Do SourceTree for Windows updates undergo any authenticity verification prior to being applied?

Being from a larger enterprise, our information security group has concerns regarding the installation or updating of software directly from the internet as there is the possibility of the downloaded file having been somehow tampered with by untrusted parties. We can definitely work with the provided offline install file for the initial installs, but would like our developers to be able to do their own updates from the internet. Is there any authenticity verification that is done by SourceTree to ensure that the updates are from Atlassian and have not somehow been tampered with?

1 answer

1 accepted


Yes.

  1. The update metadata includes an MD5 hash which is checked against the downloaded file. To compromise the update, 2 separate systems would have to be compromised to change both the MD5 and the file itself.
  2. When the update is run, depending on your settings, you will probably be asked if you want the installer to modify your system, and in that dialog you can view the code signature associated with the installer.
  3. All our code (the installer, the binaries within it) is code signed with publicly verifiable certificates.

Thanks for the response. That should satisfy our security people with regard to the updates.
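
For teams that want to check the code signature and hash described in the answer themselves before an installer is run, the following PowerShell function is an added example, not part of the original thread and not Atlassian's own code. The function name, the publisher pattern and the file path are assumptions supplied by the caller; the Authenticode result is the stronger of the two checks, since MD5 is not collision resistant.

```powershell
# Added example: check a downloaded installer's Authenticode signature and,
# optionally, the MD5 published in the update metadata.
# Test-InstallerAuthenticity, $ExpectedPublisher and $ExpectedMd5 are
# hypothetical names/values chosen for this illustration.
function Test-InstallerAuthenticity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Wildcard matched against the signer certificate subject (caller-supplied).
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        # Optional: MD5 hex string taken from the update metadata.
        [string] $ExpectedMd5
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # Status is 'Valid' only when the file matches its embedded signature and
    # the signing certificate chain is trusted on this machine.
    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $signatureValid = ($sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid)
    $publisherMatch = ($null -ne $subject) -and ($subject -like $ExpectedPublisher)

    # The MD5 comparison catches a corrupted or swapped download; $null means
    # no expected value was supplied, so the check was skipped.
    $md5      = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $md5Match = if ($ExpectedMd5) { $md5 -ieq $ExpectedMd5.Trim() } else { $null }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        SignerSubject   = $subject
        PublisherMatch  = $publisherMatch
        Md5             = $md5
        Md5Match        = $md5Match
        # Trusted requires a valid signature from the expected publisher and
        # no MD5 mismatch (a skipped MD5 check does not fail the result).
        Trusted         = $signatureValid -and $publisherMatch -and ($md5Match -ne $false)
    }
}

# Usage (constructed path and publisher pattern, adjust to your environment):
# Test-InstallerAuthenticity -Path 'C:\Temp\installer.exe' -ExpectedPublisher '*Atlassian*'
```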
