msysgit / git

msysGit-based Git for Windows 1.x is now superseded by Git for Windows 2.x
http://github.com/git-for-windows/git

Windows installer not cryptographically signed. #361

Closed fake-name closed 9 years ago

fake-name commented 9 years ago

The installer executable available from the main msysgit webpage is unsigned, and it is therefore impossible to verify the integrity of the installer. This is just flat out bad.

All Linux packages are signed and verified in basically every distribution, and Windows has facilities for doing the same. There is no reason to /not/ sign the binaries, particularly when they are apparently release binaries (it says "preview", but there does not appear to be a non-preview version).
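The Windows facility referred to above is Authenticode. As an added example (not part of the original thread and not the project's own code), this PowerShell function rejects an unsigned or altered installer and pins the signer to a certificate thumbprint obtained out of band; the function name, file name and thumbprint are placeholders.

```powershell
# Added example: check a downloaded installer's Authenticode signature before running it.
# Test-InstallerSignature is a hypothetical helper; no real publisher values are assumed.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the publisher certificate, obtained through a separate trusted channel.
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Only 'Valid' means the file hash matches the signature and the chain is trusted.
    switch ($sig.Status) {
        'Valid'        { break }
        'NotSigned'    { Write-Warning "$Path carries no signature; its integrity cannot be verified."
                         return $false }
        'HashMismatch' { Write-Warning "$Path was modified after it was signed."
                         return $false }
        default        { Write-Warning "Signature rejected: $($sig.Status) - $($sig.StatusMessage)"
                         return $false }
    }

    # A valid signature from an unexpected publisher is still a failure:
    # compare the signer certificate against the pinned thumbprint.
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($sig.SignerCertificate.Thumbprint -ne $expected) {
        Write-Warning "Signed by an unexpected certificate: $($sig.SignerCertificate.Subject)"
        return $false
    }

    Write-Verbose "Signed by $($sig.SignerCertificate.Subject)"
    return $true
}

# Usage (both values are placeholders):
# Test-InstallerSignature -Path .\installer.exe -ExpectedThumbprint '<PUBLISHER-CERT-THUMBPRINT>'
```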

dscho commented 9 years ago

You will find that the recent release candidates of Git for Windows 2.x are signed. Since version 2.x will supersede version 1.x, I hope you agree that it is better to focus on 2.x than to release a new 1.x version just to release signed installers.

> (it says "preview", but there does not appear to be a non-preview version)

There is indeed no official release of Git for Windows yet.

fake-name commented 9 years ago

Well, in that case, you should probably point https://msysgit.github.io/ to the new installer. Lots of third-party installers link to that page for "here is where you get git".

dscho commented 9 years ago

Git for Windows 2.x is not officially released, either. So redirecting as you suggested would be premature. But yes, we will do that eventually: https://github.com/git-for-windows/git/issues/12