Closed xxegoxxles closed 1 month ago
There is a catalog signature for the OpenSSH binaries that are in Windows via Feature On Demand (default or not, all are considered FoD), as opposed to the embedded signature for the OpenSSH binaries that are released via GitHub. Sigcheck can be used to verify this, as well as the digital signatures tab of the binary's properties.
Thanks for responding. sigcheck.exe did indicate that the binary was signed and referenced the catalog. However, my default Windows 11 installation didn't show digital signatures in the binary properties. (See screenshot)
Is it because of the signature embedding you mentioned?
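An added example, not part of the original thread or the project's own code: a PowerShell check that reports, for each OpenSSH binary, whether its signature is catalog-based or embedded, which is the distinction discussed above. The default path assumes the Feature on Demand install location `%WINDIR%\System32\OpenSSH`; pass `-Path` to check a GitHub release directory instead.

```powershell
# Added example: classify how each OpenSSH binary is signed.
# Assumption: the Feature on Demand binaries live in %WINDIR%\System32\OpenSSH.
param(
    [string]$Path = (Join-Path $env:WINDIR 'System32\OpenSSH')
)

$results = Get-ChildItem -Path $Path -Filter *.exe -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    [pscustomobject]@{
        File          = $_.Name
        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Status        = $sig.Status
        # Catalog      = file hash is covered by a signed security catalog
        # Authenticode = signature is embedded in the file itself
        # None         = no signature found
        SignatureType = $sig.SignatureType
        # True when Windows recognizes the file as an operating system binary
        IsOSBinary    = $sig.IsOSBinary
        Signer        = if ($sig.SignerCertificate) {
                            $sig.SignerCertificate.Subject
                        } else {
                            $null
                        }
    }
}

$results | Format-Table -AutoSize

# Surface anything that did not verify so it can be investigated.
$unverified = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($unverified.Count -gt 0) {
    Write-Warning "$($unverified.Count) file(s) in '$Path' did not verify:"
    $unverified | Format-Table File, Status, SignatureType -AutoSize
    exit 1
}
```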
Summary of the new feature / enhancement
Security Feature request - As a sysadmin, I want the OpenSSH binaries that come as default in Windows as well as the ones installed as Feature On Demand to be digitally signed by Microsoft to distinguish them from non-official OpenSSH binaries compiled by 3rd parties. For example, the curl.exe that's included in Windows 11 comes signed.
Proposed technical implementation details (optional)
No response