git.vger.kernel.org archive mirror
* Microsoft Smart App Control - Git - git-bash.exe File Unsigned
From: Rolland Swing (Insight Global LLC) @ 2023-10-05 20:41 UTC
  To: git; +Cc: Anthony Chuang

Hi Git Team,

We're part of the Microsoft team that owns Smart App Control (https://learn.microsoft.com/en-us/windows/apps/develop/smart-app-control/overview), which requires applications to sign all of their executable files (exe, dll, msi, tmp, and a few other file formats).
 
We found during internal testing and/or from user feedback that your app, git-bash.exe, is not correctly signed. 

Block Event:
  FileName: \Device\HarddiskVolume7\Program Files\Git\git-bash.exe
  Calling Process: \Device\HarddiskVolume7\Windows\explorer.exe
  Sha256 Hash: 42F2E685686FB6356A195709AF912C7B9D424466BD7C6D69258AADA5E80AC3C2

Signing your app is in your best interest, as it positively identifies you as the developer of your application to your customers installing and running your apps, and they can rest assured that your app hasn't been tampered with. For the purposes of Smart App Control, all app binaries including .exe, .dll, .tmp files, and uninstallers all need to be signed.

For more information on code signing, please refer to: https://learn.microsoft.com/en-us/windows/apps/develop/smart-app-control/code-signing-for-smart-app-control
 
Please confirm if the unsigned file(s) will be signed in this or a future build, or if there is no intent to rectify the unsigned executable file(s). 

Thanks,

Rolland Swing | Azure E&P Program Manager
Enterprise & Security - Platform Integrity Team
mailto:v-roswing@microsoft.com




* Re: Microsoft Smart App Control - Git - git-bash.exe File Unsigned
From: brian m. carlson @ 2023-10-07  1:07 UTC
  To: Rolland Swing (Insight Global LLC); +Cc: git, Anthony Chuang

On 2023-10-05 at 20:41:39, Rolland Swing (Insight Global LLC) wrote:
> Hi Git Team,

Hey,

> We're part of the Microsoft team that owns Smart App Control (https://learn.microsoft.com/en-us/windows/apps/develop/smart-app-control/overview), which requires applications to sign all of their executable files (exe, dll, msi, tmp, and a few other file formats).
>  
> We found during internal testing and/or from user feedback that your app, git-bash.exe, is not correctly signed. 
> 
> Block Event:
>   FileName: \Device\HarddiskVolume7\Program Files\Git\git-bash.exe
>   Calling Process: \Device\HarddiskVolume7\Windows\explorer.exe
>   Sha256 Hash: 42F2E685686FB6356A195709AF912C7B9D424466BD7C6D69258AADA5E80AC3C2

The Git project doesn't distribute any binaries at all.  We distribute
only source code.  Many distributors compile these to produce binaries.

The project you are probably thinking of is Git for Windows, which,
while related, is a separate project.  They do indeed distribute
binaries, and this looks like a binary that's theirs.  If you'd like to
contact them, you can use their issue tracker
(https://github.com/git-for-windows/git/issues) to inquire.

However, I will note that a cursory search there found
https://github.com/git-for-windows/git/issues/798, where the maintainer
points out that there are over 400 exe files and 250 dll files, which
would make signing them all excessively burdensome.  I expect the
upcoming requirements for HSM-backed keys for Windows code signing may
make that even slower and more burdensome.  That being said, perhaps
with automation, the maintainer may feel differently than they did in
2016, so it might be worth asking again.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA
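
An inventory check for the signing requirement discussed in this thread, as an added example that is not part of either message or of Git for Windows: it walks an install tree, recognises PE images by header rather than by extension, and lists those with no embedded Authenticode certificate table, with the SHA-256 in the form the block event uses. The function names and the `sample_pe` images are constructed for illustration.

```python
import hashlib, struct, tempfile
from pathlib import Path

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def has_embedded_signature(data):
    """None if data is not a PE image, else whether a certificate table is present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < pe + 26:
        return None
    opt = pe + 24                                           # past "PE\0\0" + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        return None
    dirs = opt + (96 if magic == 0x10B else 112)            # start of data directories
    entry = dirs + 8 * SECURITY_DIR
    if len(data) < entry + 8:                               # truncated: treat as unsigned
        return False
    count = struct.unpack_from("<I", data, dirs - 4)[0]     # NumberOfRvaAndSizes
    offset, size = struct.unpack_from("<II", data, entry)   # a file offset, not an RVA
    return count > SECURITY_DIR and size > 0 and 0 < offset and offset + size <= len(data)

def unsigned_pe_files(root):
    """(relative path, SHA-256) of each PE image under root with no embedded signature."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        data = path.read_bytes() if path.is_file() else b""
        if has_embedded_signature(data) is False:           # None means "not a PE": skipped
            digest = hashlib.sha256(data).hexdigest().upper()
            found.append((path.relative_to(root).as_posix(), digest))
    return found

def sample_pe(signed):
    """Constructed minimal PE32+ header for the demo; not a runnable program."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                 # e_lfanew
    struct.pack_into("<H", hdr, 0x98, 0x20B)                # optional header magic
    struct.pack_into("<I", hdr, 0x98 + 108, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x128, 0x200 * signed, 8 * signed)  # certificate table entry
    return bytes(hdr) + bytes(8 * signed)                   # placeholder certificate bytes

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tree:
        for name, signed in [("git-bash.exe", False), ("signed.dll", True)]:
            (Path(tree) / name).write_bytes(sample_pe(signed))
        print(unsigned_pe_files(tree))
```

A file that passes this check only carries a certificate table; whether the signature is valid and chains to a trusted root still has to be verified on Windows, for example with `Get-AuthenticodeSignature` or `signtool verify`.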


* RE: [EXTERNAL] Re: Microsoft Smart App Control - Git - git-bash.exe File Unsigned
From: Rolland Swing (Insight Global LLC) @ 2023-10-09 17:21 UTC
  To: brian m. carlson; +Cc: git, Anthony Chuang

Thanks Brian - I'll reach out to them via their issue tracker.

Thanks,

Rolland

