandWithExitCheck -Command `
-    "$Env:JAVA_HOME\bin\jpackage" -Arguments @(
-    "--verbose",
-    "--type", "msi",
-    "--win-upgrade-uuid", $UpgradeUUID,
-    "--app-image", $AppName,
-    "--dest", "installer",
-    "--name", $AppName,
-    "--vendor", $Vendor,
-    "--copyright", $copyright,
-    "--app-version", "$semVerNo.$revisionNo",
-    "--win-menu",
-    "--win-dir-chooser",
-    "--win-shortcut-prompt",
-    "--win-menu-group", $AppName,
-    "--resource-dir", "resources",
-    "--license-file", "resources/license.rtf",
-    "--win-update-url", $UpdateUrl,
-    "--about-url", $AboutUrl,
-    "--file-associations", "resources/FAvaultFile.properties"
-    )
+if ($LASTEXITCODE -ne 0) {
+    Write-Error "jpackage MSI failed with exit code $LASTEXITCODE"
+	return 1;
+}

 #Create RTF license for bundle
-Invoke-CommandWithExitCheck -Command `
-	"mvn" -Arguments @("-B", "-f", "$buildDir/../../pom.xml", "license:add-third-party", `
-	"-Dlicense.thirdPartyFilename=license.rtf", `
-	"-Dlicense.fileTemplate=$buildDir\bundle\resources\licenseTemplate.ftl", `
-	"-Dlicense.outputDirectory=$buildDir\bundle\resources\", `
-	"-Dlicense.includedScopes=compile", `
-	"-Dlicense.excludedGroups=^org\.cryptomator", `
-	"-Dlicense.failOnMissing=true", `
-	"-Dlicense.licenseMergesUrl=file:///$buildDir/../../license/merges")
+&mvn -B -f $buildDir/../../pom.xml license:add-third-party `
+ "-Dlicense.thirdPartyFilename=license.rtf" `
+ "-Dlicense.fileTemplate=$buildDir\bundle\resources\licenseTemplate.ftl" `
+ "-Dlicense.outputDirectory=$buildDir\bundle\resources\" `
+ "-Dlicense.includedScopes=compile" `
+ "-Dlicense.excludedGroups=^org\.cryptomator" `
+ "-Dlicense.failOnMissing=true" `
+ "-Dlicense.licenseMergesUrl=file:///$buildDir/../../license/merges"

 # download Winfsp
 $winfspMsiUrl= 'https://github.com/winfsp/winfsp/releases/download/v2.1/winfsp-2.1.25156.msi'
@@ -292,21 +270,18 @@ Invoke-WebRequest $winfspUninstaller -OutFile ".\bundle\resources\winfsp-uninsta
 Copy-Item ".\installer\$AppName-*.msi" -Destination ".\bundle\resources\$AppName.msi" -Force

 # create bundle including winfsp
-Invoke-CommandWithExitCheck -Command `
-    "wix" -Arguments @(
-    "build",
-    "-define", "BundleName=$AppName",
-    "-define", "BundleVersion=$semVerNo.$revisionNo",
-    "-define", "BundleVendor=$Vendor",
-    "-define", "BundleCopyright=$copyright",
-    "-define", "AboutUrl=$AboutUrl",
-    "-define", "HelpUrl=$HelpUrl",
-    "-define", "UpdateUrl=$UpdateUrl",
-    "-ext", "WixToolset.Util.wixext",
-    "-ext", "WixToolset.BootstrapperApplications.wixext",
-    ".\bundle\bundleWithWinfsp.wxs",
-    "-out", ".\installer\$AppName-Installer.exe"
-)
+& wix build `
+	-define BundleName="$AppName" `
+	-define BundleVersion="$semVerNo.$revisionNo" `
+	-define BundleVendor="$Vendor" `
+	-define BundleCopyright="$copyright" `
+	-define AboutUrl="$AboutUrl" `
+	-define HelpUrl="$HelpUrl" `
+	-define UpdateUrl="$UpdateUrl" `
+	-ext "WixToolset.Util.wixext" `
+	-ext "WixToolset.BootstrapperApplications.wixext" `
+    .\bundle\bundleWithWinfsp.wxs `
+    -out "installer\$AppName-Installer.exe"

 Write-Host "Created EXE installer .\installer\$AppName-Installer.exe"
 return 0;
--- a/dist/win/contrib/disableUserConfig.bat
+++ b/dist/win/contrib/disableUserConfig.bat
@@ -1,12 +0,0 @@
-@echo off
-:: Batch wrapper for PowerShell script to disable user configuration in Cryptomator
-:: This is executed as a Custom Action during MSI installation
-:: This file must be located in the INSTALLDIR
-
-:: Change to INSTALLDIR
-cd %~dp0
-:: Execute the PowerShell script
-powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File ".\disableUserConfig.ps1"
-
-:: Return the exit code from PowerShell
-exit /b %ERRORLEVEL%
--- a/dist/win/contrib/disableUserConfig.ps1
+++ b/dist/win/contrib/disableUserConfig.ps1
@@ -1,24 +0,0 @@
-# PowerShell script to disable user configuration
-# This script is executed as a Custom Action during MSI installation
-# It deletes the file .package, effectively disabling user specific jpackage configuration.
-# NOTE: This file must be located in the same directory as set in the MSI property INSTALLDIR
-
-try {
-
-    # Determine  file path
-    $packageFile = Join-Path $PSScriptRoot 'app\.package'
-
-    #check if file exists
-    if (Test-Path -Path $packageFile) {
-        Write-Host "Deleting file: $packageFile"
-        Remove-Item -Path $packageFile -Force -ErrorAction Stop
-    } else {
-        Write-Host "File not found: $packageFile. Skipping deletion."
-    }
-
-    exit 0
-}
-catch {
-    Write-Error "Error deleting package file: $_"
-    exit 1
-}
--- a/dist/win/resources/FAvaultFile.properties
+++ b/dist/win/resources/FAvaultFile.properties
@@ -1,4 +1,4 @@
 mime-type=application/vnd.cryptomator.vault
 extension=cryptomator
 description=Cryptomator Vault File
-icon=C:\\Users\\Arbeit\\Skymatic\\cryptomator-jdk26-jpackage\\dist\\win\\resources\\Cryptomator-Vault.ico
+icon=resources/Cryptomator-Vault.ico
--- a/dist/win/resources/FAvaultFile.template.properties
+++ b/dist/win/resources/FAvaultFile.template.properties
@@ -1,4 +0,0 @@
-mime-type=application/vnd.cryptomator.vault
-extension=cryptomator
-description=Cryptomator Vault File
-icon=${env:JP_WIXWIZARD_RESOURCES_PROPERTIES_FORMAT}Cryptomator-Vault.ico
--- a/dist/win/resources/main.wxs
+++ b/dist/win/resources/main.wxs
@@ -68,7 +68,7 @@
    <?endif?>

    <!-- TODO: how does this work again? -->
-    <ns0:Binary Id="JpCaDll" SourceFile="$(env.JP_WIXHELPER_DIR)msica.dll"></ns0:Binary>
+    <ns0:Binary Id="JpCaDll" SourceFile="$(env.JP_WIXHELPER_DIR)\wixhelper.dll" />
    <ns0:CustomAction Id="JpFindRelatedProducts" BinaryRef="JpCaDll" DllEntry="FindRelatedProductsEx" />

    <?ifndef SkipCryptomatorLegacyCheck ?>
@@ -87,37 +87,17 @@

    <!-- Non-Opening ProgID -->
    <ns0:DirectoryRef Id="INSTALLDIR">
-        <ns0:Component Bitness="always64" Id="nonStartingProgID">
+        <ns0:Component Bitness="always64" Id="nonStartingProgID" >
          <ns0:File Id="IconFileForEncryptedData" KeyPath="yes" Source="$(env.JP_WIXWIZARD_RESOURCES)\$(var.IconFileEncryptedData)" Name="$(var.IconFileEncryptedData)"/>
          <ns0:ProgId Id="$(var.JpAppName).Encrypted.1" Description="$(var.JpAppName) Encrypted Data" Icon="IconFileForEncryptedData" IconIndex="0">
            <ns0:Extension Id="c9r" Advertise="no" ContentType="$(var.ProgIdContentType)">
              <ns0:MIME ContentType="$(var.ProgIdContentType)" Default="yes"/>
            </ns0:Extension>
            <ns0:Extension Id="c9s" Advertise="no" ContentType="$(var.ProgIdContentType)"/>
-            <ns0:Extension Id="c9u" Advertise="no" ContentType="$(var.ProgIdContentType)"/>
          </ns0:ProgId>
        </ns0:Component>
    </ns0:DirectoryRef>

-    <ns0:StandardDirectory Id="CommonAppDataFolder">
-      <ns0:Directory Id="CryptomatorDesktopProgramData" Name="Cryptomator">
-        <ns0:Component Id="AdminConfigDir" Guid="c078b7da-ba6e-4069-a5ab-5c0f0f9856a0">
-          <ns0:CreateFolder>
-            <util:PermissionEx User="SYSTEM" GenericAll="yes"/>
-            <util:PermissionEx User="Administrators" GenericAll="yes"/>
-            <util:PermissionEx User="Users" GenericRead="yes" GenericExecute="yes"/>
-          </ns0:CreateFolder>
-        </ns0:Component>
-        <ns0:Component Id="AdminConfigFile" NeverOverwrite="yes" Permanent="yes">
-          <ns0:File Id="EmptyAdminConfig" Source="$(env.JP_WIXWIZARD_RESOURCES)\..\..\common\config.properties" Name="config.properties" KeyPath="yes">
-            <util:PermissionEx User="SYSTEM" GenericAll="yes"/>
-            <util:PermissionEx User="Administrators" GenericAll="yes"/>
-            <util:PermissionEx User="Users" GenericRead="yes" GenericExecute="yes"/>
-          </ns0:File>
-        </ns0:Component>
-      </ns0:Directory>
-    </ns0:StandardDirectory>
-
    <!-- Standard required root -->

    <ns0:Feature Id="DefaultFeature" Title="!(loc.MainFeatureTitle)" Level="1">
@@ -125,9 +105,7 @@
      <ns0:ComponentGroupRef Id="Files"/>
      <ns0:ComponentGroupRef Id="FileAssociations"/>
      <!-- Ref to additional ProgIDs -->
-      <ns0:ComponentRef Id="nonStartingProgID"/>
-      <ns0:ComponentRef Id="AdminConfigDir"/>
-      <ns0:ComponentRef Id="AdminConfigFile"/>
+      <ns0:ComponentRef Id="nonStartingProgID" />
    </ns0:Feature>

    <ns0:CustomAction Id="JpSetARPINSTALLLOCATION" Property="ARPINSTALLLOCATION" Value="[INSTALLDIR]" />
@@ -153,10 +131,6 @@
    <!-- Property for controlling update check behavior (can be set via command line) -->
    <ns0:Property Id="DISABLEUPDATECHECK" Secure="yes" />

-    <!-- Disable user config -->
-    <ns0:SetProperty Id="DisableUserConfig" Value="&quot;[INSTALLDIR]disableUserConfig.bat&quot;" Sequence="execute" Before="DisableUserConfig" />
-    <ns0:CustomAction Id="DisableUserConfig" BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no"/>
-
    <!-- WebDAV patches -->
    <ns0:SetProperty Id="PatchWebDAV" Value="&quot;[INSTALLDIR]patchWebDAV.bat&quot; &quot;$(var.LoopbackAlias)&quot;" Sequence="execute" Before="PatchWebDAV" />
    <ns0:CustomAction Id="PatchWebDAV" BinaryRef="Wix4UtilCA_$(sys.BUILDARCHSHORT)" DllEntry="WixQuietExec" Execute="deferred" Return="ignore" Impersonate="no"/>
@@ -213,10 +187,9 @@
      <ns0:Custom Action="FailOnRunningApp" After="Wix4CloseApplications_$(sys.BUILDARCHSHORT)" Condition="FOUNDRUNNINGAPP" />

      <ns0:RemoveExistingProducts After="InstallValidate"/> <!-- Moved from CostInitialize, due to Wix4CloseApplications_* -->
-      <ns0:Custom Action="DisableUserConfig" After="InstallFiles" Condition="NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
      <!-- Skip action on uninstall -->
      <!-- TODO: don't skip action, but remove cryptomator alias from hosts file -->
-      <ns0:Custom Action="PatchWebDAV" After="DisableUserConfig" Condition="NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
+      <ns0:Custom Action="PatchWebDAV" After="InstallFiles" Condition="NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
      <!-- Configure update check setting if property is provided -->
      <ns0:Custom Action="PatchUpdateCheck" After="PatchWebDAV" Condition="DISABLEUPDATECHECK AND NOT (Installed AND (NOT REINSTALL) AND (NOT UPGRADINGPRODUCTCODE) AND REMOVE)"/>
    </ns0:InstallExecuteSequence>
@@ -225,7 +198,7 @@
      <ns0:Custom Action="JpFindRelatedProducts" After="FindRelatedProducts"/>
    </ns0:InstallUISequence>

-    <ns0:WixVariable Id="WixUIBannerBmp" Value="$(env.JP_WIXWIZARD_RESOURCES)banner.bmp" />
-    <ns0:WixVariable Id="WixUIDialogBmp" Value="$(env.JP_WIXWIZARD_RESOURCES)background.bmp" />
+    <ns0:WixVariable Id="WixUIBannerBmp" Value="$(env.JP_WIXWIZARD_RESOURCES)\banner.bmp" />
+    <ns0:WixVariable Id="WixUIDialogBmp" Value="$(env.JP_WIXWIZARD_RESOURCES)\background.bmp" />
  </ns0:Package>
 </ns0:Wix>
--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>cryptomator</artifactId>
-	<version>1.20.0-SNAPSHOT</version>
+	<version>1.19.0-SNAPSHOT</version>
 	<name>Cryptomator Desktop App</name>

 	<organization>
@@ -33,76 +33,54 @@
 		<nonModularGroupIds>org.ow2.asm,org.apache.jackrabbit,org.apache.httpcomponents</nonModularGroupIds>

 		<!-- cryptomator dependencies -->
-		<cryptomator.cryptofs.version>2.10.0</cryptomator.cryptofs.version>
-		<cryptomator.cryptolib.version>2.2.2</cryptomator.cryptolib.version>
-		<cryptomator.integrations.version>1.8.0</cryptomator.integrations.version>
-		<cryptomator.integrations.win.version>1.6.0</cryptomator.integrations.win.version>
-		<cryptomator.integrations.mac.version>1.5.0</cryptomator.integrations.mac.version>
-		<cryptomator.integrations.linux.version>1.7.0</cryptomator.integrations.linux.version>
-		<cryptomator.fuse.version>6.0.1</cryptomator.fuse.version>
-		<cryptomator.webdav.version>3.0.1</cryptomator.webdav.version>
-		<cryptomator.webdav-servlet.version>1.2.12</cryptomator.webdav-servlet.version>
+		<cryptomator.cryptofs.version>2.9.0</cryptomator.cryptofs.version>
+		<cryptomator.integrations.version>1.7.0</cryptomator.integrations.version>
+		<cryptomator.integrations.win.version>1.5.1</cryptomator.integrations.win.version>
+		<cryptomator.integrations.mac.version>1.4.1</cryptomator.integrations.mac.version>
+		<cryptomator.integrations.linux.version>1.6.1</cryptomator.integrations.linux.version>
+		<cryptomator.fuse.version>5.1.0</cryptomator.fuse.version>
+		<cryptomator.webdav.version>3.0.0</cryptomator.webdav.version>

 		<!-- 3rd party dependencies -->
-		<caffeine.version>3.2.3</caffeine.version>
-		<commons-lang3.version>3.20.0</commons-lang3.version>
-		<dagger.version>2.59.2</dagger.version>
+		<commons-lang3.version>3.19.0</commons-lang3.version>
+		<dagger.version>2.57.2</dagger.version>
 		<easybind.version>2.2</easybind.version>
-		<jackson.version>2.21.1</jackson.version>
-		<javafx.version>25.0.2</javafx.version>
-		<jwt.version>4.5.1</jwt.version>
+		<jackson.version>2.20.0</jackson.version>
+		<javafx.version>25</javafx.version>
+		<jwt.version>4.5.0</jwt.version>
 		<nimbus-jose.version>10.5</nimbus-jose.version>
-		<logback.version>1.5.32</logback.version>
+		<logback.version>1.5.19</logback.version>
 		<slf4j.version>2.0.17</slf4j.version>
 		<tinyoauth2.version>0.8.1</tinyoauth2.version>
 		<zxcvbn.version>1.9.0</zxcvbn.version>

 		<!-- test dependencies -->
-		<junit.jupiter.version>6.0.3</junit.jupiter.version>
-		<mockito.version>5.22.0</mockito.version>
+		<junit.jupiter.version>5.13.4</junit.jupiter.version>
+		<mockito.version>5.20.0</mockito.version>
 		<hamcrest.version>3.0</hamcrest.version>

 		<!-- build-time dependencies -->
-		<jetbrains.annotations.version>26.1.0</jetbrains.annotations.version>
-		<dependency-check.version>12.2.0</dependency-check.version>
+		<jetbrains.annotations.version>26.0.2-1</jetbrains.annotations.version>
+		<dependency-check.version>12.1.5</dependency-check.version>
 		<jacoco.version>0.8.14</jacoco.version>
-		<license-generator.version>2.7.1</license-generator.version>
-		<junit-tree-reporter.version>1.5.1</junit-tree-reporter.version>
-		<mvn-compiler.version>3.15.0</mvn-compiler.version>
-		<mvn-resources.version>3.5.0</mvn-resources.version>
-		<mvn-dependency.version>3.10.0</mvn-dependency.version>
-		<mvn-surefire.version>3.5.3</mvn-surefire.version>
-		<mvn-jar.version>3.5.0</mvn-jar.version>
+		<license-generator.version>2.7.0</license-generator.version>
+		<junit-tree-reporter.version>1.4.0</junit-tree-reporter.version>
+		<mvn-compiler.version>3.14.1</mvn-compiler.version>
+		<mvn-resources.version>3.3.1</mvn-resources.version>
+		<mvn-dependency.version>3.8.1</mvn-dependency.version>
+		<mvn-surefire.version>3.5.4</mvn-surefire.version>
+		<mvn-jar.version>3.4.2</mvn-jar.version>

 		<!-- Property used by surefire to determine jacoco engine -->
 		<surefire.jacoco.args></surefire.jacoco.args>
 	</properties>

-	<repositories>
-		<repository>
-			<name>Central Portal Snapshots</name>
-			<id>central-portal-snapshots</id>
-			<url>https://central.sonatype.com/repository/maven-snapshots/</url>
-			<releases>
-				<enabled>false</enabled>
-			</releases>
-			<snapshots>
-				<enabled>true</enabled>
-			</snapshots>
-		</repository>
-	</repositories>
-
 	<dependencies>
 		<!-- Cryptomator Libs -->
-		<dependency>
-			<groupId>org.cryptomator</groupId>
-			<artifactId>webdav-nio-adapter-servlet</artifactId>
-			<version>${cryptomator.webdav-servlet.version}</version>
-		</dependency>
 		<dependency>
 			<groupId>org.cryptomator</groupId>
 			<artifactId>cryptolib</artifactId>
-			<version>${cryptomator.cryptolib.version}</version>
+			<version>2.2.1</version>
 		</dependency>
 		<dependency>
 			<groupId>org.cryptomator</groupId>
@@ -236,7 +214,7 @@
 		<dependency>
 			<groupId>com.github.ben-manes.caffeine</groupId>
 			<artifactId>caffeine</artifactId>
-			<version>${caffeine.version}</version>
+			<version>3.2.2</version>
 		</dependency>
 		<!-- JUnit / Mockito / Hamcrest -->
 		<dependency>
@@ -338,6 +316,7 @@
 					</annotationProcessorPaths>
 					<compilerArgs>
 						<arg>-Adagger.fastInit=enabled</arg>
+						<arg>-Adagger.formatGeneratedSource=enabled</arg>
 					</compilerArgs>
 				</configuration>
 			</plugin>
@@ -527,57 +506,11 @@
 		</profile>

 		<profile>
-			<id>linux-aarch64</id>
+			<id>linux</id>
 			<activation>
 				<os>
 					<family>unix</family>
 					<name>Linux</name>
-					<arch>aarch64</arch>
-				</os>
-				<property>
-					<name>idea.version</name>
-				</property>
-			</activation>
-			<dependencies>
-				<dependency>
-					<groupId>org.cryptomator</groupId>
-					<artifactId>integrations-linux</artifactId>
-					<version>${cryptomator.integrations.linux.version}</version>
-				</dependency>
-				<dependency>
-					<groupId>org.openjfx</groupId>
-					<artifactId>javafx-base</artifactId>
-					<version>${javafx.version}</version>
-					<classifier>linux-aarch64</classifier>
-				</dependency>
-				<dependency>
-					<groupId>org.openjfx</groupId>
-					<artifactId>javafx-graphics</artifactId>
-					<version>${javafx.version}</version>
-					<classifier>linux-aarch64</classifier>
-				</dependency>
-				<dependency>
-					<groupId>org.openjfx</groupId>
-					<artifactId>javafx-controls</artifactId>
-					<version>${javafx.version}</version>
-					<classifier>linux-aarch64</classifier>
-				</dependency>
-				<dependency>
-					<groupId>org.openjfx</groupId>
-					<artifactId>javafx-fxml</artifactId>
-					<version>${javafx.version}</version>
-					<classifier>linux-aarch64</classifier>
-				</dependency>
-			</dependencies>
-		</profile>
-
-		<profile>
-			<id>linux-x86_64</id>
-			<activation>
-				<os>
-					<family>unix</family>
-					<name>Linux</name>
-					<arch>amd64</arch>
 				</os>
 				<property>
 					<name>idea.version</name>
--- a/src/main/java/module-info.java
+++ b/src/main/java/module-info.java
@@ -1,4 +1,5 @@
 import ch.qos.logback.classic.spi.Configurator;
+import org.cryptomator.networking.SSLContextWithPKCS12TrustStore;
 import org.cryptomator.common.locationpresets.DropboxLinuxLocationPresetsProvider;
 import org.cryptomator.common.locationpresets.DropboxMacLocationPresetsProvider;
 import org.cryptomator.common.locationpresets.DropboxWindowsLocationPresetsProvider;
@@ -13,16 +14,11 @@ import org.cryptomator.common.locationpresets.OneDriveLinuxLocationPresetsProvid
 import org.cryptomator.common.locationpresets.OneDriveMacLocationPresetsProvider;
 import org.cryptomator.common.locationpresets.OneDriveWindowsLocationPresetsProvider;
 import org.cryptomator.common.locationpresets.PCloudLocationPresetsProvider;
-import org.cryptomator.integrations.revealpath.RevealPathService;
-import org.cryptomator.integrations.tray.TrayMenuController;
-import org.cryptomator.integrations.uiappearance.UiAppearanceProvider;
-import org.cryptomator.logging.LogbackConfiguratorFactory;
-import org.cryptomator.networking.SSLContextProvider;
 import org.cryptomator.networking.SSLContextWithMacKeychain;
-import org.cryptomator.networking.SSLContextWithPKCS12TrustStore;
+import org.cryptomator.networking.SSLContextProvider;
 import org.cryptomator.networking.SSLContextWithWindowsCertStore;
-import org.cryptomator.ui.fxapp.JfxRevealPathService;
-import org.cryptomator.ui.fxapp.JfxUiAppearanceProvider;
+import org.cryptomator.integrations.tray.TrayMenuController;
+import org.cryptomator.logging.LogbackConfiguratorFactory;
 import org.cryptomator.ui.traymenu.AwtTrayMenuController;

 open module org.cryptomator.desktop {
@@ -54,19 +50,17 @@ open module org.cryptomator.desktop {
 	requires io.github.coffeelibs.tinyoauth2client;
 	requires org.slf4j;
 	requires org.apache.commons.lang3;
-	requires com.github.benmanes.caffeine;

 	/* dagger bs */
 	requires jakarta.inject;
 	requires static javax.inject;
 	requires java.compiler;
+	requires com.github.benmanes.caffeine;

 	uses org.cryptomator.common.locationpresets.LocationPresetsProvider;
 	uses SSLContextProvider;
 	uses org.cryptomator.event.NotificationHandler;

-	provides UiAppearanceProvider with JfxUiAppearanceProvider;
-	provides RevealPathService with JfxRevealPathService;
 	provides TrayMenuController with AwtTrayMenuController;
 	provides Configurator with LogbackConfiguratorFactory;
 	provides SSLContextProvider with SSLContextWithWindowsCertStore, SSLContextWithMacKeychain, SSLContextWithPKCS12TrustStore;
--- a/src/main/java/org/cryptomator/common/CommonsModule.java
+++ b/src/main/java/org/cryptomator/common/CommonsModule.java
@@ -22,6 +22,8 @@ import javax.inject.Named;
 import javax.inject.Singleton;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
+import java.util.Comparator;
+import java.util.Optional;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.SynchronousQueue;
@@ -74,8 +76,15 @@ public abstract class CommonsModule {

 	@Provides
 	@Singleton
-	static RevealPathService provideRevealPathService() {
-		return RevealPathService.get().findFirst().orElseThrow();
+	@Named("SemVer")
+	static Comparator<String> providesSemVerComparator() {
+		return new SemVerComparator();
+	}
+
+	@Provides
+	@Singleton
+	static Optional<RevealPathService> provideRevealPathService() {
+		return RevealPathService.get().findFirst();
 	}


--- a/src/main/java/org/cryptomator/common/Constants.java
+++ b/src/main/java/org/cryptomator/common/Constants.java
@@ -13,7 +13,5 @@ public interface Constants {
 	String CRYPTOMATOR_FILENAME_GLOB = "*.cryptomator";
 	URI DEFAULT_KEY_ID = URI.create(MasterkeyFileLoadingStrategy.SCHEME + ":" + MASTERKEY_FILENAME);
 	byte[] PEPPER = new byte[0];
-	// Separator used to concatenate Hub username and device name in the filesystem owner identifier.
-	String HUB_USER_DEVICE_SEPARATOR = "&";

 }
--- a/src/main/java/org/cryptomator/common/Environment.java
+++ b/src/main/java/org/cryptomator/common/Environment.java
@@ -9,13 +9,10 @@ import org.slf4j.LoggerFactory;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
-import java.util.Arrays;
 import java.util.Optional;
-import java.util.Set;
 import java.util.Spliterator;
 import java.util.Spliterators;
 import java.util.function.Predicate;
-import java.util.stream.Collectors;
 import java.util.stream.Stream;
 import java.util.stream.StreamSupport;

@@ -23,22 +20,20 @@ public class Environment {

 	private static final Logger LOG = LoggerFactory.getLogger(Environment.class);
 	private static final int DEFAULT_MIN_PW_LENGTH = 8;
-	public static final String SETTINGS_PATH_PROP_NAME = "cryptomator.settingsPath";
-	public static final String IPC_SOCKET_PATH_PROP_NAME = "cryptomator.ipcSocketPath";
-	public static final String KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.keychainPaths";
-	public static final String WINDOWS_HELLO_KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.windowsHelloKeychainPaths";
-	public static final String P12_PATH_PROP_NAME = "cryptomator.p12Path";
-	public static final String LOG_DIR_PROP_NAME = "cryptomator.logDir";
-	public static final String LOOPBACK_ALIAS_PROP_NAME = "cryptomator.loopbackAlias";
-	public static final String MOUNTPOINT_DIR_PROP_NAME = "cryptomator.mountPointsDir";
-	public static final String MIN_PW_LENGTH_PROP_NAME = "cryptomator.minPwLength";
-	public static final String APP_VERSION_PROP_NAME = "cryptomator.appVersion";
-	public static final String BUILD_NUMBER_PROP_NAME = "cryptomator.buildNumber";
-	public static final String PLUGIN_DIR_PROP_NAME = "cryptomator.pluginDir";
-	public static final String TRAY_ICON_PROP_NAME = "cryptomator.showTrayIcon";
-	public static final String DISABLE_UPDATE_CHECK_PROP_NAME = "cryptomator.disableUpdateCheck";
-	public static final String HUB_ALLOWED_HOSTS_PROP_NAME = "cryptomator.hub.allowedHosts";
-	public static final String HUB_TOFU_PROP_NAME = "cryptomator.hub.enableTrustOnFirstUse";
+	private static final String SETTINGS_PATH_PROP_NAME = "cryptomator.settingsPath";
+	private static final String IPC_SOCKET_PATH_PROP_NAME = "cryptomator.ipcSocketPath";
+	private static final String KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.keychainPaths";
+	private static final String WINDOWS_HELLO_KEYCHAIN_PATHS_PROP_NAME = "cryptomator.integrationsWin.windowsHelloKeychainPaths";
+	private static final String P12_PATH_PROP_NAME = "cryptomator.p12Path";
+	private static final String LOG_DIR_PROP_NAME = "cryptomator.logDir";
+	private static final String LOOPBACK_ALIAS_PROP_NAME = "cryptomator.loopbackAlias";
+	private static final String MOUNTPOINT_DIR_PROP_NAME = "cryptomator.mountPointsDir";
+	private static final String MIN_PW_LENGTH_PROP_NAME = "cryptomator.minPwLength";
+	private static final String APP_VERSION_PROP_NAME = "cryptomator.appVersion";
+	private static final String BUILD_NUMBER_PROP_NAME = "cryptomator.buildNumber";
+	private static final String PLUGIN_DIR_PROP_NAME = "cryptomator.pluginDir";
+	private static final String TRAY_ICON_PROP_NAME = "cryptomator.showTrayIcon";
+	private static final String DISABLE_UPDATE_CHECK_PROP_NAME = "cryptomator.disableUpdateCheck";

 	private Environment() {}

@@ -62,8 +57,6 @@ public class Environment {
 		logCryptomatorSystemProperty(PLUGIN_DIR_PROP_NAME);
 		logCryptomatorSystemProperty(TRAY_ICON_PROP_NAME);
 		logCryptomatorSystemProperty(DISABLE_UPDATE_CHECK_PROP_NAME);
-		logCryptomatorSystemProperty(HUB_ALLOWED_HOSTS_PROP_NAME);
-		logCryptomatorSystemProperty(HUB_TOFU_PROP_NAME);
 	}

 	public static Environment getInstance() {
@@ -131,15 +124,6 @@ public class Environment {
 		return Optional.ofNullable(System.getProperty(BUILD_NUMBER_PROP_NAME));
 	}

-	/**
-	 * Returns the app version concatenated with the build number (if defined).
-	 *
-	 * @return version string formatted like {@code 1.2.3-4567} or {@code 1.2.3} if no build number is defined.
-	 */
-	public String getAppVersionWithBuildNumber() {
-		return getAppVersion() + getBuildNumber().map("-"::concat).orElse("");
-	}
-
 	public Optional<Path> getPluginDir() {
 		return getPath(PLUGIN_DIR_PROP_NAME);
 	}
@@ -152,18 +136,6 @@ public class Environment {
 		return Boolean.getBoolean(DISABLE_UPDATE_CHECK_PROP_NAME);
 	}

-	public Set<String> hubAllowedHosts() {
-		var allowedHubHostsString = System.getProperty(HUB_ALLOWED_HOSTS_PROP_NAME, "");
-		return Arrays.stream(allowedHubHostsString.split(","))
-				.map(String::trim)
-				.filter(Predicate.not(String::isEmpty))
-				.collect(Collectors.toUnmodifiableSet());
-	}
-
-	public boolean hubTrustOnFirstUse() {
-		return Boolean.getBoolean(HUB_TOFU_PROP_NAME);
-	}
-
 	private Optional<Path> getPath(String propertyName) {
 		String value = System.getProperty(propertyName);
 		return Optional.ofNullable(value).map(Paths::get);
--- a/src/main/java/org/cryptomator/common/EventMap.java
+++ b/src/main/java/org/cryptomator/common/EventMap.java
@@ -0,0 +1,160 @@
+package org.cryptomator.common;
+
+import org.cryptomator.cryptofs.event.BrokenDirFileEvent;
+import org.cryptomator.cryptofs.event.BrokenFileNodeEvent;
+import org.cryptomator.cryptofs.event.ConflictResolutionFailedEvent;
+import org.cryptomator.cryptofs.event.ConflictResolvedEvent;
+import org.cryptomator.cryptofs.event.DecryptionFailedEvent;
+import org.cryptomator.cryptofs.event.FilesystemEvent;
+import org.cryptomator.event.VaultEvent;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import javafx.beans.InvalidationListener;
+import javafx.collections.FXCollections;
+import javafx.collections.MapChangeListener;
+import javafx.collections.ObservableMap;
+import java.nio.file.Path;
+import java.util.Collection;
+import java.util.Comparator;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Map containing {@link VaultEvent}s.
+ * The map is keyed by the ciphertext path of the affected resource _and_ the {@link FilesystemEvent}s class in order to group same events
+ * <p>
+ * Use {@link EventMap#put(VaultEvent)} to add an element and {@link EventMap#remove(VaultEvent)} to remove it.
+ * <p>
+ * The map is size restricted to {@value MAX_SIZE} elements. If a _new_ element (i.e. not already present) is added, the least recently added is removed.
+ */
+@Singleton
+public class EventMap implements ObservableMap<EventMap.EventKey, VaultEvent> {
+
+	private static final int MAX_SIZE = 300;
+
+	public record EventKey(Path ciphertextPath, Class<? extends FilesystemEvent> c) {}
+
+	private final ObservableMap<EventMap.EventKey, VaultEvent> delegate;
+
+	@Inject
+	public EventMap() {
+		delegate = FXCollections.observableHashMap();
+	}
+
+	@Override
+	public void addListener(MapChangeListener<? super EventKey, ? super VaultEvent> mapChangeListener) {
+		delegate.addListener(mapChangeListener);
+	}
+
+	@Override
+	public void removeListener(MapChangeListener<? super EventKey, ? super VaultEvent> mapChangeListener) {
+		delegate.removeListener(mapChangeListener);
+	}
+
+	@Override
+	public int size() {
+		return delegate.size();
+	}
+
+	@Override
+	public boolean isEmpty() {
+		return delegate.isEmpty();
+	}
+
+	@Override
+	public boolean containsKey(Object key) {
+		return delegate.containsKey(key);
+	}
+
+	@Override
+	public boolean containsValue(Object value) {
+		return delegate.containsValue(value);
+	}
+
+	@Override
+	public VaultEvent get(Object key) {
+		return delegate.get(key);
+	}
+
+	@Override
+	public @Nullable VaultEvent put(EventKey key, VaultEvent value) {
+		return delegate.put(key, value);
+	}
+
+	@Override
+	public VaultEvent remove(Object key) {
+		return delegate.remove(key);
+	}
+
+	@Override
+	public void putAll(@NotNull Map<? extends EventKey, ? extends VaultEvent> m) {
+		delegate.putAll(m);
+	}
+
+	@Override
+	public void clear() {
+		delegate.clear();
+	}
+
+	@Override
+	public @NotNull Set<EventKey> keySet() {
+		return delegate.keySet();
+	}
+
+	@Override
+	public @NotNull Collection<VaultEvent> values() {
+		return delegate.values();
+	}
+
+	@Override
+	public @NotNull Set<Entry<EventKey, VaultEvent>> entrySet() {
+		return delegate.entrySet();
+	}
+
+	@Override
+	public void addListener(InvalidationListener invalidationListener) {
+		delegate.addListener(invalidationListener);
+	}
+
+	@Override
+	public void removeListener(InvalidationListener invalidationListener) {
+		delegate.removeListener(invalidationListener);
+	}
+
+	public synchronized void put(VaultEvent e) {
+		//compute key
+		var key = computeKey(e.actualEvent());
+		//if-else
+		var nullOrEntry = delegate.get(key);
+		if (nullOrEntry == null) {
+			if (size() == MAX_SIZE) {
+				delegate.entrySet().stream() //
+						.min(Comparator.comparing(entry -> entry.getValue().actualEvent().getTimestamp())) //
+						.ifPresent(oldestEntry -> delegate.remove(oldestEntry.getKey()));
+			}
+			delegate.put(key, e);
+		} else {
+			delegate.put(key, nullOrEntry.incrementCount(e.actualEvent()));
+		}
+	}
+
+	public synchronized VaultEvent remove(VaultEvent similar) {
+		//compute key
+		var key = computeKey(similar.actualEvent());
+		return this.remove(key);
+	}
+
+	private EventKey computeKey(FilesystemEvent e) {
+		var p = switch (e) {
+			case DecryptionFailedEvent(_, Path ciphertextPath, _) -> ciphertextPath;
+			case ConflictResolvedEvent(_, _, _, _, Path resolvedCiphertext) -> resolvedCiphertext;
+			case ConflictResolutionFailedEvent(_, _, Path conflictingCiphertext, _) -> conflictingCiphertext;
+			case BrokenDirFileEvent(_, Path ciphertext) -> ciphertext;
+			case BrokenFileNodeEvent(_, _, Path ciphertext) -> ciphertext;
+		};
+		return new EventKey(p, e.getClass());
+	}
+}
--- a/src/main/java/org/cryptomator/common/FilesystemOwnerSupplier.java
+++ b/src/main/java/org/cryptomator/common/FilesystemOwnerSupplier.java
@@ -1,18 +0,0 @@
-package org.cryptomator.common;
-
-import java.util.function.Supplier;
-
-/**
- * Interface marking a class to be used in {@link org.cryptomator.cryptofs.CryptoFileSystemProperties.Builder#withOwnerGetter(Supplier)}.
- */
-@FunctionalInterface
-public interface FilesystemOwnerSupplier {
-
-	/**
-	 * Get the filesystem owner.
-	 *
-	 * @return the filesystem owner
-	 */
-	String getOwner();
-
-}
--- a/src/main/java/org/cryptomator/common/SemVerComparator.java
+++ b/src/main/java/org/cryptomator/common/SemVerComparator.java
@@ -0,0 +1,81 @@
+/*******************************************************************************
+ * Copyright (c) 2016, 2017 Sebastian Stenzel and others.
+ * All rights reserved.
+ * This program and the accompanying materials are made available under the terms of the accompanying LICENSE file.
+ *
+ * Contributors:
+ *     Sebastian Stenzel - initial API and implementation
+ *******************************************************************************/
+package org.cryptomator.common;
+
+import org.apache.commons.lang3.StringUtils;
+
+import java.util.Comparator;
+
+/**
+ * Compares version strings according to <a href="http://semver.org/spec/v2.0.0.html">SemVer 2.0.0</a>.
+ */
+public class SemVerComparator implements Comparator<String> {
+
+	private static final char VERSION_SEP = '.'; // http://semver.org/spec/v2.0.0.html#spec-item-2
+	private static final String PRE_RELEASE_SEP = "-"; // http://semver.org/spec/v2.0.0.html#spec-item-9
+	private static final String BUILD_SEP = "+"; // http://semver.org/spec/v2.0.0.html#spec-item-10
+
+	@Override
+	public int compare(String version1, String version2) {
+		// "Build metadata SHOULD be ignored when determining version precedence.
+		// Thus two versions that differ only in the build metadata, have the same precedence."
+		String v1WithoutBuildMetadata = StringUtils.substringBefore(version1, BUILD_SEP);
+		String v2WithoutBuildMetadata = StringUtils.substringBefore(version2, BUILD_SEP);
+
+		if (v1WithoutBuildMetadata.equals(v2WithoutBuildMetadata)) {
+			return 0;
+		}
+
+		String v1MajorMinorPatch = StringUtils.substringBefore(v1WithoutBuildMetadata, PRE_RELEASE_SEP);
+		String v2MajorMinorPatch = StringUtils.substringBefore(v2WithoutBuildMetadata, PRE_RELEASE_SEP);
+		String v1PreReleaseVersion = StringUtils.substringAfter(v1WithoutBuildMetadata, PRE_RELEASE_SEP);
+		String v2PreReleaseVersion = StringUtils.substringAfter(v2WithoutBuildMetadata, PRE_RELEASE_SEP);
+		return compare(v1MajorMinorPatch, v1PreReleaseVersion, v2MajorMinorPatch, v2PreReleaseVersion);
+	}
+
+	private int compare(String v1MajorMinorPatch, String v1PreReleaseVersion, String v2MajorMinorPatch, String v2PreReleaseVersion) {
+		int comparisonResult = compareNumericallyThenLexicographically(v1MajorMinorPatch, v2MajorMinorPatch);
+		if (comparisonResult == 0) {
+			if (v1PreReleaseVersion.isEmpty()) {
+				return 1; // 1.0.0 > 1.0.0-BETA
+			} else if (v2PreReleaseVersion.isEmpty()) {
+				return -1; // 1.0.0-BETA < 1.0.0
+			} else {
+				return compareNumericallyThenLexicographically(v1PreReleaseVersion, v2PreReleaseVersion);
+			}
+		} else {
+			return comparisonResult;
+		}
+	}
+
+	private int compareNumericallyThenLexicographically(String version1, String version2) {
+		final String[] vComps1 = StringUtils.split(version1, VERSION_SEP);
+		final String[] vComps2 = StringUtils.split(version2, VERSION_SEP);
+		final int commonCompCount = Math.min(vComps1.length, vComps2.length);
+
+		for (int i = 0; i < commonCompCount; i++) {
+			int subversionComparisonResult = 0;
+			try {
+				final int v1 = Integer.parseInt(vComps1[i]);
+				final int v2 = Integer.parseInt(vComps2[i]);
+				subversionComparisonResult = v1 - v2;
+			} catch (NumberFormatException ex) {
+				// ok, lets compare this fragment lexicographically
+				subversionComparisonResult = vComps1[i].compareTo(vComps2[i]);
+			}
+			if (subversionComparisonResult != 0) {
+				return subversionComparisonResult;
+			}
+		}
+
+		// all in common so far? longest version string is considered the higher version:
+		return vComps1.length - vComps2.length;
+	}
+
+}
--- a/src/main/java/org/cryptomator/common/SubstitutingProperties.java
+++ b/src/main/java/org/cryptomator/common/SubstitutingProperties.java
@@ -1,7 +1,7 @@
 package org.cryptomator.common;

 import org.jetbrains.annotations.VisibleForTesting;
-import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

 import java.util.Map;
 import java.util.Properties;
@@ -13,12 +13,10 @@ public class SubstitutingProperties extends PropertiesDecorator {
 	private static final Pattern TEMPLATE = Pattern.compile("@\\{(\\w+)}");

 	private final Map<String, String> env;
-	private final Logger logger;

-	public SubstitutingProperties(Properties props, Map<String, String> systemEnvironment, Logger logger) {
+	public SubstitutingProperties(Properties props, Map<String, String> systemEnvironment) {
 		super(props);
 		this.env = systemEnvironment;
-		this.logger = logger;
 	}

 	@Override
@@ -46,7 +44,7 @@ public class SubstitutingProperties extends PropertiesDecorator {
 					case "localappdata" -> resolveFrom("LOCALAPPDATA", Source.ENV);
 					case "userhome" -> resolveFrom("user.home", Source.PROPS);
 					default -> {
-						logger.warn("Unknown variable {} in property value {}.", match.group(), value);
+						LoggerFactory.getLogger(SubstitutingProperties.class).warn("Unknown variable {} in property value {}.", match.group(), value);
 						yield match.group();
 					}
 				});
@@ -58,7 +56,7 @@ public class SubstitutingProperties extends PropertiesDecorator {
 			case PROPS -> delegate.getProperty(key);
 		};
 		if (val == null) {
-			logger.warn("Variable {} used for substitution not found in {}. Replaced with empty string.", key, src);
+			LoggerFactory.getLogger(SubstitutingProperties.class).warn("Variable {} used for substitution not found in {}. Replaced with empty string.", key, src);
 			return "";
 		} else {
 			return Matcher.quoteReplacement(val);
--- a/src/main/java/org/cryptomator/common/mount/Mounter.java
+++ b/src/main/java/org/cryptomator/common/mount/Mounter.java
@@ -167,7 +167,6 @@ public class Mounter {
 		usedMountServices.add(mountService);

 		var builder = mountService.forFileSystem(cryptoFsRoot);
-		LOG.debug("Using mount service {} for mounting vault {}", mountService.getClass().getName(), vaultSettings.displayName);
 		var internal = new SettledMounter(mountService, builder, vaultSettings); // FIXME: no need for an inner class
 		var cleanup = internal.prepare();
 		return new MountHandle(builder.mount(), mountService.hasCapability(UNMOUNT_FORCED), cleanup);
--- a/src/main/java/org/cryptomator/common/recovery/MasterkeyService.java
+++ b/src/main/java/org/cryptomator/common/recovery/MasterkeyService.java
@@ -61,7 +61,6 @@ public final class MasterkeyService {
 			Optional<Path> c9rFile = paths //
 					.filter(p -> p.toString().endsWith(".c9r")) //
 					.filter(p -> !p.endsWith("dir.c9r")) //
-					.filter(Files::isRegularFile) //
 					.findFirst();
 			if (c9rFile.isEmpty()) {
 				LOG.info("Unable to detect Crypto scheme: No *.c9r file found in {}", vaultPath);
--- a/src/main/java/org/cryptomator/common/settings/Settings.java
+++ b/src/main/java/org/cryptomator/common/settings/Settings.java
@@ -24,12 +24,11 @@ import javafx.beans.property.SimpleStringProperty;
 import javafx.beans.property.StringProperty;
 import javafx.collections.FXCollections;
 import javafx.collections.ObservableList;
-import javafx.collections.ObservableSet;
 import javafx.geometry.NodeOrientation;
+
 import java.nio.file.Path;
 import java.time.Instant;
-import java.util.HashSet;
-import java.util.Set;
+import java.util.function.Consumer;

 public class Settings {

@@ -54,7 +53,6 @@ public class Settings {
 	static final String DEFAULT_USER_INTERFACE_ORIENTATION = NodeOrientation.LEFT_TO_RIGHT.name();
 	public static final Instant DEFAULT_TIMESTAMP = Instant.parse("2000-01-01T00:00:00Z");

-	private final SettingsProvider provider;
 	public final ObservableList<VaultSettings> directories;
 	public final BooleanProperty startHidden;
 	public final BooleanProperty autoCloseVaults;
@@ -80,13 +78,13 @@ public class Settings {
 	public final ObjectProperty<Instant> lastUpdateCheckReminder;
 	public final ObjectProperty<Instant> lastSuccessfulUpdateCheck;
 	public final ObjectProperty<Path> previouslyUsedVaultDirectory;
-	public final StringProperty lastUpdateAttemptedByVersion;
-	public final ObservableSet<String> trustedHosts;

-	public static Settings create(SettingsProvider provider, Environment env) {
+	private Consumer<Settings> saveCmd;
+
+	public static Settings create(Environment env) {
 		var defaults = new SettingsJson();
 		defaults.showTrayIcon = env.showTrayIcon();
-		return new Settings(provider, defaults);
+		return new Settings(defaults);
 	}

 	/**
@@ -94,8 +92,7 @@ public class Settings {
 	 *
 	 * @param json The parsed settings.json
 	 */
-	Settings(SettingsProvider provider, SettingsJson json) {
-		this.provider = provider;
+	Settings(SettingsJson json) {
 		this.directories = FXCollections.observableArrayList(VaultSettings::observables);
 		this.startHidden = new SimpleBooleanProperty(this, "startHidden", json.startHidden);
 		this.autoCloseVaults = new SimpleBooleanProperty(this, "autoCloseVaults", json.autoCloseVaults);
@@ -121,8 +118,6 @@ public class Settings {
 		this.lastUpdateCheckReminder = new SimpleObjectProperty<>(this, "lastUpdateCheckReminder", json.lastReminderForUpdateCheck);
 		this.lastSuccessfulUpdateCheck = new SimpleObjectProperty<>(this, "lastSuccessfulUpdateCheck", json.lastSuccessfulUpdateCheck);
 		this.previouslyUsedVaultDirectory = new SimpleObjectProperty<>(this, "previouslyUsedVaultDirectory", json.previouslyUsedVaultDirectory);
-		this.lastUpdateAttemptedByVersion = new SimpleStringProperty(this, "lastUpdateAttemptedByVersion", json.lastUpdateAttemptedByVersion);
-		this.trustedHosts = FXCollections.observableSet(json.trustedHosts);

 		this.directories.addAll(json.directories.stream().map(VaultSettings::new).toList());

@@ -153,12 +148,15 @@ public class Settings {
 		lastUpdateCheckReminder.addListener(this::somethingChanged);
 		lastSuccessfulUpdateCheck.addListener(this::somethingChanged);
 		previouslyUsedVaultDirectory.addListener(this::somethingChanged);
-		lastUpdateAttemptedByVersion.addListener(this::somethingChanged);
-		trustedHosts.addListener(this::somethingChanged);
 	}

 	@SuppressWarnings("deprecation")
 	private void migrateLegacySettings(SettingsJson json) {
+		// migrate renamed keychainAccess
+		if(this.keychainProvider.getValueSafe().equals("org.cryptomator.linux.keychain.SecretServiceKeychainAccess")) {
+			this.keychainProvider.setValue("org.cryptomator.linux.keychain.GnomeKeyringKeychainAccess");
+		}
+
 		// implicit migration of 1.6.x legacy setting "preferredVolumeImpl":
 		if (this.mountService.get() == null && json.preferredVolumeImpl != null) {
 			this.mountService.set(switch (json.preferredVolumeImpl) {
@@ -212,8 +210,6 @@ public class Settings {
 		json.lastReminderForUpdateCheck = lastUpdateCheckReminder.get();
 		json.lastSuccessfulUpdateCheck = lastSuccessfulUpdateCheck.get();
 		json.previouslyUsedVaultDirectory = previouslyUsedVaultDirectory.get();
-		json.lastUpdateAttemptedByVersion = lastUpdateAttemptedByVersion.get();
-		json.trustedHosts = Set.copyOf(trustedHosts);
 		return json;
 	}

@@ -226,12 +222,20 @@ public class Settings {
 		}
 	}

-	private void somethingChanged(@SuppressWarnings("unused") Observable observable) {
-		provider.scheduleSave(this);
+
+	// TODO rename to setChangeListener
+	void setSaveCmd(Consumer<Settings> saveCmd) {
+		this.saveCmd = saveCmd;
 	}

-	public void saveNow() {
-		provider.saveNow(this);
+	private void somethingChanged(@SuppressWarnings("unused") Observable observable) {
+		this.save();
+	}
+
+	void save() {
+		if (saveCmd != null) {
+			saveCmd.accept(this);
+		}
 	}

 }
--- a/src/main/java/org/cryptomator/common/settings/SettingsJson.java
+++ b/src/main/java/org/cryptomator/common/settings/SettingsJson.java
@@ -4,23 +4,17 @@ import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.annotation.JsonSetter;
-import com.fasterxml.jackson.annotation.Nulls;

 import java.nio.file.Path;
 import java.time.Instant;
-import java.util.ArrayList;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Set;

@JsonIgnoreProperties(ignoreUnknown = true)
@JsonInclude(JsonInclude.Include.NON_NULL)
 class SettingsJson {

 	@JsonProperty("directories")
-	@JsonSetter(nulls = Nulls.AS_EMPTY)
-	List<VaultSettingsJson> directories = new ArrayList<>();
+	List<VaultSettingsJson> directories = List.of();

 	@JsonProperty("writtenByVersion")
 	String writtenByVersion;
@@ -102,11 +96,4 @@ class SettingsJson {

 	@JsonProperty("previouslyUsedVaultDirectory")
 	Path previouslyUsedVaultDirectory;
-
-	@JsonProperty("lastUpdateAttemptedByVersion")
-	String lastUpdateAttemptedByVersion;
-
-	@JsonProperty("trustedHosts")
-	@JsonSetter(nulls = Nulls.AS_EMPTY)
-	Set<String> trustedHosts = new HashSet<>();
 }
--- a/src/main/java/org/cryptomator/common/settings/SettingsProvider.java
+++ b/src/main/java/org/cryptomator/common/settings/SettingsProvider.java
@@ -26,9 +26,7 @@ import java.nio.file.NoSuchFileException;
 import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
 import java.nio.file.StandardOpenOption;
-import java.util.concurrent.CompletableFuture;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.Future;
+import java.util.Optional;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
@@ -63,7 +61,8 @@ public class SettingsProvider implements Supplier<Settings> {
 		Settings settings = env.getSettingsPath() //
 				.flatMap(this::tryLoad) //
 				.findFirst() //
-				.orElseGet(() -> Settings.create(this, env));
+				.orElseGet(() -> Settings.create(env));
+		settings.setSaveCmd(this::scheduleSave);
 		return settings;
 	}

@@ -72,7 +71,7 @@ public class SettingsProvider implements Supplier<Settings> {
 		try (InputStream in = Files.newInputStream(path, StandardOpenOption.READ)) {
 			var json = JSON.reader().readValue(in, SettingsJson.class);
 			LOG.info("Settings loaded from {}", path);
-			var settings = new Settings(this, json);
+			var settings = new Settings(json);
 			return Stream.of(settings);
 		} catch (JacksonException e) {
 			LOG.warn("Failed to parse json file {}", path, e);
@@ -85,33 +84,19 @@ public class SettingsProvider implements Supplier<Settings> {
 		}
 	}

-	void saveNow(Settings settings) {
-		try {
-			scheduleSave(settings, 0L).get();
-		} catch (InterruptedException e) {
-			Thread.currentThread().interrupt();
-			LOG.error("Saving settings was interrupted.", e);
-		} catch (ExecutionException e) {
-			LOG.error("Unexpected exception while saving.", e);
-		}
-	}
-
-	void scheduleSave(Settings settings) {
-		scheduleSave(settings, SAVE_DELAY_MS);
-	}
-
-	private Future<?> scheduleSave(Settings settings, long delayMillis) {
+	private void scheduleSave(Settings settings) {
 		if (settings == null) {
-			return CompletableFuture.completedFuture(null);
+			return;
 		}
-		final Path settingsPath = env.getSettingsPath().findFirst().orElseThrow(); // always save to preferred (first) path
-		Runnable saveCommand = () -> this.save(settings, settingsPath);
-		ScheduledFuture<?> scheduledTask = scheduler.schedule(saveCommand, delayMillis, TimeUnit.MILLISECONDS);
-		ScheduledFuture<?> previouslyScheduledTask = scheduledSaveCmd.getAndSet(scheduledTask);
-		if (previouslyScheduledTask != null) {
-			previouslyScheduledTask.cancel(false);
-		}
-		return scheduledTask;
+		final Optional<Path> settingsPath = env.getSettingsPath().findFirst(); // always save to preferred (first) path
+		settingsPath.ifPresent(path -> {
+			Runnable saveCommand = () -> this.save(settings, path);
+			ScheduledFuture<?> scheduledTask = scheduler.schedule(saveCommand, SAVE_DELAY_MS, TimeUnit.MILLISECONDS);
+			ScheduledFuture<?> previouslyScheduledTask = scheduledSaveCmd.getAndSet(scheduledTask);
+			if (previouslyScheduledTask != null) {
+				previouslyScheduledTask.cancel(false);
+			}
+		});
 	}

 	private void save(Settings settings, Path settingsPath) {
@@ -122,7 +107,7 @@ public class SettingsProvider implements Supplier<Settings> {
 			Path tmpPath = settingsPath.resolveSibling(settingsPath.getFileName().toString() + ".tmp");
 			try (OutputStream out = Files.newOutputStream(tmpPath, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.WRITE)) {
 				var jsonObj = settings.serialized();
-				jsonObj.writtenByVersion = env.getAppVersionWithBuildNumber();
+				jsonObj.writtenByVersion = env.getAppVersion() + env.getBuildNumber().map("-"::concat).orElse("");
 				JSON.writerWithDefaultPrettyPrinter().writeValue(out, jsonObj);
 			}
 			Files.move(tmpPath, settingsPath, StandardCopyOption.REPLACE_EXISTING);
--- a/src/main/java/org/cryptomator/common/settings/UiTheme.java
+++ b/src/main/java/org/cryptomator/common/settings/UiTheme.java
@@ -10,6 +10,14 @@ public enum UiTheme {
 	DARK("preferences.interface.theme.dark"), //
 	AUTOMATIC("preferences.interface.theme.automatic");

+	public static UiTheme[] applicableValues() {
+		if (SystemUtils.IS_OS_MAC || SystemUtils.IS_OS_WINDOWS) {
+			return values();
+		} else {
+			return new UiTheme[]{LIGHT, DARK};
+		}
+	}
+
 	private final String displayName;

 	UiTheme(String displayName) {
--- a/src/main/java/org/cryptomator/common/vaults/Vault.java
+++ b/src/main/java/org/cryptomator/common/vaults/Vault.java
@@ -10,7 +10,7 @@ package org.cryptomator.common.vaults;

 import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.common.Constants;
-import org.cryptomator.common.FilesystemOwnerSupplier;
+import org.cryptomator.event.FileSystemEventAggregator;
 import org.cryptomator.common.mount.Mounter;
 import org.cryptomator.common.settings.Settings;
 import org.cryptomator.common.settings.VaultSettings;
@@ -23,8 +23,6 @@ import org.cryptomator.cryptofs.event.FilesystemEvent;
 import org.cryptomator.cryptolib.api.CryptoException;
 import org.cryptomator.cryptolib.api.MasterkeyLoader;
 import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
-import org.cryptomator.event.FileSystemEventAggregator;
-import org.cryptomator.event.NotificationManager;
 import org.cryptomator.integrations.mount.MountFailedException;
 import org.cryptomator.integrations.mount.Mountpoint;
 import org.cryptomator.integrations.mount.UnmountFailedException;
@@ -80,7 +78,6 @@ public class Vault {
 	private final Mounter mounter;
 	private final Settings settings;
 	private final FileSystemEventAggregator fileSystemEventAggregator;
-	private final NotificationManager notificationManager;
 	private final BooleanProperty showingStats;

 	private final AtomicReference<Mounter.MountHandle> mountHandle = new AtomicReference<>(null);
@@ -93,8 +90,7 @@ public class Vault {
 		  @Named("lastKnownException") ObjectProperty<Exception> lastKnownException, //
 		  VaultStats stats, //
 		  Mounter mounter, Settings settings, //
-		  FileSystemEventAggregator fileSystemEventAggregator, //
-		  NotificationManager notificationManager) {
+		  FileSystemEventAggregator fileSystemEventAggregator) {
 		this.vaultSettings = vaultSettings;
 		this.configCache = configCache;
 		this.cryptoFileSystem = cryptoFileSystem;
@@ -113,7 +109,6 @@ public class Vault {
 		this.mounter = mounter;
 		this.settings = settings;
 		this.fileSystemEventAggregator = fileSystemEventAggregator;
-		this.notificationManager = notificationManager;
 		this.showingStats = new SimpleBooleanProperty(false);
 		this.quickAccessEntry = new AtomicReference<>(null);
 	}
@@ -150,17 +145,14 @@ public class Vault {
 			LOG.warn("Limiting cleartext filename length on this device to {}.", vaultSettings.maxCleartextFilenameLength.get());
 		}

-		var fsPropsBuilder = CryptoFileSystemProperties.cryptoFileSystemProperties() //
+		CryptoFileSystemProperties fsProps = CryptoFileSystemProperties.cryptoFileSystemProperties() //
 				.withKeyLoader(keyLoader) //
 				.withFlags(flags) //
 				.withMaxCleartextNameLength(vaultSettings.maxCleartextFilenameLength.get()) //
 				.withVaultConfigFilename(Constants.VAULTCONFIG_FILENAME) //
-				.withFilesystemEventConsumer(this::consumeVaultEvent);
-		if (keyLoader instanceof FilesystemOwnerSupplier oo) {
-			fsPropsBuilder.withOwnerGetter(oo::getOwner);
-		}
-
-		return CryptoFileSystemProvider.newFileSystem(getPath(), fsPropsBuilder.build());
+				.withFilesystemEventConsumer(this::consumeVaultEvent) //
+				.build();
+		return CryptoFileSystemProvider.newFileSystem(getPath(), fsProps);
 	}

 	private void destroyCryptoFileSystem() {
@@ -270,7 +262,6 @@ public class Vault {

 	private void consumeVaultEvent(FilesystemEvent e) {
 		fileSystemEventAggregator.put(this, e);
-		notificationManager.offer(this, e);
 	}

 	// ******************************************************************************
--- a/src/main/java/org/cryptomator/event/FileSystemEventAggregator.java
+++ b/src/main/java/org/cryptomator/event/FileSystemEventAggregator.java
@@ -6,7 +6,6 @@ import org.cryptomator.cryptofs.event.BrokenFileNodeEvent;
 import org.cryptomator.cryptofs.event.ConflictResolutionFailedEvent;
 import org.cryptomator.cryptofs.event.ConflictResolvedEvent;
 import org.cryptomator.cryptofs.event.DecryptionFailedEvent;
-import org.cryptomator.cryptofs.event.FileIsInUseEvent;
 import org.cryptomator.cryptofs.event.FilesystemEvent;

 import javax.inject.Inject;
@@ -102,7 +101,6 @@ public class FileSystemEventAggregator {
 			case ConflictResolutionFailedEvent(_, _, Path conflictingCiphertext, _) -> conflictingCiphertext;
 			case BrokenDirFileEvent(_, Path ciphertext) -> ciphertext;
 			case BrokenFileNodeEvent(_, _, Path ciphertext) -> ciphertext;
-			case FileIsInUseEvent(_, _, Path ciphertext, _, _, _) -> ciphertext;
 		};
 		return new FSEventBucket(v, p, event.getClass());
 	}
--- a/src/main/java/org/cryptomator/event/NotificationManager.java
+++ b/src/main/java/org/cryptomator/event/NotificationManager.java
@@ -1,85 +0,0 @@
-package org.cryptomator.event;
-
-import com.github.benmanes.caffeine.cache.Cache;
-import com.github.benmanes.caffeine.cache.Caffeine;
-import org.cryptomator.common.vaults.Vault;
-import org.cryptomator.cryptofs.event.FileIsInUseEvent;
-import org.cryptomator.cryptofs.event.FilesystemEvent;
-
-import javax.inject.Inject;
-import javax.inject.Singleton;
-import java.nio.file.Path;
-import java.time.Duration;
-import java.util.List;
-import java.util.concurrent.ConcurrentLinkedQueue;
-import java.util.concurrent.atomic.AtomicBoolean;
-
-/**
- * Manager for notifications.
- * <p>
- * To add (filesystem) events, use method {@link #offer(Vault, FilesystemEvent)}. If the input event is eligible, it is added to an internal queue.
- * An event is eligible, if
- * <ul>
- *     <li>the event should trigger a notification and</li>
- *     <li>it is not added within the last {@value DEBOUNCE_THRESHOLD_SECONDS} seconds</li>
- * </ul>
- *
- * @see org.cryptomator.ui.fxapp.FxNotificationManager
- */
-@Singleton
-public class NotificationManager {
-
-	private static final int DEBOUNCE_THRESHOLD_SECONDS = 5;
-
-	private final Cache<FSEventBucket, FilesystemEvent> debounceCache;
-	private final ConcurrentLinkedQueue<VaultEvent> pendingEvents;
-
-	@Inject
-	public NotificationManager() {
-		debounceCache = Caffeine.newBuilder().expireAfterWrite(Duration.ofSeconds(DEBOUNCE_THRESHOLD_SECONDS)).build();
-		pendingEvents = new ConcurrentLinkedQueue<>();
-	}
-
-	/**
-	 * Offers the given filesystem event to the notification manager.
-	 *
-	 * @param v The vault where the filesystem event happened
-	 * @param e the actual filesystem event
-	 * @return {@code true} if the filesystem event is accepted, otherwise {@code false}.
-	 */
-	public boolean offer(Vault v, FilesystemEvent e) {
-		return switch (e) {
-			case FileIsInUseEvent fiiue -> addEvent(v, fiiue.ciphertextPath(), fiiue);
-			default -> false;
-		};
-	}
-
-	boolean addEvent(Vault v, Path keyPath, FilesystemEvent e) {
-		var key = new FSEventBucket(v, keyPath, e.getClass());
-		var isAdded = new AtomicBoolean(false);
-		debounceCache.asMap().computeIfAbsent(key, _ -> {
-			synchronized (this) {
-				pendingEvents.add(new VaultEvent(v, e));
-				isAdded.set(true);
-			}
-			return e;
-		});
-		return isAdded.get();
-	}
-
-	/**
-	 * Adds all events to the target list and clears afterward the pending-event-queue
-	 *
-	 * @param target list where the filesystem events are copied to
-	 * @return {@code true}, if elements were copied
-	 */
-	public boolean appendToAndClear(List<VaultEvent> target) {
-		//it is not clear, if addAll iterates thread-safe over the pendingEvents
-		//hence we synchronize moving (copy then clear) and adding-single-element operations
-		synchronized (this) {
-			var result = target.addAll(pendingEvents);
-			pendingEvents.clear();
-			return result;
-		}
-	}
-}
--- a/src/main/java/org/cryptomator/event/VaultEvent.java
+++ b/src/main/java/org/cryptomator/event/VaultEvent.java
@@ -3,6 +3,25 @@ package org.cryptomator.event;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.cryptofs.event.FilesystemEvent;

-public record VaultEvent(Vault v, FilesystemEvent actualEvent) {
+import java.time.Instant;

+public record VaultEvent(Vault v, FilesystemEvent actualEvent, int count) implements Comparable<VaultEvent> {
+
+	public VaultEvent(Vault v, FilesystemEvent actualEvent) {
+		this(v, actualEvent, 1);
+	}
+
+	@Override
+	public int compareTo(VaultEvent other) {
+		var timeResult = actualEvent.getTimestamp().compareTo(other.actualEvent().getTimestamp());
+		if(timeResult != 0) {
+			return timeResult;
+		} else {
+			return this.equals(other) ? 0 : this.actualEvent.getClass().getName().compareTo(other.actualEvent.getClass().getName());
+		}
+	}
+
+	public VaultEvent incrementCount(FilesystemEvent update) {
+		return new VaultEvent(v, update, count+1);
+	}
 }
--- a/src/main/java/org/cryptomator/launcher/AdminPropertiesFactory.java
+++ b/src/main/java/org/cryptomator/launcher/AdminPropertiesFactory.java
@@ -1,101 +0,0 @@
-package org.cryptomator.launcher;
-
-import org.slf4j.Logger;
-
-import java.io.IOException;
-import java.io.Reader;
-import java.nio.channels.Channels;
-import java.nio.channels.FileChannel;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.NoSuchFileException;
-import java.nio.file.Path;
-import java.nio.file.StandardOpenOption;
-import java.util.Properties;
-import java.util.Set;
-
-/**
- * Factory to generate admin properties.
- *
- * <p>
- * Admin properties are {@link Properties} using system properties as defaults, but allow overwriting a specific set of properties with an external config file.
- * Those properties are created by calling {@link #create()}. The method first reads system property {@value #ADMIN_PROP_FILE_KEY}. If it contains a path to a valid properties file, all overridable properties from the file are loaded into the returned admin properties.
- * <p>
- * The overridable properties are:
- * <ul>
- *     <li>cryptomator.logDir</li>
- *     <li>cryptomator.pluginDir</li>
- *     <li>cryptomator.p12Path</li>
- *     <li>cryptomator.mountPointsDir</li>
- *     <li>cryptomator.disableUpdateCheck</li>
- *     <li>cryptomator.hub.allowedHosts</li>
- *     <li>cryptomator.hub.enableTrustOnFirstUse</li>
- * </ul>
- *
- * @see Properties
- * @see System#getProperties()
- */
-class AdminPropertiesFactory {
-
-	private static final Logger LOG = EventualLogger.INSTANCE;
-	private static final long MAX_CONFIG_SIZE_BYTES = 8192;
-	private static final String ADMIN_PROP_FILE_KEY = "cryptomator.adminConfigPath";
-	private static final Set<String> ALLOWED_OVERRIDES = Set.of( //
-			"cryptomator.logDir", //
-			"cryptomator.pluginDir", //
-			"cryptomator.p12Path", //
-			"cryptomator.mountPointsDir", //
-			"cryptomator.disableUpdateCheck", //
- 			"cryptomator.hub.allowedHosts", //
-			"cryptomator.hub.enableTrustOnFirstUse");
-
-
-	/**
-	 * Creates new {@link Properties} containing overridable properties from the admin config.
-	 * <p>
-	 * The returned properties object uses as default the {@link System} properties.
-	 * For a list of overridable properties, see {@link AdminPropertiesFactory}
-	 *
-	 * @return {@link Properties} containing overridable properties from the admin config and defaulting to system properties.
-	 */
-	static Properties create() {
-		var systemProps = System.getProperties();
-		var adminProps = new Properties(systemProps);
-
-		final String adminCfgPath = System.getProperty(ADMIN_PROP_FILE_KEY);
-		if (adminCfgPath == null) {
-			LOG.debug("Admin config property is not defined. Skipping.");
-			return adminProps;
-		}
-		var propsFromFile = loadPropertiesFromFile(Path.of(adminCfgPath));
-
-		for (var key : propsFromFile.stringPropertyNames()) {
-			if (ALLOWED_OVERRIDES.contains(key)) {
-				var value = propsFromFile.getProperty(key);
-				LOG.info("Overwriting {} with value {} from admin config.", key, value);
-				adminProps.setProperty(key, value);
-			} else {
-				LOG.debug("Property {} in admin config is not supported for override.", key);
-			}
-		}
-		return adminProps;
-	}
-
-	//visible for testing
-	static Properties loadPropertiesFromFile(Path adminPropertiesPath) {
-		var adminProps = new Properties();
-		try (FileChannel ch = FileChannel.open(adminPropertiesPath, StandardOpenOption.READ); //
-			 Reader reader = Channels.newReader(ch, StandardCharsets.UTF_8)) {
-			if (ch.size() > MAX_CONFIG_SIZE_BYTES) {
-				throw new IOException("Config file %s exceeds maximum size of %d".formatted(adminPropertiesPath, MAX_CONFIG_SIZE_BYTES));
-			}
-			adminProps.load(reader);
-		} catch (NoSuchFileException _) {
-			//NO-OP
-			LOG.debug("No admin properties found at {}.", adminPropertiesPath);
-		} catch (IOException | IllegalArgumentException e) {
-			LOG.warn("Failed to read administrative properties from {}. Returning empty properties.", adminPropertiesPath, e);
-		}
-		return adminProps;
-	}
-
-}
--- a/src/main/java/org/cryptomator/launcher/Cryptomator.java
+++ b/src/main/java/org/cryptomator/launcher/Cryptomator.java
@@ -11,9 +11,9 @@ import org.apache.commons.lang3.SystemUtils;
 import org.cryptomator.common.Environment;
 import org.cryptomator.common.ShutdownHook;
 import org.cryptomator.common.SubstitutingProperties;
+import org.cryptomator.networking.SSLContextProvider;
 import org.cryptomator.ipc.IpcCommunicator;
 import org.cryptomator.logging.DebugMode;
-import org.cryptomator.networking.SSLContextProvider;
 import org.cryptomator.ui.fxapp.FxApplicationComponent;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -35,8 +35,7 @@ public class Cryptomator {
 	private static final long STARTUP_TIME = System.currentTimeMillis();

 	static {
-		var adminProps = AdminPropertiesFactory.create();
-		var lazyProcessedProps = new SubstitutingProperties(adminProps, System.getenv(), EventualLogger.INSTANCE);
+		var lazyProcessedProps = new SubstitutingProperties(System.getProperties(), System.getenv());
 		System.setProperties(lazyProcessedProps);
 		CRYPTOMATOR_COMPONENT = DaggerCryptomatorComponent.factory().create(STARTUP_TIME);
 		LOG = LoggerFactory.getLogger(Cryptomator.class);
@@ -90,11 +89,10 @@ public class Cryptomator {
 	 * @return Nonzero exit code in case of an error.
 	 */
 	private int run(String[] args) {
-		debugMode.initialize();
-		EventualLogger.INSTANCE.drainTo(LOG);
 		env.log();
 		LOG.debug("Dagger graph initialized after {}ms", System.currentTimeMillis() - STARTUP_TIME);
 		LOG.info("Starting Cryptomator {} on {} {} ({})", env.getAppVersion(), SystemUtils.OS_NAME, SystemUtils.OS_VERSION, SystemUtils.OS_ARCH);
+		debugMode.initialize();
 		supportedLanguages.applyPreferred();
 		changeDefaultSSLContext();
 		/*
--- a/src/main/java/org/cryptomator/launcher/CryptomatorModule.java
+++ b/src/main/java/org/cryptomator/launcher/CryptomatorModule.java
@@ -4,6 +4,7 @@ import dagger.Module;
 import dagger.Provides;
 import org.cryptomator.integrations.autostart.AutoStartProvider;
 import org.cryptomator.integrations.tray.TrayIntegrationProvider;
+import org.cryptomator.integrations.uiappearance.UiAppearanceProvider;
 import org.cryptomator.ui.fxapp.FxApplicationComponent;

 import javax.inject.Named;
@@ -29,6 +30,11 @@ class CryptomatorModule {
 		return new ArrayBlockingQueue<>(10);
 	}

+	@Provides
+	@Singleton
+	static Optional<UiAppearanceProvider> provideAppearanceProvider() {
+		return UiAppearanceProvider.get();
+	}

 	@Provides
 	@Singleton
--- a/src/main/java/org/cryptomator/launcher/EventualLogger.java
+++ b/src/main/java/org/cryptomator/launcher/EventualLogger.java
@@ -1,106 +0,0 @@
-package org.cryptomator.launcher;
-
-import org.slf4j.Logger;
-import org.slf4j.Marker;
-import org.slf4j.event.DefaultLoggingEvent;
-import org.slf4j.event.Level;
-import org.slf4j.event.LoggingEvent;
-import org.slf4j.helpers.AbstractLogger;
-
-import java.util.ArrayDeque;
-import java.util.List;
-import java.util.Objects;
-import java.util.Queue;
-
-class EventualLogger extends AbstractLogger {
-
-	static final EventualLogger INSTANCE = new EventualLogger();
-
-	private final Queue<LoggingEvent> bufferedEvents = new ArrayDeque<>();
-
-	private EventualLogger() {
-	}
-
-	synchronized void drainTo(Logger gutter) {
-		for (var event : bufferedEvents) {
-			var builder = gutter.atLevel(event.getLevel()) //
-					.setCause(event.getThrowable()) //
-					.setMessage(event.getMessage());
-			Objects.requireNonNullElse(event.getArguments(), List.of()).forEach(builder::addArgument);
-			Objects.requireNonNullElse(event.getMarkers(), List.<Marker>of()).forEach(builder::addMarker);
-			builder.log();
-		}
-		bufferedEvents.clear();
-	}
-
-	@Override
-	protected synchronized void handleNormalizedLoggingCall(Level level, Marker marker, String messagePattern, Object[] arguments, Throwable throwable) {
-		var event = new DefaultLoggingEvent(level, this);
-		if (marker != null) {
-			event.addMarker(marker);
-		}
-		event.setMessage(messagePattern);
-		for (var arg : Objects.requireNonNullElse(arguments, new Object[]{})) {
-			event.addArgument(arg);
-		}
-		event.setThrowable(throwable);
-		bufferedEvents.add(event);
-	}
-
-	//Unclear, unused and undocumented method of slf4j, see also https://github.com/qos-ch/slf4j/discussions/348
-	@Override
-	protected String getFullyQualifiedCallerName() {
-		return getClass().getCanonicalName();
-	}
-
-
-	@Override
-	public boolean isTraceEnabled() {
-		return true;
-	}
-
-	@Override
-	public boolean isTraceEnabled(Marker marker) {
-		return true;
-	}
-
-	@Override
-	public boolean isDebugEnabled() {
-		return true;
-	}
-
-	@Override
-	public boolean isDebugEnabled(Marker marker) {
-		return true;
-	}
-
-	@Override
-	public boolean isInfoEnabled() {
-		return true;
-	}
-
-	@Override
-	public boolean isInfoEnabled(Marker marker) {
-		return true;
-	}
-
-	@Override
-	public boolean isWarnEnabled() {
-		return true;
-	}
-
-	@Override
-	public boolean isWarnEnabled(Marker marker) {
-		return true;
-	}
-
-	@Override
-	public boolean isErrorEnabled() {
-		return true;
-	}
-
-	@Override
-	public boolean isErrorEnabled(Marker marker) {
-		return true;
-	}
-}
--- a/src/main/java/org/cryptomator/networking/SSLContextDifferentTrustStoreBase.java
+++ b/src/main/java/org/cryptomator/networking/SSLContextDifferentTrustStoreBase.java
@@ -18,7 +18,7 @@ abstract class SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 	public SSLContext getContext(SecureRandom csprng) throws SSLContextBuildException {
 		try {
 			KeyStore truststore = getTruststore();
-			ensureLoaded(truststore);
+			truststore.load(null, null);

 			TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 			tmf.init(truststore);
@@ -30,13 +30,4 @@ abstract class SSLContextDifferentTrustStoreBase implements SSLContextProvider {
 			throw new SSLContextBuildException(e);
 		}
 	}
-
-	static void ensureLoaded(KeyStore truststore) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
-		try {
-			truststore.aliases();
-		} catch (KeyStoreException e) {
-			// Not initialized yet (e.g. custom KeyStore SPI); initialize without replacing preloaded stores.
-			truststore.load(null, null);
-		}
-	}
 }
--- a/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java
+++ b/src/main/java/org/cryptomator/networking/SSLContextWithWindowsCertStore.java
@@ -1,73 +1,21 @@
 package org.cryptomator.networking;

-import org.cryptomator.common.Nullable;
 import org.cryptomator.integrations.common.OperatingSystem;
-import org.jetbrains.annotations.VisibleForTesting;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;

-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.Provider;
-import java.security.cert.CertificateException;
-import java.util.List;
-import java.util.Properties;

 /**
- * SSLContextProvider for Windows using the Windows certificate store as trust store and the bundled JDK cacerts as fallback
+ * SSLContextProvider for Windows using the Windows certificate store as trust store
 * <p>
 * In order to work, the jdk.crypto.mscapi jmod is needed
 */
@OperatingSystem(OperatingSystem.Value.WINDOWS)
 public class SSLContextWithWindowsCertStore extends SSLContextDifferentTrustStoreBase implements SSLContextProvider {

-	private static final Logger LOG = LoggerFactory.getLogger(SSLContextWithWindowsCertStore.class);
-	private static final String DEFAULT_TRUSTSTORE_PASSWORD = "changeit"; //default JDK cacerts password
-
 	@Override
-	KeyStore getTruststore() throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
-		var windowsKeyStore = KeyStore.getInstance("WINDOWS-ROOT");
-		var jdkKeyStore = getShippedCaCertsStore();
-		if (jdkKeyStore == null) {
-			return windowsKeyStore;
-		}
-
-		ensureLoaded(windowsKeyStore);
-		ensureLoaded(jdkKeyStore);
-		try {
-			CombinedKeyStoreSpi spi = CombinedKeyStoreSpi.create(windowsKeyStore, jdkKeyStore);
-			Provider dummyProvider = new Provider("CombinedKeyStoreProvider", "1.0", "Provides a combined, read-only KeyStore") {};
-			return new KeyStore(spi, dummyProvider, "CombinedKeyStoreProvider") {};
-		} catch (IllegalArgumentException e) {
-			throw new KeyStoreException(e);
-		}
-	}
-
-	@Nullable
-	KeyStore getShippedCaCertsStore() {
-		return getCaCertsStoreByProperties(System.getProperties());
-	}
-
-	//for testability
-	@VisibleForTesting
-	@Nullable
-	KeyStore getCaCertsStoreByProperties(Properties props) {
-		var javaHome = Path.of(props.getProperty("java.home"));
-		var trustStorePassword = props.getProperty("javax.net.ssl.trustStorePassword", DEFAULT_TRUSTSTORE_PASSWORD).toCharArray();
-		for (var candidate : List.of(javaHome.resolve("lib/security/cacerts"), javaHome.resolve("conf/security/cacerts"))) {
-			try {
-				if (Files.isRegularFile(candidate)) {
-					return KeyStore.getInstance(candidate.toFile(), trustStorePassword);
-				}
-			} catch (CertificateException | KeyStoreException | IOException | NoSuchAlgorithmException e) {
-				LOG.info("Unable to load fallback cacerts {} file. Skipping fallback.", candidate, e);
-			}
-		}
-		return null;
+	KeyStore getTruststore() throws KeyStoreException {
+		return KeyStore.getInstance("WINDOWS-ROOT");
 	}

 }
--- a/src/main/java/org/cryptomator/ui/addvaultwizard/ChooseExistingVaultController.java
+++ b/src/main/java/org/cryptomator/ui/addvaultwizard/ChooseExistingVaultController.java
@@ -59,7 +59,7 @@ public class ChooseExistingVaultController implements FxController {
 		this.vault = vault;
 		this.vaultListManager = vaultListManager;
 		this.resourceBundle = resourceBundle;
-		this.screenshot = applicationStyle.appliedAppThemeProperty().map(this::selectScreenshot);
+		this.screenshot = applicationStyle.appliedThemeProperty().map(this::selectScreenshot);
 	}

 	private Image selectScreenshot(Theme theme) {
--- a/src/main/java/org/cryptomator/ui/common/FxmlFile.java
+++ b/src/main/java/org/cryptomator/ui/common/FxmlFile.java
@@ -19,7 +19,6 @@ public enum FxmlFile {
 	HEALTH_START("/fxml/health_start.fxml"), //
 	HEALTH_CHECK_LIST("/fxml/health_check_list.fxml"), //
 	HUB_NO_KEYCHAIN("/fxml/hub_no_keychain.fxml"), //
-	HUB_CHECK_HOST_TRUST("/fxml/hub_check_host_trust.fxml"), //
 	HUB_AUTH_FLOW("/fxml/hub_auth_flow.fxml"), //
 	HUB_INVALID_LICENSE("/fxml/hub_invalid_license.fxml"), //
 	HUB_RECEIVE_KEY("/fxml/hub_receive_key.fxml"), //
@@ -30,7 +29,6 @@ public enum FxmlFile {
 	HUB_REGISTER_FAILED("/fxml/hub_register_failed.fxml"), //
 	HUB_REGISTER_DEVICE("/fxml/hub_register_device.fxml"), //
 	HUB_UNAUTHORIZED_DEVICE("/fxml/hub_unauthorized_device.fxml"), //
-	HUB_UNTRUSTED_HOST("/fxml/hub_untrusted_host.fxml"), //
 	HUB_REQUIRE_ACCOUNT_INIT("/fxml/hub_require_account_init.fxml"), //
 	LOCK_FORCED("/fxml/lock_forced.fxml"), //
 	LOCK_FAILED("/fxml/lock_failed.fxml"), //
@@ -40,7 +38,6 @@ public enum FxmlFile {
 	MIGRATION_RUN("/fxml/migration_run.fxml"), //
 	MIGRATION_START("/fxml/migration_start.fxml"), //
 	MIGRATION_SUCCESS("/fxml/migration_success.fxml"), //
-	NOTIFICATION("/fxml/notification.fxml"), //
 	PREFERENCES("/fxml/preferences.fxml"), //
 	QUIT("/fxml/quit.fxml"), //
 	QUIT_FORCED("/fxml/quit_forced.fxml"), //
@@ -62,7 +59,6 @@ public enum FxmlFile {
 	VAULT_STATISTICS("/fxml/stats.fxml"), //
 	WRONGFILEALERT("/fxml/wrongfilealert.fxml");

-
 	private final String ressourcePathString;

 	FxmlFile(String ressourcePathString) {
--- a/src/main/java/org/cryptomator/ui/common/SystemBarUtil.java
+++ b/src/main/java/org/cryptomator/ui/common/SystemBarUtil.java
@@ -1,56 +0,0 @@
-package org.cryptomator.ui.common;
-
-import javafx.stage.Screen;
-
-/**
- * Utility class providing methods regarding the OS bar.
- */
-public class SystemBarUtil {
-
-	public enum Placement {
-		/**
-		 * OS Bar placed at the left screen edge
-		 */
-		LEFT,
-		/**
-		 * OS Bar placed at the top screen edge
-		 */
-		TOP,
-		/**
-		 * OS Bar placed at the right screen edge
-		 */
-		RIGHT,
-		/**
-		 * OS Bar placed at the bottom screen edge
-		 */
-		BOTTOM;
-	}
-
-	/**
-	 * Determines the placement of the OS bar on the given screen.
-	 * <p>
-	 * <b>Assuming the OS bar fills one screen edge completely</b>,
-	 * this method determines that screen edge by comparing the actual screen bounds with the visual ones.
-	 * <p>
-	 * If the screen does not have a system bar, the bottom placement is returned.
-	 * If the screen does have multiple system bars, the first in following priority is returned:
-	 * LEFT, TOP, RIGHT, BOTTOM.
-	 *
-	 * @param screen a {@link Screen} where an OS bar exists
-	 * @return {@link Placement} indicating the screen edge.
-	 */
-	public static Placement getPlacementOfSystembar(Screen screen) {
-		var bounds = screen.getBounds();
-		var vBounds = screen.getVisualBounds();
-		//assumption: the system bar fills a whole screen side
-		if (bounds.getMinX() != vBounds.getMinX()) {
-			return Placement.LEFT;
-		} else if (bounds.getMinY() != vBounds.getMinY()) {
-			return Placement.TOP;
-		} else if (bounds.getMaxX() != vBounds.getMaxX()) {
-			return Placement.RIGHT;
-		} else {
-			return Placement.BOTTOM;
-		}
-	}
-}
--- a/src/main/java/org/cryptomator/ui/common/VaultService.java
+++ b/src/main/java/org/cryptomator/ui/common/VaultService.java
@@ -1,16 +1,17 @@
 package org.cryptomator.ui.common;

+import dagger.Lazy;
 import org.cryptomator.common.vaults.Vault;
 import org.cryptomator.common.vaults.VaultState;
 import org.cryptomator.integrations.mount.Mountpoint;
 import org.cryptomator.integrations.mount.UnmountFailedException;
-import org.cryptomator.integrations.revealpath.RevealFailedException;
-import org.cryptomator.integrations.revealpath.RevealPathService;
 import org.cryptomator.ui.fxapp.FxApplicationScoped;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.inject.Inject;
+import javafx.application.Application;
+import javafx.application.HostServices;
 import javafx.concurrent.Task;
 import javafx.stage.Stage;
 import java.io.IOException;
@@ -27,12 +28,12 @@ public class VaultService {

 	private static final Logger LOG = LoggerFactory.getLogger(VaultService.class);

-	private final RevealPathService revealPathService;
+	private final Lazy<Application> application;
 	private final ExecutorService executorService;

 	@Inject
-	public VaultService(RevealPathService revealPathService, ExecutorService executorService) {
-		this.revealPathService = revealPathService;
+	public VaultService(Lazy<Application> application, ExecutorService executorService) {
+		this.application = application;
 		this.executorService = executorService;
 	}

@@ -46,9 +47,9 @@ public class VaultService {
 	 * @param vault The vault to reveal
 	 */
 	public Task<Vault> createRevealTask(Vault vault) {
-		Task<Vault> task = new RevealVaultTask(vault, revealPathService);
-		task.setOnSucceeded(_ -> LOG.info("Revealed {}", vault.getDisplayName()));
-		task.setOnFailed(evt -> LOG.warn("Failed to reveal {}", vault.getDisplayName(), evt.getSource().getException()));
+		Task<Vault> task = new RevealVaultTask(vault, application.get().getHostServices());
+		task.setOnSucceeded(evt -> LOG.info("Revealed {}", vault.getDisplayName()));
+		task.setOnFailed(evt -> LOG.error("Failed to reveal " + vault.getDisplayName(), evt.getSource().getException()));
 		return task;
 	}

@@ -109,18 +110,19 @@ public class VaultService {
 	private static class RevealVaultTask extends Task<Vault> {

 		private final Vault vault;
-		private final RevealPathService rs;
+		private final HostServices hostServices;

-		public RevealVaultTask(Vault vault, RevealPathService revealPathService) {
+		public RevealVaultTask(Vault vault, HostServices hostServices) {
 			this.vault = vault;
-			this.rs = revealPathService;
+			this.hostServices = hostServices;
+			setOnFailed(evt -> LOG.error("Failed to reveal " + vault.getDisplayName(), getException()));
 		}

 		@Override
-		protected Vault call() throws RevealFailedException {
+		protected Vault call() {
 			switch (vault.getMountPoint()) {
 				case null -> LOG.warn("Not currently mounted");
-				case Mountpoint.WithPath m -> rs.reveal(m.path());
+				case Mountpoint.WithPath m -> hostServices.showDocument(m.uri().toString());
 				case Mountpoint.WithUri m -> LOG.info("Vault mounted at {}", m.uri()); // TODO show in UI?
 			}
 			return vault;
--- a/src/main/java/org/cryptomator/ui/controls/FontAwesome5Icon.java
+++ b/src/main/java/org/cryptomator/ui/controls/FontAwesome5Icon.java
@@ -12,8 +12,6 @@ public enum FontAwesome5Icon {
 	CARET_DOWN("\uF0D7"), //
 	CARET_RIGHT("\uF0Da"), //
 	CHECK("\uF00C"), //
-	CHEVRON_LEFT("\uF053"), //
-	CHEVRON_RIGHT("\uF054"), //
 	CLOCK("\uF017"), //
 	CLIPBOARD("\uF328"), //
 	COG("\uF013"), //
@@ -62,7 +60,6 @@ public enum FontAwesome5Icon {
 	TRASH("\uF1F8"), //
 	UNLINK("\uf127"), //
 	USER_COG("\uf4fe"), //
-	USER_LOCK("\uf502"), //
 	WRENCH("\uF0AD"), //
 	WINDOW_MINIMIZE("\uF2D1"), //
 	;
--- a/src/main/java/org/cryptomator/ui/controls/NotificationBar.java
+++ b/src/main/java/org/cryptomator/ui/controls/NotificationBar.java
@@ -4,27 +4,24 @@ import javafx.beans.property.BooleanProperty;
 import javafx.beans.property.SimpleBooleanProperty;
 import javafx.fxml.FXML;
 import javafx.geometry.Pos;
-import javafx.scene.AccessibleRole;
 import javafx.scene.control.Button;
-import javafx.scene.control.ContentDisplay;
 import javafx.scene.control.Label;
 import javafx.scene.layout.HBox;
 import javafx.scene.layout.Region;
 import javafx.scene.layout.VBox;
-import java.util.ResourceBundle;

-public class InfoBar extends HBox {
+public class NotificationBar extends HBox {

 	@FXML
-	private Label infoMessage;
+	private Label notificationLabel;

 	private final BooleanProperty dismissable = new SimpleBooleanProperty();
 	private final BooleanProperty notify = new SimpleBooleanProperty();


-	public InfoBar() {
+	public NotificationBar() {
 		setAlignment(Pos.CENTER);
-		getStyleClass().addAll("info-bar");
+		setStyle("-fx-alignment: center;");

 		Region spacer = new Region();
 		spacer.setMinWidth(40);
@@ -39,21 +36,14 @@ public class InfoBar extends HBox {
 		vbox.setAlignment(Pos.CENTER);
 		HBox.setHgrow(vbox, javafx.scene.layout.Priority.ALWAYS);

-		infoMessage = new Label();
-		infoMessage.setFocusTraversable(true);
-		infoMessage.setAccessibleRole(AccessibleRole.BUTTON);
-		vbox.getChildren().add(infoMessage);
+		notificationLabel = new Label();
+		notificationLabel.getStyleClass().add("notification-label");
+		notificationLabel.setStyle("-fx-alignment: center;");
+		vbox.getChildren().add(notificationLabel);

-		var closeGraphic = new FontAwesome5IconView();
-		closeGraphic.setGlyph(FontAwesome5Icon.TIMES);
-		closeGraphic.setGlyphSize(12);
-		closeGraphic.getStyleClass().add("glyph");
-
-		Button closeButton = new Button();
-		closeButton.setGraphic(closeGraphic);
-		closeButton.setContentDisplay(ContentDisplay.GRAPHIC_ONLY);
-		closeButton.setAccessibleText(ResourceBundle.getBundle("i18n.strings").getString("main.notification.closeButton.tooltip"));
+		Button closeButton = new Button("X");
 		closeButton.setMinWidth(40);
+		closeButton.setStyle("-fx-background-color: transparent; -fx-text-fill: white; -fx-font-weight: bold;");
 		closeButton.visibleProperty().bind(dismissable);

 		closeButton.setOnAction(_ -> {
@@ -71,11 +61,11 @@ public class InfoBar extends HBox {
 	}

 	public String getText() {
-		return infoMessage.getText();
+		return notificationLabel.getText();
 	}

 	public void setText(String text) {
-		infoMessage.setText(text);
+		notificationLabel.setText(text);
 	}

 	public void setStyleClass(String styleClass) {
--- a/src/main/java/org/cryptomator/ui/decryptname/DecryptFileNamesViewController.java
+++ b/src/main/java/org/cryptomator/ui/decryptname/DecryptFileNamesViewController.java
@@ -58,6 +58,8 @@ public class DecryptFileNamesViewController implements FxController {
 	private final Stage window;
 	private final Vault vault;
 	private final ResourceBundle resourceBundle;
+	private final List<Path> initialList;
+
 	@FXML
 	public TableColumn<CipherAndCleartext, String> ciphertextColumn;
 	@FXML
@@ -66,11 +68,12 @@ public class DecryptFileNamesViewController implements FxController {
 	public TableView<CipherAndCleartext> cipherToCleartextTable;

 	@Inject
-	public DecryptFileNamesViewController(@DecryptNameWindow Stage window, @DecryptNameWindow Vault vault, ResourceBundle resourceBundle) {
+	public DecryptFileNamesViewController(@DecryptNameWindow Stage window, @DecryptNameWindow Vault vault, @DecryptNameWindow List<Path> pathsToDecrypt, ResourceBundle resourceBundle) {
 		this.window = window;
 		this.vault = vault;
 		this.resourceBundle = resourceBundle;
 		this.mapping = new SimpleListProperty<>(FXCollections.observableArrayList());
+		this.initialList = pathsToDecrypt;
 	}

 	@FXML
@@ -94,7 +97,8 @@ public class DecryptFileNamesViewController implements FxController {
 		});
 		cipherToCleartextTable.setOnDragDropped(event -> {
 			if (event.getGestureSource() == null && event.getDragboard().hasFiles()) {
-				decrypt(event.getDragboard().getFiles().stream().map(File::toPath).toList());
+				checkAndDecrypt(event.getDragboard().getFiles().stream().map(File::toPath).toList());
+				cipherToCleartextTable.setItems(mapping);
 			}
 		});
 		cipherToCleartextTable.setOnDragExited(_ -> cipherToCleartextTable.setItems(mapping));
@@ -120,7 +124,9 @@ public class DecryptFileNamesViewController implements FxController {
 				});
 			}
 		});
-		window.setOnHidden(_ -> mapping.clear());
+		if (!initialList.isEmpty()) {
+			checkAndDecrypt(initialList);
+		}
 	}

 	private void copySingleCelltoClipboard() {
@@ -143,18 +149,10 @@ public class DecryptFileNamesViewController implements FxController {
 		fileChooser.setInitialDirectory(vault.getPath().toFile());
 		var ciphertextNodes = fileChooser.showOpenMultipleDialog(window);
 		if (ciphertextNodes != null) {
-			decrypt(ciphertextNodes.stream().map(File::toPath).toList());
+			checkAndDecrypt(ciphertextNodes.stream().map(File::toPath).toList());
 		}
 	}

-	public void decrypt(List<Path> pathsToDecrypt) {
-		if (pathsToDecrypt.isEmpty()) {
-			return;
-		}
-		checkAndDecrypt(pathsToDecrypt);
-		cipherToCleartextTable.setItems(mapping);
-	}
-
 	private void checkAndDecrypt(List<Path> pathsToDecrypt) {
 		mapping.clear();
 		//Assumption: All files are in the same directory
--- a/src/main/java/org/cryptomator/ui/decryptname/DecryptNameComponent.java
+++ b/src/main/java/org/cryptomator/ui/decryptname/DecryptNameComponent.java
@@ -28,28 +28,23 @@ public interface DecryptNameComponent {
 	@FxmlScene(FxmlFile.DECRYPTNAMES)
 	Lazy<Scene> decryptNamesView();

-	DecryptFileNamesViewController controller();
-
 	@DecryptNameWindow
 	Vault vault();

-	default void showDecryptFileNameWindow(List<Path> pathsToDecrypt) {
+	default void showDecryptFileNameWindow() {
 		Stage s = window();
 		s.setScene(decryptNamesView().get());
 		s.sizeToScene();
 		if (vault().isUnlocked()) {
-			controller().decrypt(pathsToDecrypt);
 			s.show();
-			s.requestFocus();
 		} else {
 			LOG.error("Aborted showing DecryptFileName window: vault state is not {}, but {}.", VaultState.Value.UNLOCKED, vault().getState());
-			s.close();
 		}
 	}

 	@Subcomponent.Factory
 	interface Factory {

-		DecryptNameComponent create(@BindsInstance @DecryptNameWindow Vault vault, @BindsInstance @Named("windowOwner") Stage owner);
+		DecryptNameComponent create(@BindsInstance @DecryptNameWindow Vault vault, @BindsInstance @Named("windowOwner") Stage owner, @BindsInstance @DecryptNameWindow List<Path> pathsToDecrypt);
 	}
 }
--- a/src/main/java/org/cryptomator/ui/dialogs/Dialogs.java
+++ b/src/main/java/org/cryptomator/ui/dialogs/Dialogs.java
@@ -61,15 +61,6 @@ public class Dialogs {
 				.setOkButtonKey(BUTTON_KEY_CLOSE);
 	}

-	public SimpleDialog.Builder prepareHubVaultArchived(Stage window, Vault vault) {
-		return createDialogBuilder().setOwner(window) //
-				.setTitleKey("unlock.title", vault.getDisplayName()) //
-				.setMessageKey("hub.archived.message") //
-				.setDescriptionKey("hub.archived.description") //
-				.setIcon(FontAwesome5Icon.BAN)//
-				.setOkButtonKey(BUTTON_KEY_CLOSE);
-	}
-
 	public SimpleDialog.Builder prepareRecoveryVaultAdded(Stage window, String displayName) {
 		return createDialogBuilder().setOwner(window) //
 				.setTitleKey("recover.existing.title") //
--- a/src/main/java/org/cryptomator/ui/eventview/EventListCellController.java
+++ b/src/main/java/org/cryptomator/ui/eventview/EventListCellController.java
@@ -1,18 +1,16 @@
 package org.cryptomator.ui.eventview;

-import org.apache.commons.lang3.SystemUtils;
-import org.cryptomator.common.Constants;
+import org.cryptomator.event.FSEventBucket;
+import org.cryptomator.event.FSEventBucketContent;
+import org.cryptomator.event.FileSystemEventAggregator;
 import org.cryptomator.common.Nullable;
 import org.cryptomator.common.ObservableUtil;
+import org.cryptomator.cryptofs.CryptoPath;
 import org.cryptomator.cryptofs.event.BrokenDirFileEvent;
 import org.cryptomator.cryptofs.event.BrokenFileNodeEvent;
 import org.cryptomator.cryptofs.event.ConflictResolutionFailedEvent;
 import org.cryptomator.cryptofs.event.ConflictResolvedEvent;
 import org.cryptomator.cryptofs.event.DecryptionFailedEvent;
-import org.cryptomator.cryptofs.event.FileIsInUseEvent;
-import org.cryptomator.event.FSEventBucket;
-import org.cryptomator.event.FSEventBucketContent;
-import org.cryptomator.event.FileSystemEventAggregator;
 import org.cryptomator.integrations.revealpath.RevealFailedException;
 import org.cryptomator.integrations.revealpath.RevealPathService;
 import org.cryptomator.ui.common.FxController;
@@ -45,6 +43,7 @@ import java.time.ZoneId;
 import java.time.format.DateTimeFormatter;
 import java.time.format.FormatStyle;
 import java.util.Map;
+import java.util.Optional;
 import java.util.ResourceBundle;
 import java.util.function.Function;

@@ -55,6 +54,7 @@ public class EventListCellController implements FxController {
 	private static final DateTimeFormatter LOCAL_TIME_FORMATTER = DateTimeFormatter.ofLocalizedTime(FormatStyle.SHORT).withZone(ZoneId.systemDefault());

 	private final FileSystemEventAggregator fileSystemEventAggregator;
+	@Nullable
 	private final RevealPathService revealService;
 	private final ResourceBundle resourceBundle;
 	private final ObjectProperty<Map.Entry<FSEventBucket, FSEventBucketContent>> eventEntry;
@@ -79,17 +79,15 @@ public class EventListCellController implements FxController {
 	Button eventActionsButton;

 	@Inject
-	public EventListCellController(FileSystemEventAggregator fileSystemEventAggregator,
-								   RevealPathService revealService,
-								   ResourceBundle resourceBundle) {
+	public EventListCellController(FileSystemEventAggregator fileSystemEventAggregator, Optional<RevealPathService> revealService, ResourceBundle resourceBundle) {
 		this.fileSystemEventAggregator = fileSystemEventAggregator;
-		this.revealService = revealService;
+		this.revealService = revealService.orElseGet(() -> null);
 		this.resourceBundle = resourceBundle;
 		this.eventEntry = new SimpleObjectProperty<>(null);
 		this.eventMessage = new SimpleStringProperty();
 		this.eventDescription = new SimpleStringProperty();
 		this.eventIcon = new SimpleObjectProperty<>();
-		this.eventCount = ObservableUtil.mapWithDefault(eventEntry, e -> e.getValue().count() == 1 ? "" : "(" + e.getValue().count() + ")", "");
+		this.eventCount = ObservableUtil.mapWithDefault(eventEntry, e -> e.getValue().count() == 1? "" : "("+ e.getValue().count() +")", "");
 		this.vaultUnlocked = ObservableUtil.mapWithDefault(eventEntry.flatMap(e -> e.getKey().vault().unlockedProperty()), Function.identity(), false);
 		this.readableTime = ObservableUtil.mapWithDefault(eventEntry, e -> LOCAL_TIME_FORMATTER.format(e.getValue().mostRecentEvent().getTimestamp()), "");
 		this.readableDate = ObservableUtil.mapWithDefault(eventEntry, e -> LOCAL_DATE_FORMATTER.format(e.getValue().mostRecentEvent().getTimestamp()), "");
@@ -117,7 +115,7 @@ public class EventListCellController implements FxController {
 		eventActionsMenu.hide();
 		eventActionsMenu.getItems().clear();
 		eventTooltip.setText(item.getKey().vault().getDisplayName());
-		addLocalizedAction("generic.action.dismiss", () -> {
+		addAction("generic.action.dismiss", () -> {
 			fileSystemEventAggregator.remove(item.getKey());
 		});
 		switch (item.getValue().mostRecentEvent()) {
@@ -126,70 +124,70 @@ public class EventListCellController implements FxController {
 			case DecryptionFailedEvent fse -> this.adjustToDecryptionFailedEvent(fse);
 			case BrokenDirFileEvent fse -> this.adjustToBrokenDirFileEvent(fse);
 			case BrokenFileNodeEvent fse -> this.adjustToBrokenFileNodeEvent(fse);
-			case FileIsInUseEvent fse -> this.adjustToFileInUseEvent(fse);
 		}
 	}

-	private void adjustToFileInUseEvent(FileIsInUseEvent fiiue) {
-		eventIcon.setValue(FontAwesome5Icon.USER_LOCK);
-		eventMessage.setValue(resourceBundle.getString("eventView.entry.inUse.message"));
-		var indexFileName = fiiue.cleartextPath().lastIndexOf("/");
-		eventDescription.setValue(fiiue.cleartextPath().substring(indexFileName + 1));
-		addLocalizedAction("eventView.entry.inUse.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(fiiue.cleartextPath())));
-		addLocalizedAction("eventView.entry.inUse.showEncrypted", () -> reveal(revealService, fiiue.ciphertextPath()));
-
-		var userAndDevice = fiiue.owner().split(Constants.HUB_USER_DEVICE_SEPARATOR);
-		var user = userAndDevice[0];
-		var device = userAndDevice.length == 1 ? userAndDevice[0] : userAndDevice[1];
-		addLocalizedAction("eventView.entry.inUse.copyUserAndDevice", () -> copyToClipboard(user + ", " + device));
-		addLocalizedAction("eventView.entry.inUse.ignoreLock", fiiue.ignoreMethod());
-	}
-

 	private void adjustToBrokenFileNodeEvent(BrokenFileNodeEvent bfe) {
 		eventIcon.setValue(FontAwesome5Icon.TIMES);
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.brokenFileNode.message"));
 		eventDescription.setValue(bfe.ciphertextPath().getFileName().toString());
-		addLocalizedAction("eventView.entry.brokenFileNode.showEncrypted", () -> reveal(revealService, bfe.ciphertextPath()));
-		addLocalizedAction("eventView.entry.brokenFileNode.copyDecrypted", () -> copyToClipboard(convertVaultPathToSystemPath(bfe.cleartextPath()).toString()));
+		if (revealService != null) {
+			addAction("eventView.entry.brokenFileNode.showEncrypted", () -> reveal(revealService, bfe.ciphertextPath()));
+		} else {
+			addAction("eventView.entry.brokenFileNode.copyEncrypted", () -> copyToClipboard(bfe.ciphertextPath().toString()));
+		}
+		addAction("eventView.entry.brokenFileNode.copyDecrypted", () -> copyToClipboard(convertVaultPathToSystemPath(bfe.cleartextPath()).toString()));
 	}

 	private void adjustToConflictResolvedEvent(ConflictResolvedEvent cre) {
 		eventIcon.setValue(FontAwesome5Icon.CHECK);
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.conflictResolved.message"));
 		eventDescription.setValue(cre.resolvedCiphertextPath().getFileName().toString());
-		addLocalizedAction("eventView.entry.conflictResolved.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(cre.resolvedCleartextPath())));
+		if (revealService != null) {
+			addAction("eventView.entry.conflictResolved.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(cre.resolvedCleartextPath())));
+		} else {
+			addAction("eventView.entry.conflictResolved.copyDecrypted", () -> copyToClipboard(convertVaultPathToSystemPath(cre.resolvedCleartextPath()).toString()));
+		}
 	}

 	private void adjustToConflictEvent(ConflictResolutionFailedEvent cfe) {
 		eventIcon.setValue(FontAwesome5Icon.COMPRESS_ALT);
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.conflict.message"));
 		eventDescription.setValue(cfe.conflictingCiphertextPath().getFileName().toString());
-		addLocalizedAction("eventView.entry.conflict.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(cfe.canonicalCleartextPath())));
-		addLocalizedAction("eventView.entry.conflict.showEncrypted", () -> reveal(revealService, cfe.conflictingCiphertextPath()));
+		if (revealService != null) {
+			addAction("eventView.entry.conflict.showDecrypted", () -> reveal(revealService, convertVaultPathToSystemPath(cfe.canonicalCleartextPath())));
+			addAction("eventView.entry.conflict.showEncrypted", () -> reveal(revealService, cfe.conflictingCiphertextPath()));
+		} else {
+			addAction("eventView.entry.conflict.copyDecrypted", () -> copyToClipboard(convertVaultPathToSystemPath(cfe.canonicalCleartextPath()).toString()));
+			addAction("eventView.entry.conflict.copyEncrypted", () -> copyToClipboard(cfe.conflictingCiphertextPath().toString()));
+		}
 	}

 	private void adjustToDecryptionFailedEvent(DecryptionFailedEvent dfe) {
 		eventIcon.setValue(FontAwesome5Icon.BAN);
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.decryptionFailed.message"));
 		eventDescription.setValue(dfe.ciphertextPath().getFileName().toString());
-		addLocalizedAction("eventView.entry.decryptionFailed.showEncrypted", () -> reveal(revealService, dfe.ciphertextPath()));
+		if (revealService != null) {
+			addAction("eventView.entry.decryptionFailed.showEncrypted", () -> reveal(revealService, dfe.ciphertextPath()));
+		} else {
+			addAction("eventView.entry.decryptionFailed.copyEncrypted", () -> copyToClipboard(dfe.ciphertextPath().toString()));
+		}
 	}

 	private void adjustToBrokenDirFileEvent(BrokenDirFileEvent bde) {
 		eventIcon.setValue(FontAwesome5Icon.TIMES);
 		eventMessage.setValue(resourceBundle.getString("eventView.entry.brokenDirFile.message"));
 		eventDescription.setValue(bde.ciphertextPath().getParent().getFileName().toString());
-		addLocalizedAction("eventView.entry.brokenDirFile.showEncrypted", () -> reveal(revealService, bde.ciphertextPath()));
+		if (revealService != null) {
+			addAction("eventView.entry.brokenDirFile.showEncrypted", () -> reveal(revealService, bde.ciphertextPath()));
+		} else {
+			addAction("eventView.entry.brokenDirFile.copyEncrypted", () -> copyToClipboard(bde.ciphertextPath().toString()));
+		}
 	}

-	private void addLocalizedAction(String localizationKey, Runnable action) {
-		var entryText = resourceBundle.getString(localizationKey);
-		addAction(entryText, action);
-	}
-
-	private void addAction(String entryText, Runnable action) {
-		var entry = new MenuItem(entryText);
+	private void addAction(String localizationKey, Runnable action) {
+		var entry = new MenuItem(resourceBundle.getString(localizationKey));
 		entry.getStyleClass().addLast("dropdown-button-context-menu-item");
 		entry.setOnAction(_ -> action.run());
 		eventActionsMenu.getItems().addLast(entry);
@@ -236,17 +234,18 @@ public class EventListCellController implements FxController {
 		}
 	}

-	private Path convertVaultPathToSystemPath(String vaultInternalPath) {
+	private Path convertVaultPathToSystemPath(Path p) {
+		if (!(p instanceof CryptoPath)) {
+			throw new IllegalArgumentException("Path " + p + " is not a vault path");
+		}
 		var v = eventEntry.getValue().getKey().vault();
 		if (!v.isUnlocked()) {
 			return Path.of(System.getProperty("user.home"));
 		}

-		var mountPoint = v.getMountPoint().uri().getPath();
-		if (SystemUtils.IS_OS_WINDOWS) {
-			mountPoint = mountPoint.substring(1); //strip away any leading "/", otherwise there are errors
-		}
-		return Path.of(mountPoint, vaultInternalPath.substring(1)); //vaultPaths are always absolute
+		var mountUri = v.getMountPoint().uri();
+		var internalPath = p.toString().substring(1);
+		return Path.of(mountUri.getPath().concat(internalPath).substring(1));
 	}

 	private void reveal(RevealPathService s, Path p) {
--- a/src/main/java/org/cryptomator/ui/fxapp/FxApplication.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/FxApplication.java
@@ -10,20 +10,16 @@ import org.slf4j.LoggerFactory;

 import javax.inject.Inject;
 import javax.inject.Named;
-import javafx.application.Application;
 import javafx.application.Platform;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.concurrent.TimeUnit;
-import java.util.concurrent.atomic.AtomicReference;

@FxApplicationScoped
 public class FxApplication {

 	private static final Logger LOG = LoggerFactory.getLogger(FxApplication.class);

-	static final AtomicReference<Application> INSTANCE = new AtomicReference<>();
-
 	private final long startupTime;
 	private final Environment environment;
 	private final Settings settings;
@@ -34,21 +30,9 @@ public class FxApplication {
 	private final FxApplicationTerminator applicationTerminator;
 	private final AutoUnlocker autoUnlocker;
 	private final FxFSEventList fxFSEventList;
-	private final FxNotificationManager notificationManager;

 	@Inject
-	FxApplication(Application fxApp,
-				   @Named("startupTime") long startupTime, //
-				  Environment environment, //
-				  Settings settings, //
-				  AppLaunchEventHandler launchEventHandler, //
-				  Lazy<TrayMenuComponent> trayMenu, //
-				  FxApplicationWindows appWindows, //
-				  FxApplicationStyle applicationStyle, //
-				  FxApplicationTerminator applicationTerminator, //
-				  AutoUnlocker autoUnlocker, //
-				  FxFSEventList fxFSEventList, //
-				  FxNotificationManager notificationManager) {
+	FxApplication(@Named("startupTime") long startupTime, Environment environment, Settings settings, AppLaunchEventHandler launchEventHandler, Lazy<TrayMenuComponent> trayMenu, FxApplicationWindows appWindows, FxApplicationStyle applicationStyle, FxApplicationTerminator applicationTerminator, AutoUnlocker autoUnlocker, FxFSEventList fxFSEventList) {
 		this.startupTime = startupTime;
 		this.environment = environment;
 		this.settings = settings;
@@ -59,9 +43,6 @@ public class FxApplication {
 		this.applicationTerminator = applicationTerminator;
 		this.autoUnlocker = autoUnlocker;
 		this.fxFSEventList = fxFSEventList;
-		this.notificationManager = notificationManager;
-
-		INSTANCE.set(fxApp);
 	}

 	public void start() {
@@ -107,7 +88,6 @@ public class FxApplication {

 		launchEventHandler.startHandlingLaunchEvents();
 		fxFSEventList.schedulePollForUpdates();
-		notificationManager.schedulePollForUpdates();
 		autoUnlocker.tryUnlockForTimespan(2, TimeUnit.MINUTES);
 	}

--- a/src/main/java/org/cryptomator/ui/fxapp/FxApplicationModule.java
+++ b/src/main/java/org/cryptomator/ui/fxapp/FxApplicationModule.java
@@ -7,14 +7,12 @@ package org.cryptomator.ui.fxapp;

 import dagger.Module;
 import dagger.Provides;
-import org.cryptomator.integrations.uiappearance.UiAppearanceProvider;
 import org.cryptomator.ui.decryptname.DecryptNameComponent;
 import org.cryptomator.ui.error.ErrorComponent;
 import org.cryptomator.ui.eventview.EventViewComponent;
 import org.cryptomator.ui.health.HealthCheckComponent;
 import org.cryptomator.ui.lock.LockComponent;
 import org.cryptomator.ui.mainwindow.MainWindowComponent;
-import org.cryptomator.ui.notification.NotificationComponent;
 import org.cryptomator.ui.preferences.PreferencesComponent;
 import org.cryptomator.ui.quit.QuitComponent;
 import org.cryptomator.ui.recoverykey.RecoveryKeyComponent;
@@ -27,9 +25,8 @@ import org.cryptomator.ui.vaultoptions.VaultOptionsComponent;
 import javafx.scene.image.Image;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.Optional;

-@Module(subcomponents = {TrayMenuComponent.class, //
+@Module(includes = {UpdateCheckerModule.class}, subcomponents = {TrayMenuComponent.class, //
 		DecryptNameComponent.class, //
 		MainWindowComponent.class, //
 		PreferencesComponent.class, //
@@ -42,8 +39,7 @@ import java.util.Optional;
 		UpdateReminderComponent.class, //
 		ShareVaultComponent.class, //
 		EventViewComponent.class, //
-		RecoveryKeyComponent.class, //
-		NotificationComponent.class})
+		RecoveryKeyComponent.class})
 abstract class FxApplicationModule {

 	private static Image createImageFromResource(String resourceName) throws IOException {
@@ -52,18 +48,23 @@ abstract class FxApplicationModule {
 		}
 	}

-	@Provides
-	@FxApplicationScoped
-	static Optional<UiAppearanceProvider> provideAppearanceProvider() {
-		return UiAppearanceProvider.get();
-	}
-
 	@Provides
 	@FxApplicationScoped
 	static TrayMenuComponent provideTrayMenuComponent(TrayMenuComponent.Builder builder) {
 		return builder.build();
 	}

+	@Provides
+	@FxApplicationScoped
+	static MainWindowComponent provideMainWindowComponent(MainWindowComponent.Builder builder) {
+		return builder.build();
+	}
+
+	@Provides
+	@FxApplicationScoped
+	static PreferencesComponent providePreferencesComponent(PreferencesComponent.Builder builder) {
+		return builder.build();
+	}

 	@Provides
 	@FxApplicationScoped
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Armin Schrenk	5fd7fb874e	remove wixhelper extract step	2025-11-13 14:58:22 +01:00
Armin Schrenk	18dce94658	if jdk is build with jep-493-flag, use jimage to extract wixhelper	2025-11-13 14:30:04 +01:00
Sebastian Stenzel	80a0281885	try different version name	2025-11-13 13:41:56 +01:00
Sebastian Stenzel	3eeceea64f	try building with temurin jdk 26+23-ea	2025-11-13 13:29:38 +01:00