
GPO for WinGet to remove MoTW from REST sources

Open denelon opened this issue 1 year ago • 0 comments

I would like an option to specify via GPO (Group Policy Object) that WinGet should change the MoTW (Mark of The Web) from untrusted zones (the Internet) when SHA256 hashes match the installer downloaded (prior to installation) to a trusted zone.

Note: We would not extend this to a WinGet setting due to the potential risk associated with adding a source to WinGet and subsequently exposing the user to this risk. This would essentially be an enterprise specific setting for organizations who understand the risk of removing this user protection mechanism.

WinGet modifies the MoTW (Mark of The Web) from untrusted zones (the Internet) when SHA256 hashes match the installer downloaded (prior to installation) for the "msstore" and "winget" sources.

These default sources are validating packages prior to including them, which is the prerequisite for these default sources.

Private REST sources do not get the same treatment, so users are seeing an "Open File - Security Warning".

Details below:

@jantari, WinGet isn't the source of the mark. For the community repository, the zone is changed after the installer has been downloaded and verified against the SHA256.

We will have to look at a mechanism like an administrator setting, or a GPO (Group Policy Object) setting to apply the same behavior to non-default sources.

If the installer URL is coming from a trusted zone, then the security warning shouldn't appear.

Originally posted by @denelon in https://github.com/microsoft/winget-cli/issues/4046#issuecomment-1883349569

denelon, Feb 16 '24 20:02
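As an added illustration (not WinGet's own code) of the hash-gated behavior the issue describes for the "winget" and "msstore" sources: the Mark of the Web is the `Zone.Identifier` alternate data stream, and the script below removes it only after the installer's SHA256 matches the expected value. The installer path and expected hash are placeholders, and the function names are this example's own.

```powershell
# Example only: verify an installer's SHA256 before touching its Mark of the Web.
# Paths and the expected hash are placeholders, not values from any manifest.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # MoTW is stored in the Zone.Identifier alternate data stream;
    # ZoneId=3 is the Internet zone that triggers "Open File - Security Warning".
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no stream means the file carries no MoTW
    }
    $line = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line -and $line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Unblock-VerifiedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Get-FileHash returns uppercase hex; normalize the expected value to match.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        # Hash mismatch: keep the Internet-zone mark in place and stop here.
        throw "SHA256 mismatch for $Path (expected $ExpectedSha256, got $actual)"
    }
    $zone = Get-MotwZone -Path $Path
    if ($zone -eq 3) {
        # Only a verified file loses its MoTW, which is what suppresses the prompt.
        Unblock-File -LiteralPath $Path
    }
    # Returns $null once the stream is gone, or the remaining zone id otherwise.
    return (Get-MotwZone -Path $Path)
}

# Usage with placeholder values:
# Unblock-VerifiedInstaller -Path 'C:\Temp\installer.exe' -ExpectedSha256 '<SHA256-FROM-MANIFEST>'
```

Running this against a file downloaded from a browser shows `ZoneId=3` before the call and no stream afterwards; a wrong hash leaves the mark untouched.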