
Do SourceTree for Windows updates undergo any authenticity verification prior to being applied?

Cathy Sanders May 28, 2013

Being from a larger enterprise, our information security group has concerns regarding the installation or updating of software directly from the internet as there is the possibility of the downloaded file having been somehow tampered with by untrusted parties. We can definitely work with the provided offline install file for the initial installs, but would like our developers to be able to do their own updates from the internet. Is there any authenticity verification that is done by SourceTree to ensure that the updates are from Atlassian and have not somehow been tampered with?

Answer accepted
stevestreeting
May 28, 2013

Yes.

  1. The update metadata includes an MD5 hash which is checked against the downloaded file. To compromise the update 2 separate systems would have to be compromised to change both the MD5 and the file itself.
  2. When the update is run, depending on your settings you will probably be asked if you want the installer to modify your system, and in that dialog you can view the code signature associated with the installer.
  3. All our code (the installer, the binaries within it) is code signed with publicly verifiable certificates.

Cathy Sanders May 28, 2013

Thanks for the response. That should satisfy our security people with regards to the updates.
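
The checks described in the answer can also be run by hand on a downloaded installer before it is executed. This is an added example, not part of the original thread and not Atlassian's code; the function name, file path, expected MD5 value and publisher string are placeholders (assumptions), and the real publisher string must be read from the certificate shown in the installer's signature dialog.

```powershell
# Added example: hash check plus Authenticode signature and signer check.
# All names and sample values here are assumptions, not taken from SourceTree.
function Test-InstallerAuthenticity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,              # downloaded installer
        [Parameter(Mandatory)] [string] $ExpectedMd5,       # value from the update metadata
        [Parameter(Mandatory)] [string] $ExpectedPublisher  # text expected in the signer subject
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Check 1: the file matches the hash published in the update metadata.
    # PowerShell's -eq is case-insensitive for strings, so hex case does not matter.
    $actualMd5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $hashOk = $actualMd5 -eq $ExpectedMd5.Trim()

    # Check 2: the Authenticode signature validates against the local trust store.
    # Any status other than Valid (NotSigned, HashMismatch, NotTrusted, ...) fails.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signatureOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

    # Check 3: the signer is the expected publisher. A valid signature from
    # some other publisher must not pass.
    $signer = $sig.SignerCertificate
    $publisherOk = $false
    if ($signatureOk -and $null -ne $signer) {
        $publisherOk = $signer.Subject.IndexOf(
            $ExpectedPublisher, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    }

    [pscustomobject]@{
        Path            = $Path
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        SignerSubject   = if ($signer) { $signer.Subject } else { $null }
        SignerThumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        Trusted         = $hashOk -and $signatureOk -and $publisherOk
    }
}

# Usage with placeholder values:
# Test-InstallerAuthenticity -Path 'C:\Temp\<installer>.exe' `
#     -ExpectedMd5 '<md5-from-update-metadata>' -ExpectedPublisher '<publisher-name>'
```

The `Trusted` field is true only when all three checks pass, and the returned signer subject and thumbprint can be recorded for an internal allow list.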
