How to verify provenance of MS Store releases

[ericzinnikas]

I appreciate the supply chain security considerations put in place for AppControl Manager, so that the release artifact attestations can be used to validate the msixbundle published on GitHub. But, I'm hoping to understand how I can attest in the same way with regards to the releases published to the Microsoft Store?

It seems my options are: use the unsigned, but attested release or the signed, but un-attestable release (and I need to self-sign if I want the former)? Curious for your thoughts/suggestions, thanks!

[HotCakeX]

Hi,
There isn't a strong way to do so AFAIK, the packages are built from GitHub actions, sent to Microsoft for validation and signing and they upload it to the Microsoft Store. The store is smart enough to only download the bits for your architecture so the download size is much smaller than downloading an entire MSIXBundle.
At the moment, to be 100% absolutely sure, you can build the package from the source code. The Wiki has automated scripts to do so: https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager

[ericzinnikas]

Understood, thanks!