RE: [EXTERNAL] Re: Microsoft Smart App Control - Git - git-bash.exe File Unsigned

Thanks Brian - I'll reach out to them via their issue tracker.

Thanks,

Rolland

-----Original Message-----
From: brian m. carlson <sandals@xxxxxxxxxxxxxxxxxxxx> 
Sent: Friday, October 6, 2023 6:08 PM
To: Rolland Swing (Insight Global LLC) <v-roswing@xxxxxxxxxxxxx>
Cc: git@xxxxxxxxxxxxxxx; Anthony Chuang <anchuang@xxxxxxxxxxxxx>
Subject: [EXTERNAL] Re: Microsoft Smart App Control - Git - git-bash.exe File Unsigned

On 2023-10-05 at 20:41:39, Rolland Swing (Insight Global LLC) wrote:
> Hi Git Team,

Hey,

> We're part of the Microsoft team that owns Smart App Control (https://learn.microsoft.com/en-us/windows/apps/develop/smart-app-control/overview), which requires applications to sign all of their executable files (exe, dll, msi, tmp, and a few other file formats).
>  
> We found during internal testing and/or from user feedback that your app, git-bash.exe, is not correctly signed. 
> 
> Block Event:
>   FileName: \Device\HarddiskVolume7\Program Files\Git\git-bash.exe
>   Calling Process: \Device\HarddiskVolume7\Windows\explorer.exe
>   Sha256 Hash: 42F2E685686FB6356A195709AF912C7B9D424466BD7C6D69258AADA5E80AC3C2

The Git project doesn't distribute any binaries at all.  We distribute only source code.  Many distributors compile these to produce binaries.

The project you are probably thinking of is Git for Windows, which, while related, is a separate project.  They do indeed distribute binaries, and this looks like a binary that's theirs.  If you'd like to contact them, you can use their issue tracker
(https://github.com/git-for-windows/git/issues) to inquire.

However, I will note that a cursory search there found https://github.com/git-for-windows/git/issues/798, where the maintainer points out that there are over 400 exe files and 250 dll files, which would make signing them all excessively burdensome.  I expect the upcoming requirements for HSM-backed keys for Windows code signing may make that even slower and more burdensome.  That being said, perhaps with automation, the maintainer may feel differently than they did in 2016, so it might be worth asking again.
--
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA



