From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: "Rolland Swing (Insight Global LLC)" <v-roswing@microsoft.com>
Cc: "git@vger.kernel.org" <git@vger.kernel.org>,
Anthony Chuang <anchuang@microsoft.com>
Subject: Re: Microsoft Smart App Control - Git - git-bash.exe File Unsigned
Date: Sat, 7 Oct 2023 01:07:53 +0000
Message-ID: <ZSCvaWuPJ1peZ3KF@tapette.crustytoothpaste.net>
In-Reply-To: <SJ1PR21MB369933C2C879EAD0D5EAFBD1E3CAA@SJ1PR21MB3699.namprd21.prod.outlook.com>
On 2023-10-05 at 20:41:39, Rolland Swing (Insight Global LLC) wrote:
> Hi Git Team,

Hey,

> We're part of the Microsoft team that owns Smart App Control (https://learn.microsoft.com/en-us/windows/apps/develop/smart-app-control/overview), which requires applications to sign all of their executable files (exe, dll, msi, tmp, and a few other file formats).
>
> We found during internal testing and/or from user feedback that your app, git-bash.exe, is not correctly signed.
>
> Block Event: FileName: \Device\HarddiskVolume7\Program Files\Git\git-bash.exe
> Calling Process: \Device\HarddiskVolume7\Windows\explorer.exe
> Sha256 Hash: 42F2E685686FB6356A195709AF912C7B9D424466BD7C6D69258AADA5E80AC3C2

The Git project doesn't distribute any binaries at all. We distribute
only source code. Many distributors compile these to produce binaries.

The project you are probably thinking of is Git for Windows, which,
while related, is a separate project. They do indeed distribute
binaries, and this looks like a binary that's theirs. If you'd like to
contact them, you can use their issue tracker
(https://github.com/git-for-windows/git/issues) to inquire.

However, I will note that a cursory search there found
https://github.com/git-for-windows/git/issues/798, where the maintainer
points out that there are over 400 exe files and 250 dll files, which
would make signing them all excessively burdensome. I expect the
upcoming requirements for HSM-backed keys for Windows code signing may
make that even slower and more burdensome. That being said, perhaps
with automation, the maintainer may feel differently than they did in
2016, so it might be worth asking again.
--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA