Windows Smart App Control blocks the unsigned browse.exe — sign release binaries #2124

@pstilwell90

Summary

On Windows 11 with Smart App Control (SAC) enabled, the bundled browse binary cannot execute, which breaks every browser-driven skill (/canary, /qa, /browse, live /design-review). Please code-sign the Windows release binaries so SAC permits them.

Environment

  • gstack 1.58.0.0
  • Windows 11, Smart App Control: On (Enforce); HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy\VerifiedAndReputablePolicyState = 1
  • Binary: ~/.claude/skills/gstack/browse/dist/browse.exe (PE32+ x86-64)

What happens

Running the binary fails at the OS policy layer:

  • Git-Bash: .../browse.exe: Permission denied (x-bits are set; not a chmod issue)
  • PowerShell: Program 'browse.exe' failed to run: An error occurred trying to start process ... An Application Control policy has blocked this file.

file reports it as PE32+ executable for MS Windows, and it is unsigned.

Root cause

Smart App Control blocks unsigned / low-reputation executables. Critically, SAC has no per-file allowlist — there is no supported way for a user to make one binary an exception. The only user-side workaround is turning SAC Off, which is irreversible (Windows requires a reset/reinstall to re-enable SAC). Asking users to permanently disable a security feature to run a dev tool is not a reasonable workaround.

Impact

Any Windows 11 machine with SAC enabled (the default on many new devices) cannot use the browser-driven skills at all. bin/ shell scripts run fine — only the compiled binaries are blocked.

Ask

  1. Code-sign the Windows release binaries (Authenticode), and ideally submit them for Microsoft reputation so SAC trusts them without per-machine action. This is the real fix.
  2. Until signed: document the SAC limitation + fallbacks (curl-based health checks, user-driven browser QA) so Windows users aren't stuck debugging "Permission denied".

Minor secondary note

dist/browse (no .exe extension) cannot be exec'd from Git-Bash even setting SAC aside — Git-Bash won't run a PE without the .exe suffix. Only dist/browse.exe is invokable. Skills compute the binary path as dist/browse; on Windows they should prefer dist/browse.exe.
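
An added example, not part of the original issue or of the gstack project: a PowerShell preflight a skill wrapper could run before launching the binary, so the failure is reported as a Smart App Control block instead of "Permission denied". The function names and the `LikelyBlocked` heuristic are assumptions made here; the registry value and install path are the ones quoted in the issue, and the meanings of values 0 and 2 are not stated there.

```powershell
param(
    # Install location quoted in the issue; override if gstack lives elsewhere.
    [string]$DistDir = (Join-Path $HOME '.claude\skills\gstack\browse\dist')
)

function Get-SacState {
    # Registry value quoted in the issue (1 = On/Enforce there).
    # 0 = Off and 2 = Evaluation are not stated in the issue.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $prop = Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'Unknown' }
    switch ($prop.VerifiedAndReputablePolicyState) {
        0       { return 'Off' }
        1       { return 'Enforce' }
        2       { return 'Evaluation' }
        default { return 'Unknown' }
    }
}

function Resolve-BrowseBinary([string]$Dir) {
    # Prefer browse.exe over the extensionless name, per the secondary note.
    foreach ($name in 'browse.exe', 'browse') {
        $path = Join-Path $Dir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) { return $path }
    }
    return $null
}

function Test-BrowseLaunchable([string]$Dir) {
    $sac = Get-SacState
    $bin = Resolve-BrowseBinary $Dir
    $sig = if ($bin) { [string](Get-AuthenticodeSignature -FilePath $bin).Status } else { 'Missing' }
    # Heuristic (assumption): under Enforce, a binary without a Valid signature is
    # flagged as likely blocked. SAC's cloud reputation verdict cannot be queried
    # locally, so this is a hint, not a verdict.
    $blocked = (-not $bin) -or ($sac -eq 'Enforce' -and $sig -ne 'Valid')
    [pscustomobject]@{ Binary = $bin; SmartAppControl = $sac; Signature = $sig; LikelyBlocked = $blocked }
}

$result = Test-BrowseLaunchable $DistDir
$result | Format-List
if ($result.LikelyBlocked) {
    Write-Warning 'browse binary is missing or unsigned under SAC Enforce; skip browser-driven skills and use the fallbacks (curl-based health checks, user-driven browser QA).'
}
```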
