Digitally sign the OpenSSH binaries that come default in Windows and official FOD

PowerShell / Win32-OpenSSH

Win32 port of OpenSSH

7.2k stars 739 forks source link

Digitally sign the OpenSSH binaries that come default in Windows and official FOD #2226

Closed xxegoxxles closed 1 month ago

xxegoxxles commented 2 months ago

Summary of the new feature / enhancement

Security Feature request - As a sysadmin I want the OpenSSH binaries that come as default in Windows as well as the ones installed as Feature On Demand to be digitally signed by Microsoft to distinguish them from non-official OpenSSH binaries compiled by 3rd parties. For example the curl.exe that's included in Windows 11 comes signed.

Proposed technical implementation details (optional)

No response

tgauth commented 2 months ago

There is a catalog signature for the OpenSSH binaries that are in Windows via Feature On Demand (default or not, all are considered FoD), as opposed to the embedded signature for the OpenSSH binaries that are released via GitHub. Sigcheck can be used to verify this, as well as the digital signatures tab of the binary's properties.

xxegoxxles commented 1 month ago

Thanks for responding. sigcheck.exe did indicate that the binary was signed and referenced the catalog. However, my default Windows 11 installation didn't show digital signatures in the binary properties. (See screenshot Screenshot 2024-04-30 at 9 30 54 AM )

Is it because of the signature embedding you mentioned?