1

Downloaded Git-2.28.0-64-bit.exe. I am used to checking a hash sum of a download prior to installation. As I understand it, this would lower the risk of faked URLs and some man-in-the-middle attacks.

But I cannot find a SHA512 or similar value for the .exe. Can I simply trust the git download?

ngong

1 Answer

0

That was requested before (for GitHub to provide a SHA-256 checksum alongside their release assets), but this is not yet available.

Some projects are adding an additional asset representing the checksum, as in coreybutler/nvm-windows releases tag 1.1.7.

Git for Windows adds a SHA-256 table for all its releases:

Git-2.28.0-32-bit.exe   9b83b16f1d73212492f21d9bffe41c4b5ce8393a356af96bf8271652c04dfe8f

So you can check the integrity of your downloaded artifact that way.

And, as mentioned here, those exe are signed as well, which means you can use SignTools.exe to check that signature.

VonC
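As an added example (not part of the answer above, and not code from the Git for Windows project), both checks the answer describes can be run from PowerShell. It uses the built-in `Get-FileHash` and `Get-AuthenticodeSignature` cmdlets rather than the SignTool utility the answer mentions; the function name `Test-DownloadIntegrity` and the local file path are assumptions, and the expected value is the one quoted in the answer for the 32-bit installer.

```powershell
# Added example: compare a downloaded installer with the SHA-256 value
# published on the release page and inspect its Authenticode signature.
# Test-DownloadIntegrity is a hypothetical helper name.
function Test-DownloadIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    # Reject a truncated or mis-pasted value before comparing anything.
    $expected = $ExpectedSha256.Trim()
    if ($expected -notmatch '^[0-9a-fA-F]{64}$') {
        throw 'Expected value is not a 64-digit hexadecimal SHA-256 string.'
    }

    # Get-FileHash returns upper-case hex; -eq on strings ignores case,
    # so the lower-case value from the release notes compares correctly.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Status is 'Valid' only when the signature verifies and the signing
    # certificate chains to a root trusted on this machine.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        File            = $Path
        ActualSha256    = $actual
        HashMatches     = ($actual -eq $expected)
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject   # $null if unsigned
    }
}

# Usage with the value from the release table quoted above; the path is an
# assumed download location.
$result = Test-DownloadIntegrity `
    -Path "$env:USERPROFILE\Downloads\Git-2.28.0-32-bit.exe" `
    -ExpectedSha256 '9b83b16f1d73212492f21d9bffe41c4b5ce8393a356af96bf8271652c04dfe8f'

$result | Format-List
if (-not $result.HashMatches -or $result.SignatureStatus -ne 'Valid') {
    Write-Warning 'Do not run this installer: hash or signature check failed.'
}
```

A matching hash shows only that the file equals what the release page lists; the `Signer` field is what ties the file to the publisher's certificate, so read it rather than relying on `Valid` alone.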